Best Practices for Securing Open Source Code (Dark Reading)

Recently, a Forrester Research report called attention to open source’s preeminence in application development, noting that custom code now often comprises only 10% to 20% of many applications.

Although traditional application security tools — dynamic analysis security testing (DAST) and static analysis security testing (SAST) — are effective in finding bugs in proprietary application code, they aren’t effective in identifying vulnerabilities in open source components “in the wild.” With SAST, this is true even months or years after the bugs have been publicly disclosed. In fact, most open source vulnerabilities are reported by security researchers and not found by DAST and SAST tools. Since 2004, more than 74,000 vulnerabilities have been disclosed by the National Vulnerability Database (NVD), but only a handful of those disclosures reference commercial security tools such as DAST, SAST, and fuzzers.