Guest: Nick Mistry (LinkedIn)
Company: Lineaje (Twitter)
Show: Newsroom
A recent report by Lineaje found that around 50% of the open-source packages it analyzed are not well maintained, including some of the most popular ones. Furthermore, the vulnerabilities for which no fix is available are often classed as critical or high severity. Even for open source whose communities are active in tackling vulnerabilities and applying fixes, security remains an issue. And as security tooling becomes more effective at identifying vulnerabilities, many developers are left swamped trying to address them.
In this episode of TFiR: Newsroom, Nick Mistry, SVP, CISO at Lineaje, talks about the key challenges of securing open source and CISA’s open-source software security roadmap. He goes on to discuss the key findings of their recent report and his focus on helping all the constituents move forward to secure open source.
Key highlights from this interview:
- Mistry gives us an overview of Lineaje, a software supply chain security management platform that aims to prevent software supply chain attacks.
- Open source makes up the majority of all production software. Mistry talks about the challenge of understanding the entire inventory of components inside open-source software: current security tools typically identify only the first or second level of software components, not the third or fourth level of transitive dependencies beneath them.
- Mistry discusses the level of awareness customers have when it comes to tracking SBOMs. He feels that awareness has increased, but building the entire inventory of software components can be a daunting task, and security tooling does not uncover all of them. He sees SBOMs as a starting point for visibility, from which you can begin identifying the risks of those components.
- Compatibility is one of the major roadblocks to applying the latest patches across all the different pieces of open source, including libraries and frameworks. Mistry talks about developers having to make a difficult trade-off: upgrade and apply the patches, or risk breaking the software.
- Mistry takes us through some of the key considerations in CISA's open-source software security roadmap and how Lineaje helps with the analysis needed to determine the right trade-offs. He talks about an AI model that is rolling out to help with making those decisions.
- Mistry gives us his views on the Cyber Resilience Act (CRA), saying that he does not think putting the onus on open-source communities is going to bear fruit. He feels a better route is for software developers who leverage open source to be better able to analyze and understand its strengths and weaknesses, and to choose which open-source components to pick accordingly.
- Lineaje has launched a report based on an analysis of some 114,000 open-source packages that aimed to identify common patterns. Mistry talks about the report's key findings, such as that around 50% of the open source analyzed was not well maintained, lacking upgrades or fixes for known vulnerabilities.
- Mistry discusses the impact of generative AI on security saying that one of the concerns is that malicious actors are capable of introducing malicious packages and frameworks within the suggestions the generative AI solutions are providing.
- Mistry talks about the importance of leveraging AI and its capabilities effectively to address risks, such as using AI to identify risks and perform compatibility analysis and enabling humans to interact with their data set using the natural language interfaces of LLMs.
- Mistry feels that the US government is taking a balanced approach in working with the open-source community. He talks about holding software producers accountable for their software and understanding the risks yet not expecting that change overnight. He discusses his focus on how all constituents can move forward in this direction.
- Although security is often seen purely in terms of a product or tool, culture plays a crucial role too. Mistry talks about how the ability to identify vulnerabilities has increased substantially, to the point that developers now spend over 50% of their time addressing vulnerabilities and fixes. However, the overwhelming majority of those fixes do not reduce risk. Mistry feels that contextual information is crucial for reducing risk and prioritizing what gets fixed.
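The points above about tools stopping at the first or second level of dependencies, and about an SBOM being only a starting point for visibility, can be made concrete with a small dependency-graph walk. The following is an added example written for this page, not Lineaje's tooling or anything from the interview: it reads a CycloneDX-style SBOM (the real spec's `metadata.component`, `components`, `bom-ref`, and `dependencies[].dependsOn` fields), computes how deep each component sits below the application, lists the components a scanner that stops at depth 2 would never see, and flags components that appear in the inventory but are unreachable from the root (an inventory gap). The package names and the SBOM itself are constructed for illustration; one dependency cycle is included deliberately to show that the walk terminates.

```python
"""Depth-of-dependency report over a CycloneDX-style SBOM.

Added example for this page; not Lineaje code. SAMPLE_SBOM is a constructed,
hypothetical document: the package names are made up, but the field names
follow the CycloneDX JSON layout (metadata.component, components, dependencies).
"""
import json
from collections import deque

# Constructed sample SBOM (hypothetical packages). The app depends directly on
# two packages; retry-core sits at depth 2, tiny-sleep at 3, legacy-parse at 4,
# and legacy-parse -> retry-core forms a cycle. orphan-util is listed as a
# component but nothing depends on it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:app/webshop@1.0.0", "name": "webshop"}},
    "components": [
        {"bom-ref": "pkg:npm/http-client@2.1.0", "name": "http-client"},
        {"bom-ref": "pkg:npm/logger@3.0.0", "name": "logger"},
        {"bom-ref": "pkg:npm/retry-core@0.9.3", "name": "retry-core"},
        {"bom-ref": "pkg:npm/tiny-sleep@0.0.2", "name": "tiny-sleep"},
        {"bom-ref": "pkg:npm/legacy-parse@1.0.0", "name": "legacy-parse"},
        {"bom-ref": "pkg:npm/orphan-util@1.2.0", "name": "orphan-util"},
    ],
    "dependencies": [
        {"ref": "pkg:app/webshop@1.0.0",
         "dependsOn": ["pkg:npm/http-client@2.1.0", "pkg:npm/logger@3.0.0"]},
        {"ref": "pkg:npm/http-client@2.1.0", "dependsOn": ["pkg:npm/retry-core@0.9.3"]},
        {"ref": "pkg:npm/retry-core@0.9.3", "dependsOn": ["pkg:npm/tiny-sleep@0.0.2"]},
        {"ref": "pkg:npm/tiny-sleep@0.0.2", "dependsOn": ["pkg:npm/legacy-parse@1.0.0"]},
        {"ref": "pkg:npm/legacy-parse@1.0.0", "dependsOn": ["pkg:npm/retry-core@0.9.3"]},
        {"ref": "pkg:npm/logger@3.0.0", "dependsOn": []},
    ],
})


def dependency_depths(sbom_json):
    """Map each reachable bom-ref to its shallowest depth below the root.

    Depth 0 is the application itself, depth 1 a direct dependency, and so on.
    Breadth-first search records the first (shallowest) visit of each node,
    which also prevents looping on dependency cycles.
    """
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def components_beyond(sbom_json, max_depth=2):
    """bom-refs a scanner that only resolves `max_depth` levels would never see."""
    return sorted(ref for ref, d in dependency_depths(sbom_json).items() if d > max_depth)


def unreachable_components(sbom_json):
    """Listed components with no dependency path from the root.

    Either the dependency section is incomplete (visibility gap) or the entry
    is stale; both are worth a human look before trusting the SBOM.
    """
    bom = json.loads(sbom_json)
    reached = dependency_depths(sbom_json)
    return sorted(c["bom-ref"] for c in bom.get("components", [])
                  if c["bom-ref"] not in reached)


if __name__ == "__main__":
    for ref, depth in sorted(dependency_depths(SAMPLE_SBOM).items(), key=lambda kv: kv[1]):
        print(f"depth {depth}: {ref}")
    print("invisible to a 2-level scanner:", components_beyond(SAMPLE_SBOM))
    print("listed but unreachable:", unreachable_components(SAMPLE_SBOM))
```

Run against a real CycloneDX file by replacing `SAMPLE_SBOM` with the file's contents; a large `components_beyond` list is exactly the blind spot described above, and a non-empty `unreachable_components` list means the SBOM's inventory and its dependency graph disagree.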
This summary was written by Emily Nicholls.