“The loss of $300 million in cryptocurrency shows the urgent need for businesses and cryptocurrency firms to know what libraries and binaries they’re using.
“With open source binaries forming the basis of 80–90% of applications, they play a vital role in driving innovation and powering the world as we know it. However, Parity’s issues are a stark reminder that all binaries are not created equal.
“To address this, it is imperative that strict governance protocols are in place to determine which components are safe to use, and which ones are vulnerable. In Parity’s case, the lack of such a protocol meant that a vulnerable component could be deployed in what should have been a highly governed environment, leading to the loss of hundreds of millions of dollars.
“Faults such as these should serve as a call to arms for legislators, and organisations that release known vulnerable code into production (especially when it can’t be patched) should understand that they could be liable for gross negligence. This has already started to happen in the UK, with organisations that neglect to repair systems using vulnerable binaries incurring fines. As more and more legislators recognise the huge damage vulnerable components can cause, we expect to see an increasing number of nations following suit.
“Fortunately, the challenges of faulty components are easily solved by using a DevSecOps approach. This enables security and governance to be automated from the start and implemented everywhere within a DevOps pipeline. Instead of using manual reviews of code, which leaves businesses at risk of human error, DevOps practices can utilise machines to adjudicate all components. For Parity, this would have prevented the error and subsequent loss. However, while it might be too late for the digital wallet service, this should serve as a clear reminder to others that while use of third-party binaries makes every organisation’s development team more productive, lack of governance around their use may put them at risk. Increased governance practices will become even more relevant in May 2018 when GDPR enforces the requirement to design security in from the beginning.”
– Derek Weeks, VP and DevOps Advocate, Sonatype