“Set it and forget it” attitude towards open source software has become a major security concern, says Veracode • The Register


There is a minefield of security issues bubbling beneath the surface of modern software, Veracode claimed in its latest report, thanks to developers who have integrated third-party open source libraries into their code bases – and never bothered to update them again.

“The vast majority of applications today use open source code. The security of a library can change quickly, so keeping an up-to-date inventory of what’s in your application is crucial,” said Chris Eng, Director of Research at Veracode. “We have found that once developers choose a library, they rarely update it.

“With suppliers increasingly under scrutiny for the security of their supply chain, there is simply no way to justify a ‘set it and forget it’ mentality. they are discovered.”

In its latest report, State of Software Security v11: Open Source Edition, application testing specialist Veracode found that 80% of included third-party libraries are never updated – and almost all code repositories scanned included libraries with at least one vulnerability.

That’s not a small number: the company used data from 13 million scans spanning 86,000 repositories, in turn containing more than 301,000 unique libraries. The report also quotes responses from nearly 2,000 developers.

Elsewhere in the report, Veracode claimed that a whopping 92% of flaws discovered in third-party libraries could be fixed simply by updating to the latest version, with two-thirds of the fixes being “minor and non-disruptive to the functionality of even the most complex software applications.”

The report also noted that a slim majority, 52%, of developers said they had a formal process for selecting third-party libraries, with a quarter saying they were not sure or were unaware of the existence of such a process, and that “security” is the third biggest concern when selecting a library – with “functionality” and “license” at the top of the rankings.

“While alarming, these results are not entirely surprising,” application security expert Sean Wright told The Register. “We find time and time again that libraries are often not updated. It often boils down to the fact that libraries are not tracked effectively.

“There is a reason why this type of vulnerability has a special place in the current OWASP [Open Web Application Security Project] Top 10 list. Organizations need to start tracking the libraries they use in their software and ensure that all identified vulnerabilities are properly prioritized.”

“If you want to see what happens when you don’t update the libraries,” Wright added, “just look at the Equifax breach in 2017. It cost the organization around $1.4 billion. The fix for the underlying vulnerability could have involved a single line of code.”

Veracode, of course, pointed to the code analysis technology it provides as just such a solution. “The growing popularity of open source software, combined with increasingly demanding development cycles, translates into a higher propensity for software vulnerabilities,” said Chris Wysopal, co-founder and chief technology officer.

“Scanning earlier in the process significantly reduces the risk profile, and most fixes are minor and therefore will not impact the functionality of even the most complex software.”

The full report can be downloaded here.

OpenUK Chief Executive Officer Amanda Brock said of the report: “We are delighted to see this detailed focus emerge, as open source software communities working on law and governance have evolved over the past decade to produce a number of important tools, including the OpenChain ISO supply chain standard and the SPDX Software Bill of Material (SBOM) standard, currently seeking ISO approval.

“Open source is indeed like gravity today and all around us, in an unavoidable way, especially in our infrastructure, due to the inherent transparency and wisdom of Linus’ Law – so many eyes make bugs superficial.

“In many ways, I suspect that open source code is probably better positioned to manage security risks than our friends in the proprietary world. This is not an open source issue, but a consequence of digitization and a general software issue solved through open collaboration to find the best resolutions.” ®

