Veracode SoSS report: Significant open-source security gap for vendors and users
Researchers have highlighted a significant gap in open-source security, with 80% of third-party libraries never getting updated by developers after being included in a codebase.
The global application security testing company, Veracode, has released new research that finds nearly 80% of the time, third-party libraries are never updated by developers after being added to a codebase, even though more than two-thirds of fixes are minor and non-disruptive even for very complex applications.
Given that open-source libraries are continuously evolving, something that is secure today may not be tomorrow, which potentially creates significant security risks for software vendors and users.
The research, Veracode State of Software Security v11: Open Source Edition, analysed 13 million scans of more than 86,000 repositories containing more than 301,000 unique libraries and also surveyed nearly 2,000 developers to understand how they use third-party software.
Veracode also found notable fluctuations in library popularity and vulnerability year over year. For example, four of the five most popular libraries in Ruby in 2019 were no longer in the top 10 in 2020, while some of the most vulnerable libraries in Go in 2019 became less vulnerable in 2020 and vice versa.
As most modern applications are built using third-party open-source software, a single flaw or adjustment in one library can cascade into all applications using that code, having a direct impact on software security.
“Almost all repositories include libraries with at least one vulnerability,” says Veracode chief research officer, Chris Eng.
“The vast majority of today’s applications use open-source code. The security of a library can change quickly, so keeping a current inventory of what’s in your application is crucial. We found that once developers pick a library, they rarely update it.”
He says that with vendors facing increasing scrutiny around the security of their supply chain, there’s simply no way to justify a set-and-forget mentality. He says it’s vital that developers keep those components up to date and respond quickly to new vulnerabilities as they’re discovered.
According to Veracode, a developer’s lack of contextual understanding about how a vulnerable library relates to their application can be a roadblock. Developers who report lacking this information take more than seven months to fix 50% of flaws, but this drops dramatically to three weeks when they have the right information and guidance.
Veracode says developers can respond quickly when alerted to a vulnerable library, addressing 17% of flaws within an hour and 25% within a week.
Key findings of the research include:
- 92% of open-source library flaws can be fixed with an update, and 69% of updates are only a minor version change or smaller.
- Even where an update to an open-source library produces additional updates, nearly two-thirds of these will be only a minor version change and are unlikely to break the functionality of even the most complex applications.
- Only 52% of developers surveyed have a formal process for selecting third-party libraries, while more than a quarter are either unsure or even unaware if there is a formal process in place.
- Security is only the third-rated consideration when selecting a library, while functionality and licensing take first and second place respectively.
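As an added illustration of the "fixable with an update" and "minor version change or smaller" findings above (example code written for this page, not Veracode's tooling or data), the script below checks a constructed application inventory against a constructed advisory list and classifies each available fix by the semantic-versioning bump it requires. The library names, versions and advisories are made-up placeholders, not real packages or real vulnerabilities.

```python
"""Added example (not Veracode's code or data): compare a constructed
library inventory with a constructed advisory list and classify each
available fix as a patch, minor or major version bump under semver."""
import re

# Constructed sample inventory: what the application actually pins.
INVENTORY = {
    "loggingkit": "2.4.1",
    "jsonfast": "1.0.9",
    "cryptowrap": "0.9.3",
    "templater": "3.2.0",
}

# Constructed sample advisories: (library, first fixed version).
# Placeholders only; they do not refer to real vulnerabilities.
ADVISORIES = [
    ("loggingkit", "2.4.3"),
    ("jsonfast", "1.1.0"),
    ("cryptowrap", "1.0.0"),
    ("unusedlib", "5.0.0"),  # not in the inventory, so not our exposure
]

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version):
    """Parse a strict MAJOR.MINOR.PATCH string into a comparable tuple."""
    match = SEMVER.match(version)
    if not match:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(part) for part in match.groups())


def classify_bump(current, fixed):
    """Return 'none', 'patch', 'minor' or 'major' for moving current -> fixed."""
    cur, fix = parse_version(current), parse_version(fixed)
    if cur >= fix:
        return "none"  # already at or past the fixed version
    if cur[0] != fix[0]:
        return "major"
    if cur[1] != fix[1]:
        return "minor"
    return "patch"


def plan_updates(inventory, advisories):
    """Map each advisory that touches the inventory to the bump it needs."""
    plan = {}
    for lib, fixed in advisories:
        current = inventory.get(lib)
        if current is None:
            continue  # library not present: the advisory does not apply
        plan[lib] = {
            "current": current,
            "fixed": fixed,
            "bump": classify_bump(current, fixed),
        }
    return plan


def summarize(plan):
    """Count how many applicable fixes fall into each bump category."""
    counts = {"none": 0, "patch": 0, "minor": 0, "major": 0}
    for entry in plan.values():
        counts[entry["bump"]] += 1
    return counts


if __name__ == "__main__":
    update_plan = plan_updates(INVENTORY, ADVISORIES)
    for lib, entry in sorted(update_plan.items()):
        print(f"{lib:12} {entry['current']:>8} -> {entry['fixed']:<8} {entry['bump']}")
    print(summarize(update_plan))
```

The inventory is the key input: without knowing which libraries and versions are actually shipped, none of the advisories can be mapped to an exposure, which is the "current inventory" point made above. One caveat when reading the bump classification: semver treats any change below 1.0.0 as potentially breaking, so the `0.9.3 -> 1.0.0` case is reported as major here, and a `0.x` minor bump should be tested with the same care.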