Glaring Gap in Open Source Security: Veracode Finds 80 percent of Libraries Used in Software Are Never Updated
BURLINGTON, Mass., June 22, 2021 – Veracode, the largest global provider of application security testing (AST) solutions, today launched new research that finds nearly 80 percent of the time, third-party libraries are never updated by developers after being included in a codebase - despite the fact that more than two thirds of fixes are minor and non-disruptive to the functionality of even the most complex software applications. Open source libraries constantly evolve so what appears secure today may no longer be so tomorrow, potentially creating a significant security risk for software vendors and users. The Veracode State of Software Security (SoSS) v11: Open Source Edition analyzed 13 million scans of more than 86,000 repositories containing more than 301,000 unique libraries, and also surveyed nearly 2,000 developers to understand how they use third-party software.
The Veracode research also finds notable fluctuations in library popularity and vulnerability year over year. For example, four of the five most popular libraries in Ruby in 2019 were no longer in the top 10 in 2020, while some of the most vulnerable libraries in Go in 2019 became less vulnerable in 2020 and vice versa. Since nearly all modern applications are built using third-party open source software, a single flaw or adjustment in one library can cascade into all applications using that code, meaning these constant changes have a direct impact on software security.
Almost all repositories include libraries with at least one vulnerability. Chris Eng, Chief Research Officer at Veracode, explains, "The vast majority of today's applications use open source code. The security of a library can change quickly, so keeping a current inventory of what's in your application is crucial. We found that once developers pick a library, they rarely update it. With vendors facing increasing scrutiny around the security of their supply chain, there is simply no way to justify a 'set it and forget it' mentality. It's vital that developers keep those components up-to-date and respond quickly to new vulnerabilities as they're discovered."
Building secure applications with open source code doesn't have to be taxing
Despite the dynamic nature of the software landscape, developers are often not updating open source libraries after including them in software applications. A lack of contextual understanding about how a vulnerable library relates to their application can be a roadblock. For example, developers who report they lack this information will take more than seven months to fix 50 percent of flaws, but this reduces dramatically to three weeks when they have the right information and guidance. Moreover, they can respond quickly when alerted to a vulnerable library, addressing 17 percent of flaws within an hour and 25 percent within a week. Thus, when provided with accurate information in a timely manner, developers can appropriately prioritize security and remediate flaws fast.
Other key findings include:
- 92 percent of open source library flaws can be fixed with an update, and 69 percent of updates are only a minor version change or smaller;
- Even where an update to an open source library produces additional updates, nearly two thirds of these will be only a minor version change and are unlikely to break functionality of even the most complex applications;
- Only 52 percent of developers surveyed have a formal process for selecting third-party libraries, while more than a quarter are either unsure – or even unaware – if there is a formal process in place; and
- "Security" is only the third-rated consideration when selecting a library, while "Functionality" and "Licensing" take the first and second spots respectively
Securing the software supply chain is gaining White House attention
Last month, the White House released an Executive Order on Cybersecurity of which nearly 25 percent focused on securing the software supply chain. Moving forward, software vendors selling to the Federal Government will be required to disclose the composition of their software and ensure that software applications have gone through automated testing.
Chris Wysopal, Co-Founder and Chief Technology Officer at Veracode, said, "As the Executive Order continues to take shape, anyone developing software should ensure they are scanning their software early and often in the development lifecycle. The growing popularity of open source software, combined with increasingly demanding development cycles, results in a higher propensity to software vulnerabilities. Scanning earlier in the process significantly reduces the risk profile, and most fixes are minor so will not impact the functionality of even the most complex software."
Click here to download Veracode's State of Software Security v11: Open Source Edition.