A majority of developers never update third-party open source libraries after including them in a codebase, a new report has found.
Compiled by app security firm Veracode, the report is based on an analysis of 13 million scans of more than 86,000 repositories, with a total of over 301,000 unique open source libraries.
Based on its analysis, Veracode discovered almost all the scanned repositories include libraries with at least one vulnerability.
“The security of a library can change quickly, so keeping a current inventory of what’s in your application is crucial. We found that once developers pick a library, they rarely update it. With vendors facing increasing scrutiny around the security of their supply chain, there is simply no way to justify a ‘set it and forget it’ mentality,” said Chris Eng, Chief Research Officer at Veracode.
Software bill-of-materials
Veracode argues that since nearly all modern applications are built using third-party open source software, a single flaw in one library can quickly cascade into all apps using that code.
The report reveals that a good majority (92%) of flaws in the open source libraries can be fixed with an update, with most of them (69%) being only a minor update.
Furthermore, even when an update results in additional updates, nearly two-thirds of these will be only a minor version change and are unlikely to break functionality of even the most complex applications.
The revelations in the report give color to the recent US presidential order that mandates a software bill-of-materials (SBOM) from vendors supplying software solutions to US government agencies, to ensure the entire codebase is secure.
Eng stresses that it’s vital that developers keep the libraries up-to-date and respond quickly to new vulnerabilities as they’re discovered to ensure security throughout the software supply chain.
