The Veracode State of Software Security (SoSS) v11: Open Source Edition found that 79% of the time, third-party libraries are never updated by developers after being included in a codebase. This edition of SoSS focuses on open source applications and components, and is based on the analysis of 13 million scans of more than 86,000 repositories containing more than 301,000 unique libraries. The analysis also includes survey results on the use of third-party software from nearly 2,000 developers.
The libraries are not updated despite the fact that more than two-thirds of fixes are considered minor and non-disruptive to the application’s overall functionality. Further, 92% of open source library flaws can be fixed with an update, and 69% of updates are only a minor version change or smaller. Open source libraries constantly evolve, so what appears secure today may no longer be so tomorrow, potentially creating a significant security risk for software vendors and users.
The good news is that developers typically respond quickly once they learn about vulnerable libraries in the codebase. Nearly 17% of vulnerable libraries are fixed within an hour of the developer discovering a library with a vulnerability, and 25% are fixed within seven days, Veracode said.
The research focuses on the open source libraries in codebases today, how organizations are managing the security of these libraries, fluctuations in library popularity and vulnerability year over year, and best practices for using open source code securely. It also finds that only 52% of developers surveyed have a formal process for selecting third-party libraries, while more than a quarter are either unsure, or even unaware, whether a formal process is in place. Additionally, developers rated “Security” only the third most important consideration when selecting a library, while “Functionality” and “Licensing” took the first and second spots respectively.
Since nearly all modern applications are built using third-party open source software, a single flaw or adjustment in one library can cascade into all applications using that code, meaning that constant changes in library popularity, vulnerability, and updates have a direct impact on software security.
Read the full Veracode SoSS v11: Open Source Edition.