A few days ago Veracode (an application security company) announced in a blog post a study of the security problems caused by incorporating open source libraries into applications.
Based on scans of some 86,000 repositories and a developer survey, the study found that XNUMX% of the third-party libraries copied into a codebase are never updated afterwards.
Veracode notes in its study that the main source of security problems in applications that use open source libraries is that, instead of linking against them dynamically, many companies simply copy the libraries they need into their projects, without accounting for later updates or for fixes to bugs discovered in those libraries afterwards.
At the same time, it notes that outdated library code is a cause of security issues, and the study shows that around 92% of the cases found could be avoided simply by updating the library code.
Veracode's announcement reads: "Today we publish the open source edition of our annual State of Software Security report. Focusing exclusively on the security of open source libraries, the report includes analysis of 13 million scans from more than 86,000 repositories, containing more than 301,000 unique libraries.
In last year's open source edition report, we looked at a snapshot of the use and security of open source libraries. This year, we went beyond a point-in-time snapshot to examine the dynamics of library development and how developers react to library changes, including bug discovery."
The report also argues that the usual excuse for not updating libraries, the fear of breaking compatibility, is mostly unfounded: in about 69% of the cases studied, the vulnerabilities were fixed in patch releases that involved no functional changes.
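One way to make that finding actionable for a pinned codebase is to audit the manifest against an advisory feed and classify each required fix by whether it is only a patch-level upgrade, a minor bump, or a major bump. The example below is added here and is not Veracode's code or part of the report; the manifest, package names, version numbers and advisory identifiers are constructed for illustration, and the classification assumes the libraries follow semantic versioning (for projects that do not, "patch" carries no compatibility guarantee).

```python
"""Audit a pinned dependency manifest against an advisory feed and classify
each required fix as a patch, minor or major upgrade.

Added example, not Veracode's code. All package names, versions and
advisory identifiers below are constructed; none refer to real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True, order=True)
class Version:
    """Semantic version; field order makes tuple-style comparison work."""
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> "Version":
        # Accept "1.2.3" or "v1.2.3"; a missing patch component ("1.2") reads as 1.2.0.
        parts = text.strip().lstrip("v").split(".")
        if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"unsupported version string: {text!r}")
        nums = [int(p) for p in parts] + [0] * (3 - len(parts))
        return cls(*nums)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


# Constructed advisory feed. Each advisory lists affected ranges as half-open
# intervals [introduced, fixed); a version is vulnerable if it falls inside any
# of them. Two ranges model a fix backported to an older release line.
ADVISORIES: Dict[str, List[dict]] = {
    "cryptolib": [{"id": "EXAMPLE-ADV-001",
                   "ranges": [("0.0.0", "2.3.5"), ("3.0.0", "3.0.1")]}],
    "webframework": [{"id": "EXAMPLE-ADV-002", "ranges": [("1.0.0", "1.9.0")]}],
    "parsekit": [{"id": "EXAMPLE-ADV-003", "ranges": [("0.0.0", "1.0.0")]}],
}


def parse_manifest(text: str) -> Dict[str, Version]:
    """Parse 'name==version' lines (requirements.txt style); skip blanks and comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"only exact pins are supported: {line!r}")
        pins[name.strip().lower()] = Version.parse(version)
    return pins


def upgrade_kind(current: Version, target: Version) -> str:
    """Classify the jump by the highest version component that changes."""
    if target.major != current.major:
        return "major"
    if target.minor != current.minor:
        return "minor"
    return "patch"


def smallest_fix(current: Version, ranges) -> Optional[Version]:
    """Lowest fixed version above current, or None if current is not affected."""
    fix = None
    for introduced, fixed in ranges:
        lo, hi = Version.parse(introduced), Version.parse(fixed)
        if lo <= current < hi and (fix is None or hi < fix):
            fix = hi
    return fix


def audit(manifest_text: str, advisories=ADVISORIES) -> List[dict]:
    """Report each pinned library with an advisory and the smallest upgrade that clears it."""
    findings = []
    for name, current in parse_manifest(manifest_text).items():
        for adv in advisories.get(name, []):
            fix = smallest_fix(current, adv["ranges"])
            if fix is not None:
                findings.append({"package": name, "current": str(current),
                                 "advisory": adv["id"], "fix": str(fix),
                                 "kind": upgrade_kind(current, fix)})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by upgrade kind, to show how much of the backlog is patch-only."""
    counts = {"patch": 0, "minor": 0, "major": 0}
    for f in findings:
        counts[f["kind"]] += 1
    return counts


# Constructed manifest: one stale pin on each axis.
SAMPLE_MANIFEST = """
# pinned long ago and never touched
cryptolib==2.3.4
webframework==1.8.0
parsekit==0.9.2
"""

if __name__ == "__main__":
    results = audit(SAMPLE_MANIFEST)
    for f in results:
        print(f"{f['package']} {f['current']} -> {f['fix']} ({f['kind']}) fixes {f['advisory']}")
    print(summarize(results))
```

Running it on the constructed manifest reports a patch-only fix for cryptolib (2.3.4 to 2.3.5, the backported line), a minor bump for webframework and a major bump for parsekit. Picking the lowest fixed version above the current pin, rather than the latest release, is what keeps the "patch release" category honest: a team can apply those fixes first and schedule the compatibility-sensitive upgrades separately.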
The report reveals that while open source libraries are the foundation of almost all software, it is not a solid foundation, but rather a foundation that is constantly evolving and changing. However, development practices do not always adapt to the dynamic nature of these libraries, leaving organizations exposed.
The report also notes that how developers learn about a vulnerability affects how fast it is fixed: when developers were notified of a problem in a library, 17% of the cases were fixed within an hour and 25% within a week.
When information was available on how the library vulnerability could be used to compromise an application, a patch was released within three weeks in 50% of cases; without that information, removing the vulnerability took seven months or more.
A quarter of the developers surveyed said that when choosing a library to embed, they focus first on functionality and on the code's license, and only then consider security.
From the same post: "We look at the most popular libraries in 2019 vs. 2020, as well as the most popular libraries with known vulnerabilities in 2019 vs. 2020. Bottom line: you can add the use of open source libraries to the list of things that changed dramatically in 2020. What's hot and what's not, and what's safe and what's not, changes quickly."
It should be noted that license verification is no better: 54% of respondents admitted that they do not always check a library's license before integrating it into their product, and only 27% of respondents make license compatibility verification mandatory.
Finally, if you are interested in learning more about the Veracode study, you can consult the details at the link below.