Skip to main content

Open source software can be a security time bomb for businesses

Developers
(Image credit: Shutterstock)

A majority of developers never update third-party open source libraries after including them in a codebase, a new report has found.

Compiled by app security firm Veracode, the report is based on an analysis of 13 million scans of more than 86,000 repositories, with a total of over 301,000 unique open source libraries.

Based on its analysis, Veracode discovered almost all the scanned repositories include libraries with at least one vulnerability. 

“The security of a library can change quickly, so keeping a current inventory of what’s in your application is crucial. We found that once developers pick a library, they rarely update it. With vendors facing increasing scrutiny around the security of their supply chain, there is simply no way to justify a ‘set it and forget it’ mentality,” said Chris Eng, Chief Research Officer at Veracode.

Software bill-of-materials

Veracode argues that since nearly all modern applications are built using third-party open source software, a single flaw in one library can quickly cascade into all apps using that code.

The report reveals that a good majority (92%) of flaws in the open source libraries can be fixed with an update, with most of them (69%) being only a minor update.

Furthermore, even when an update results in additional updates, nearly two-thirds of these will be only a minor version change and are unlikely to break functionality of even the most complex applications.

The revelations in the report give color to the recent US presidential order that mandates a software bill-of-materials (SBOM) from vendors supplying software solutions to US government agencies, to ensure the entire codebase is secure.

Eng stresses that it’s vital that developers keep the libraries up-to-date and respond quickly to new vulnerabilities as they’re discovered to ensure security throughout the software supply chain.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.