Compiled by app security firm Veracode, the report (opens in new tab) is based on an analysis of 13 million scans of more than 86,000 repositories, with a total of over 301,000 unique open source libraries.
Based on its analysis, Veracode discovered almost all the scanned repositories include libraries with at least one vulnerability.
- These are the best endpoint protection tools (opens in new tab)
- Check our list of the best firewall apps and services (opens in new tab)
- Protect your devices with these best antivirus software (opens in new tab)
“The security of a library can change quickly, so keeping a current inventory of what’s in your application is crucial. We found that once developers pick a library, they rarely update it. With vendors facing increasing scrutiny around the security of their supply chain, there is simply no way to justify a ‘set it and forget it’ mentality,” said Chris Eng, Chief Research Officer at Veracode.
Veracode argues that since nearly all modern applications are built using third-party open source software, a single flaw in one library can quickly cascade into all apps using that code.
The report reveals that a good majority (92%) of flaws in the open source libraries can be fixed with an update, with most of them (69%) being only a minor update.
Furthermore, even when an update results in additional updates, nearly two-thirds of these will be only a minor version change and are unlikely to break functionality of even the most complex applications.
The revelations in the report give color to the recent US presidential order that mandates a software bill-of-materials (opens in new tab) (SBOM) from vendors supplying software solutions to US government agencies, to ensure the entire codebase is secure.
Eng stresses that it’s vital that developers keep the libraries up-to-date and respond quickly to new vulnerabilities as they’re discovered to ensure security throughout the software supply chain.
- Subscribe to Linux Format magazine (opens in new tab) for more Linux and open source goodness