Research from Veracode suggests that 70 percent of apps have security flaws due to their use of open-source libraries.
The application security firm set out to determine the risk one flawed library can pose to software. For its The State of Software Security (SOSS): Open Source Edition report, Veracode analysed 351,000 libraries across the Veracode platform database of 85,000 applications.
On an initial scan, 70 percent of applications were found to have a security flaw resulting from the use of an open-source library.
Chris Eng, Chief Research Officer at Veracode, said:
“Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies.
In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure.”
Other key findings in the report include:
- Around 47 percent of flawed libraries end up in code through being pulled in by upstream libraries.
- Most flaws in libraries can be fixed with a minor version update, major upgrades are not usually required.
- More than 61% of flawed libraries in JavaScript contain vulnerabilities without corresponding Common Vulnerabilities and Exposures (CVEs).
Not all programming languages are affected equally. Veracode found that the majority of libraries are transitive dependencies in more than 80 percent of JavaScript, Ruby, and PHP applications.
PHP libraries pose a higher risk; with a greater than 50% chance of having a security flaw.
You can find a full copy of Veracode’s report here.
