Veracode’s State of Software Security: Open Source Edition examines the cascading effect of flaws in open source libraries widely used to create applications
BURLINGTON, Mass. – May 19, 2020 – Veracode, the largest independent global provider of application security testing (AST) solutions, today released new research that finds seven in 10 applications have a security flaw in an open source library on initial scan, highlighting how use of open source can introduce flaws, increase risk, and add to security debt.
The Veracode State of Software Security (SOSS): Open Source Edition analyzed the component open source libraries across the Veracode platform database of 85,000 applications, accounting for 351,000 unique external libraries. Nearly all modern applications, including those sold commercially, are built using some open source components. A single flaw in one library can cascade to all applications that leverage that code. According to Chris Eng, Chief Research Officer at Veracode, “Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies. In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure.”
Key findings include:
Open source libraries are ubiquitous and pose risks — but fixes are available
- The most commonly included libraries are present in over 75% of applications for each language.
- Most flawed libraries end up in code indirectly: 47% of those flawed libraries in applications are transitive – in other words, not pulled in directly by developers, but are being pulled in by upstream libraries. Library-introduced flaws in most applications can be fixed with only a minor version update; major library upgrades are not usually required.
- Not all libraries have Common Vulnerabilities and Exposures (CVEs) - this means developers can’t rely only on CVEs to understand library flaws. For example, more than 61% of flawed libraries in JavaScript contain vulnerabilities without corresponding CVEs.
Language makes a difference
- Some language ecosystems tend to pull in many more transitive dependencies than others. In more than 80% of JavaScript, Ruby, and PHP applications, the majority of libraries are transitive dependencies.
- Language selection makes a difference both in terms of the size of the ecosystem and in the prevalence of flaws in those ecosystems. Including any given PHP library has a greater than 50% chance of bringing a security flaw along with it.
- Among the OWASP Top Ten flaws, weaknesses around access control are the most common, representing over 25% of all flaws. Cross-Site Scripting is the most common vulnerability category found in open source libraries – found in 30% of libraries – followed by insecure deserialization (23.5%) and broken access control (20.3%).
Click here to download Veracode’s State of Software Security: Open Source Edition and click here to learn more about Veracode Software Composition Analysis.
About Veracode
Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.
Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and Twitter.
Copyright © 2024 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.
Press and Media Contacts
Veracode:
Katy Gwilliam,
Head of Global Communications, Veracode
kgwilliam@veracode.com
+44.7584.341.110
Related Links
veracode.com