Station 9, a special research team established by Endor Labs to find vulnerabilities in the application development process, has released its first study.
“The State Of Dependency Management,” a new report from Endor Labs, a startup focused on securing the reuse of open source software in application development, provides an unprecedented look at the pervasive but frequently unmonitored use of existing open source software in application development and the risks associated with it. As one illustration, the study shows that a startling 95% of all vulnerabilities are discovered in transitive dependencies, which are open source code packages that are not directly chosen by developers but are nevertheless drawn into projects.
This is the inaugural report from Station 9, a research platform created by Endor Labs that brings together experts from many fields around the globe. Station 9 is led by Georgios Gousios, who heads software analysis, and Henrik Plate, who heads security research, and it is committed to detecting weaknesses in the software supply chain and identifying remedies for them.
The latest paper from Station 9 provides a thorough review of the difficulties associated with the use of open source software and shows that standard approaches to vulnerability mitigation need to be examined much more carefully. The issue isn’t simply the broad use of open source code in new apps; rather, it’s the fact that developers directly choose only a small fraction of the packages their software depends on. The remaining dependencies are “transitive” or indirect ones that are automatically added to the codebase. This creates the conditions for significant potential vulnerabilities that can affect development and security alike.
The investigation’s findings include the following:
- Transitive dependencies contain 95% of all vulnerabilities, making it very challenging for engineers to determine the full severity of these problems or even whether they can be fixed at all.
- Determining criticality is not an easy task, as shown by a comparison of the two most popular community initiatives that attempt it—Census II and OpenSSF Criticality Scores. Organizations must decide for themselves which open source projects are critical, because 75% of the packages in Census II have a Criticality Score of less than 0.64.
- Recent supply chain attacks have benefited greatly from dependency confusion, yet these attacks are often undetectable by the risk indicators covered by widely adopted efforts.
- Maintenance gaps are a looming problem: 30% of the most popular Census II packages had their most recent release before 2018, and 50% of them had no release until 2022. Both can lead to major operational and security problems in the future.
- New does not equate to secure: Even after updating to a package’s most recent version, there is still a 32% risk that it has known security flaws.
- The most crucial factor in prioritisation is reachability; disregarding flaws in test dependencies, or basing decisions only on security metrics (such as CVSS scores), reduces the number of vulnerabilities to consider by only 20%.
The purpose of Station 9, which takes its name from the research centre on Endor in the Star Wars universe, is to study the difficulties involved in using open source software in the workplace and to provide guidelines and best practices for choosing, securing, and managing OSS. In the near future, the team will continue to publish new findings through publications, presentations at trade shows, and other means.