- The most flawed libraries tend to end up in code indirectly: 47 per cent of flawed libraries found in applications are transitive dependencies
- Library-introduced flaws in most applications can be fixed with only a minor version update; major library upgrades are not usually required
Seven in 10 applications have a security flaw in an open source library on initial scan, according to new research by Veracode. It highlighted how the use of open source can introduce flaws, increase risk, and add to security debt.
The Veracode State of Software Security (SOSS): Open Source Edition analysed the component open source libraries across the Veracode platform database of 85,000 applications. This accounted for 351,000 unique external libraries. It said that nearly all modern applications, including those sold commercially, are built using some open source components. It added that a single flaw in one library can cascade to all applications that leverage that code.
Chris Eng, chief research officer at Veracode said, “Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies. In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure.”
Common Vulnerabilities and Exposures
The research stated that open source libraries are ubiquitous and pose risks, but fixes are available. The most commonly included libraries are present in over 75 per cent of applications for each language. It added that the most flawed libraries end up in code indirectly: 47 per cent of the flawed libraries found in applications are transitive. That means they are not pulled in directly by developers, but are pulled in by upstream libraries that the application does depend on directly.
As per the research, library-introduced flaws in most applications can be fixed with only a minor version update; major library upgrades are not usually required. It also said that not all library flaws have Common Vulnerabilities and Exposures (CVE) identifiers. What this means is that developers cannot rely only on CVEs to understand library flaws. For example, more than 61 per cent of flawed libraries in JavaScript contain vulnerabilities without corresponding CVEs.
The research also pointed out that some language ecosystems tend to pull in many more transitive dependencies than others. It added that in more than 80 per cent of JavaScript, Ruby, and PHP applications, the majority of libraries are transitive dependencies.
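The two points above (flaws arriving through transitive dependencies, and fixes that are usually only a minor version away) are easier to act on when you can see how each library got into the application. The following is an added example, not code from the Veracode report or its platform: it walks a small, constructed npm-style dependency graph, classifies each library as direct or transitive, records the path that introduced it, matches it against a constructed advisory list in which some entries have no CVE identifier, and labels the fix as a patch, minor or major upgrade. All package names, versions and advisories below are invented for illustration.

```python
"""Classify an application's libraries as direct or transitive, match them
against advisories, and say how big the fixing upgrade would be."""
from collections import deque

# Constructed sample data (not from the Veracode report). The application
# declares two direct dependencies; everything else arrives transitively.
DIRECT_DEPS = {"web-framework": "4.2.0", "template-engine": "1.8.3"}

# Each (library, version) and the dependencies it resolves to.
LIBRARY_DEPS = {
    ("web-framework", "4.2.0"): {"http-parser": "2.1.0", "query-string": "6.0.1"},
    ("template-engine", "1.8.3"): {"html-escape": "0.9.4"},
    ("http-parser", "2.1.0"): {"cookie-jar": "3.0.2"},
    ("query-string", "6.0.1"): {},
    ("html-escape", "0.9.4"): {},
    ("cookie-jar", "3.0.2"): {},
}

# Constructed advisories. "has_cve" is False where no CVE was assigned, which
# the report says is common; an advisory feed that only carries CVEs would
# miss those entries entirely.
ADVISORIES = [
    {"name": "cookie-jar", "vulnerable_below": "3.0.5", "fixed": "3.0.5", "has_cve": True},
    {"name": "html-escape", "vulnerable_below": "1.0.0", "fixed": "1.0.0", "has_cve": False},
    {"name": "query-string", "vulnerable_below": "6.1.0", "fixed": "6.1.0", "has_cve": False},
    {"name": "template-engine", "vulnerable_below": "1.9.0", "fixed": "1.9.0", "has_cve": True},
    {"name": "http-parser", "vulnerable_below": "2.0.0", "fixed": "2.0.0", "has_cve": True},
]


def parse_version(version):
    """'1.8.3' -> (1, 8, 3); tuples compare correctly component by component."""
    return tuple(int(part) for part in version.split("."))


def upgrade_kind(current, fixed):
    """Which semver component has to move to reach the fixed version."""
    cur, fix = parse_version(current), parse_version(fixed)
    if fix[0] != cur[0]:
        return "major"
    if fix[1] != cur[1]:
        return "minor"
    return "patch"


def resolve_graph(direct, library_deps):
    """Breadth-first walk from the direct dependencies.

    Returns {name: {"version", "transitive", "path"}} where "path" is the
    shortest chain of libraries that pulled the package in.
    """
    resolved = {}
    queue = deque((name, ver, [name]) for name, ver in direct.items())
    while queue:
        name, version, path = queue.popleft()
        if name in resolved:
            continue  # already reached by a shorter path
        resolved[name] = {"version": version, "transitive": len(path) > 1, "path": path}
        for child, child_version in library_deps.get((name, version), {}).items():
            queue.append((child, child_version, path + [child]))
    return resolved


def transitive_share(graph):
    """Fraction of resolved libraries that the developer never asked for."""
    return sum(1 for lib in graph.values() if lib["transitive"]) / len(graph)


def assess(direct, library_deps, advisories):
    """Match resolved libraries against advisories and describe each finding."""
    graph = resolve_graph(direct, library_deps)
    findings = []
    for adv in advisories:
        lib = graph.get(adv["name"])
        if lib is None:
            continue  # library not in this application
        if parse_version(lib["version"]) >= parse_version(adv["vulnerable_below"]):
            continue  # already on a fixed version
        findings.append({
            "name": adv["name"],
            "version": lib["version"],
            "transitive": lib["transitive"],
            "path": " -> ".join(lib["path"]),
            "has_cve": adv["has_cve"],
            "fix": adv["fixed"],
            "upgrade": upgrade_kind(lib["version"], adv["fixed"]),
        })
    return findings


if __name__ == "__main__":
    graph = resolve_graph(DIRECT_DEPS, LIBRARY_DEPS)
    print(f"{transitive_share(graph):.0%} of libraries are transitive")
    for f in assess(DIRECT_DEPS, LIBRARY_DEPS, ADVISORIES):
        origin = "transitive" if f["transitive"] else "direct"
        cve = "CVE" if f["has_cve"] else "no CVE"
        print(f"{f['name']} {f['version']} ({origin}, {cve}) via {f['path']}: "
              f"{f['upgrade']} upgrade to {f['fix']}")
```

On the constructed data, four of the six libraries are transitive, three of the four findings arrive through an upstream library, two of them have no CVE, and only one (a 0.x library moving to 1.0.0) needs a major upgrade. The `path` field is what you take to the owner of the direct dependency when the fix is not something you can apply in your own manifest.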
Language selection
As per the research, the language selection makes a difference both in terms of the size of the ecosystem and in the prevalence of flaws in those ecosystems. Any PHP library has a greater than 50 per cent chance of bringing a security flaw along with it.
The report stated, “Among the OWASP Top Ten flaws, weaknesses around access control are the most common, representing over 25 per cent of all flaws. Cross-Site Scripting is the most common vulnerability category found in open source libraries – found in 30 per cent of libraries – followed by insecure deserialisation (23.5 per cent) and broken access control (20.3 per cent).”