Report: Open Source Libraries Hardly Updated in Companies
September 21, 2021
A 36-page report on software security from security vendor Veracode, titled State of Software Security (SoSS) v11: Open Source Edition, released in June, gives a poor report card to the majority of third-party libraries in repositories. According to the report, nearly 80% of these libraries are never updated by the developers who use them in their software. As a result, almost all of these repositories contained libraries with at least one security vulnerability, which could be fixed with a single update in 92% of cases.
Veracode’s report (download only after registration) appears to rest on a solid data basis, as Günter Born reports in his blog: 13 million scans of more than 86,000 repositories containing more than 301,000 libraries were analyzed for the report, and some 2,000 developers were also surveyed about their use of third-party software.
Fear of regressions
Two main reasons emerge for why developers do not install updates. On the one hand, updating is simply forgotten given the large number of libraries in use, even in proprietary software; on the other hand, developers fear regressions introduced by updates, following the motto “never touch a running system”. The report, however, makes clear that 65% of such updates bring only minimal changes, which are hardly capable of causing damage even in complex applications.
The takeaway is that supply chain security is becoming an increasingly important property of software, and the “lock in and forget” attitude of many developers is no longer sustainable. Since libraries can change quickly, an inventory of the libraries used in the company is essential, he said.
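The inventory the article calls for can start as something very simple: a list of every pinned third-party library, the version currently in use, and how far behind the newest release it is. The script below is an added example and is not code from the article, from Günter Born or from Veracode. It parses a constructed requirements.txt-style manifest and compares each pin against a constructed table that stands in for a registry lookup (the package names and versions are illustrative, not real release data), then classifies each pending update as patch, minor or major so that the “minimal change” updates the report mentions can be separated from riskier major bumps.

```python
"""Dependency inventory with update-size classification.

Added example, not part of the article or of Veracode's report. It assumes a
requirements.txt-style manifest with exact pins (constructed sample below) and a
constructed table of "latest known versions" in place of a live registry query,
so it runs fully offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample manifest, as a team might check it into the repository.
SAMPLE_MANIFEST = """
# constructed sample, not a real project's lockfile
requests==2.25.1
urllib3==1.26.5
pyyaml==5.4.1
jinja2==3.0.1
cryptography==3.4.8
"""

# Constructed stand-in for a registry lookup; the versions are illustrative only.
LATEST_KNOWN: Dict[str, str] = {
    "requests": "2.25.1",      # up to date
    "urllib3": "1.26.9",       # patch-level bump pending
    "pyyaml": "6.0",           # major bump pending
    "jinja2": "3.1.2",         # minor bump pending
    "cryptography": "3.4.8",   # up to date
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {name: pinned_version} for every `name==version` line.

    Comments and blank lines are skipped; names are lower-cased so they match
    the registry table regardless of how the manifest spells them.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into leading integer components ("1.26.9" -> (1, 26, 9))."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts)


def _pad(t: Tuple[int, ...], n: int = 3) -> Tuple[int, ...]:
    """Normalise to exactly n components so "6.0" compares as (6, 0, 0)."""
    return tuple(list(t) + [0] * (n - len(t)))[:n]


def classify_update(current: str, latest: str) -> str:
    """Return 'current', 'patch', 'minor' or 'major' for the pending update."""
    cur, new = _pad(parse_version(current)), _pad(parse_version(latest))
    if new <= cur:
        return "current"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


@dataclass
class InventoryEntry:
    name: str
    pinned: str
    latest: str       # "?" when the registry table has no entry for the package
    update: str       # classify_update() result, or "unknown"


def build_inventory(manifest_text: str, latest_known: Dict[str, str]) -> List[InventoryEntry]:
    """Produce one inventory row per pinned library, in manifest order."""
    rows = []
    for name, pinned in parse_manifest(manifest_text).items():
        latest = latest_known.get(name)
        if latest is None:
            rows.append(InventoryEntry(name, pinned, "?", "unknown"))
        else:
            rows.append(InventoryEntry(name, pinned, latest, classify_update(pinned, latest)))
    return rows


def summarize(rows: List[InventoryEntry]) -> Dict[str, int]:
    """Count rows per update class, e.g. {'current': 2, 'patch': 1, ...}."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r.update] = counts.get(r.update, 0) + 1
    return counts


def low_risk_share(rows: List[InventoryEntry]) -> float:
    """Fraction of pending updates that are only patch or minor bumps (0.0 if none pending)."""
    pending = [r for r in rows if r.update in ("patch", "minor", "major")]
    if not pending:
        return 0.0
    return sum(1 for r in pending if r.update != "major") / len(pending)


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_MANIFEST, LATEST_KNOWN)
    for row in inventory:
        print(f"{row.name:<14} {row.pinned:<10} -> {row.latest:<10} {row.update}")
    print("summary:", summarize(inventory))
    print(f"share of pending updates that are patch/minor: {low_risk_share(inventory):.0%}")
```

Run as-is, the script lists five libraries, three of them behind, and reports that two of the three pending updates are patch or minor bumps. In a real deployment the `LATEST_KNOWN` table would be replaced by a registry or vulnerability-database query and the manifest by the project's actual lockfile; the classification logic stays the same and gives reviewers a quick way to prioritise the small, low-regression-risk updates the report says make up the majority.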