Report: Open Source Libraries Hardly Updated in Companies

A 36-page report on software security from security vendor Veracode, titled State of Software Security (SoSS) v11: Open Source Edition, released in June, gives a poor report card to the majority of third-party libraries in repositories. According to the report, nearly 80% of these libraries are never updated by the developers who use them in their software. As a result, almost all of these repositories contained libraries with at least one security vulnerability, which could be fixed with a single update in 92% of cases.

Solid foundation

Veracode’s report (download only after registration) seems to have a solid basis, as Günter Born reports in his blog. Accordingly, 13 million scans of more than 86,000 repositories with more than 301,000 libraries were analyzed for the report. In addition, some 2,000 developers were surveyed about their use of third-party software.

Fear of regressions

It becomes clear that there are two main reasons why developers do not install updates. On the one hand, this is simply forgotten in view of the large number of libraries used, even in proprietary software, and on the other hand, according to the motto “never touch a running system”, regressions introduced by updates are feared. However, the report makes it clear that 65% of such updates bring only minimal changes, which are hardly capable of causing any damage, even in complex applications.

Guidelines necessary

The most popular libraries come from tools and frameworks such as .NET, Go, JavaScript, Ruby, PHP, Python Java and Swift, although popularity can vary greatly from year to year. The report also addresses whether companies have policies when it comes to library selection and what they look like.

The takeaway is that supply chain security is a rising value in software, and the “lock in and forget” attitude of many developers is no longer sustainable. Since libraries can change quickly, an inventory of the libraries used in the company is essential, he said.

Related posts:

Bitcoin mining startup buys coal-fired power plants – and gets tax subsidies Binary optimizer: Facebook’s Bolt significantly speeds up the Linux kernel New Debian LTS version “Bullseye”: These are the innovations Raspberry Pi gets $45 million investment Linux Facts and figures Ubuntu Server NginxProxyManager Docker install Install Docker Engine on Ubuntu Does Unraid need a graphics card (GPU)? Unraid vs Freenas Intel AI accelerator meets Linux requirements for the first time Install ARK: Survival Evloved Server on Unraid Runs under WSL: First Linux malware appeared in Windows FreeBSD: Netflix streams at almost 400 GBit/s per server How to test memory with Memtest86+? Install Unraid Memtest86 Create bootable USB stick