Report: Open Source Libraries Hardly Updated in Companies

Report: Open Source Libraries Hardly Updated in Companies

September 21, 2021 0 By Tobias
Article Read aloud.

A 36-page report on software security from security vendor Veracode, titled State of Software Security (SoSS) v11: Open Source Edition, released in June, gives a poor report card to the majority of third-party libraries in repositories. According to the report, nearly 80% of these libraries are never updated by the developers who use them in their software. As a result, almost all of these repositories contained libraries with at least one security vulnerability, which could be fixed with a single update in 92% of cases.

Solid foundation

Veracode’s report (download only after registration) seems to have a solid basis, as Günter Born reports in his blog. Accordingly, 13 million scans of more than 86,000 repositories with more than 301,000 libraries were analyzed for the report. In addition, some 2,000 developers were surveyed about their use of third-party software.

Fear of regressions

It becomes clear that there are two main reasons why developers do not install updates. On the one hand, this is simply forgotten in view of the large number of libraries used, even in proprietary software, and on the other hand, according to the motto “never touch a running system”, regressions introduced by updates are feared. However, the report makes it clear that 65% of such updates bring only minimal changes, which are hardly capable of causing any damage, even in complex applications.

Guidelines necessary

The most popular libraries come from tools and frameworks such as .NET, Go, JavaScript, Ruby, PHP, Python Java and Swift, although popularity can vary greatly from year to year. The report also addresses whether companies have policies when it comes to library selection and what they look like.

The takeaway is that supply chain security is a rising value in software, and the “lock in and forget” attitude of many developers is no longer sustainable. Since libraries can change quickly, an inventory of the libraries used in the company is essential, he said.