Open source libraries are evolving, and without periodic updates, security could be compromised for both the library and the developers using it
Most applications today are built with third-party open source software. Yet third-party libraries are rarely updated once they are pulled into a codebase. According to Veracode research, 79 percent of the time the libraries are not updated, even though over two-thirds of the fixes are minor and would not break even the most complex functionality of a software application.
Experts note that even the smallest change or flaw in a library can affect every application that uses it, so a library choice carries security risk. Surprisingly, security is not among the top two considerations when developers select a library. Licensing is given more weight, but developers need to understand that security should not be underestimated.
Open source libraries are constantly evolving, and without periodic updates, security could be compromised. As a result, vendors and users of software could become vulnerable to cyber threats. Over the years, many kinds of change can introduce vulnerabilities into a library, and the popularity of libraries fluctuates as a result.
For instance, four of the five popular libraries in Ruby lost their spots in the 2020 Top 10 list, and some of the most vulnerable Go libraries in 2019 became less vulnerable in the following year. An update can also fix open source library flaws.
The Veracode research experts analyzed 12 million scans of over 86,000 repositories that contained over 301,000 libraries. They also surveyed 2,000 developers to understand their third-party software usage.
The results indicated that updates fix library flaws 92 percent of the time, and around 69 percent of those updates are minor tweaks. Security experts suggest that organizations maintain a current inventory of all the components in an application.
The US government's recent Executive Order on Cybersecurity pays special attention to the software supply chain and will effectively force developers to list their components. Nearly 25 percent of the order focuses on this issue, and software vendors will now have to disclose their software composition and show that it has been through automated testing. Experts consider scanning an effective strategy for staying ahead of risk; developers should also scan their software in the early stages of the development cycle to significantly reduce their risk profile.
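To show what a current inventory of components gives a developer in practice, here is an added Python example (not code from the article or from Veracode): it builds an inventory from a constructed pinned manifest, matches it against a constructed advisory list, and classifies each available fix as a minor or major update. The package names, versions and advisory identifiers are all made up for illustration.

```python
from dataclasses import dataclass

# Constructed sample manifest: one pinned "name==version" per line (fictitious packages).
MANIFEST = """\
acme-http==2.19.0
acme-tls==1.26.5
# comment lines and blanks are ignored
acme-yaml==5.3
"""

# Constructed advisories with placeholder ids: versions below "fixed" are affected.
ADVISORIES = {
    "acme-http": {"id": "ADV-EXAMPLE-1", "fixed": "2.20.0"},
    "acme-yaml": {"id": "ADV-EXAMPLE-2", "fixed": "5.4"},
}

@dataclass
class Finding:
    name: str
    installed: str
    fixed: str
    advisory: str
    update_kind: str  # "minor" (patch/minor bump) or "major"

def parse_version(v):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def build_inventory(manifest):
    """Return {name: version} from pinned 'name==version' lines, skipping comments."""
    inventory = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        inventory[name.lower()] = version
    return inventory

def classify_update(installed, fixed):
    """Major bump if the leading version component changes, otherwise minor."""
    return "major" if parse_version(installed)[0] != parse_version(fixed)[0] else "minor"

def check_inventory(manifest, advisories=ADVISORIES):
    """Match each inventoried component against the advisory list and report fixes."""
    findings = []
    for name, version in build_inventory(manifest).items():
        adv = advisories.get(name)
        if adv and parse_version(version) < parse_version(adv["fixed"]):
            findings.append(Finding(name, version, adv["fixed"], adv["id"],
                                    classify_update(version, adv["fixed"])))
    return findings
```

Running `check_inventory(MANIFEST)` reports the two affected components, both fixable by a minor update; a component that already meets the fixed version produces no finding.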
One of the main reasons developers do not update open source libraries is a lack of understanding of the relationship between their applications and the vulnerable parts of the library. The survey revealed that only 52 percent of developers had a formal process for selecting third-party libraries; the rest were either unsure or unaware.
Developers who lack this information take over seven months to fix even half of their flaws, whereas with proper understanding they can do so within three weeks. Additionally, with timely alerts about a vulnerable library, developers address around 17 percent of flaws within an hour of the alert and 25 percent within a week.