Open source security flaws found in 70 percent of applications


New research from application security specialist Veracode finds seven in 10 applications have a security flaw in an open source library on initial scan, highlighting how use of open source can introduce flaws, increase risk, and add to security debt.

The study analyzed the component open source libraries across the Veracode platform database of 85,000 applications, accounting for 351,000 unique external libraries. Nearly all modern applications, including those sold commercially, are built using some open source components.

This means that a single flaw in one library will cascade to all applications using that code. According to Chris Eng, chief research officer at Veracode, "Open source software has a surprising variety of flaws. An application's attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies. In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure."

Other findings include that the most commonly included libraries are present in over 75 percent of applications for each language. Most flawed libraries end up in code indirectly: 47 percent of the flawed libraries found in applications are transitive -- in other words, not pulled in directly by developers but by upstream libraries. Library-introduced flaws in most applications can be fixed with only a minor version update; major library upgrades are not usually required.

Not every flawed library has a Common Vulnerabilities and Exposures (CVE) entry -- this means developers can't rely only on CVEs to understand library flaws. For example, more than 61 percent of flawed libraries in JavaScript contain vulnerabilities without corresponding CVEs.

In addition, some language ecosystems tend to pull in many more transitive dependencies than others. In more than 80 percent of JavaScript, Ruby, and PHP applications, for example, the majority of libraries are transitive dependencies.
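As an added illustration (not code from the report or this article), the two findings above can be measured over a dependency inventory: resolve the full tree, then ask what share of flawed libraries are transitive and what share of flaws have no CVE. The dependency graph, library names and advisory list below are constructed, and the CVE strings are placeholders rather than real identifiers.

```python
from collections import deque

# Constructed dependency graph: each key is a library, its value the
# libraries it pulls in. "app" is the application's own manifest.
DEPS = {
    "app": ["web-framework", "http-client", "logger"],
    "web-framework": ["template-engine", "router"],
    "template-engine": ["string-utils"],
    "router": [],
    "http-client": ["string-utils", "tls-shim"],
    "logger": [],
    "string-utils": [],
    "tls-shim": [],
}

# Constructed advisory feed: flawed libraries, with or without a CVE.
# The CVE strings are placeholders, not real identifiers.
ADVISORIES = {
    "template-engine": "CVE-0000-0001",  # placeholder id
    "string-utils": None,                # flaw reported, no CVE assigned
    "tls-shim": None,                    # flaw reported, no CVE assigned
    "logger": "CVE-0000-0002",           # placeholder id
}

def resolve(graph, root="app"):
    """Return (direct, transitive) sets reachable from root via BFS."""
    direct = set(graph.get(root, []))
    seen, queue = set(direct), deque(direct)
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return direct, seen - direct  # a lib that is also direct counts as direct

def share(part, whole):
    return len(part) / len(whole) if whole else 0.0

def flaw_report(graph, advisories, root="app"):
    """Summarise how many flawed libraries are transitive or lack a CVE."""
    direct, transitive = resolve(graph, root)
    every = direct | transitive
    flawed = {lib for lib in every if lib in advisories}
    return {
        "libraries": len(every),
        "transitive_share": share(transitive, every),
        "flawed": sorted(flawed),
        "flawed_transitive_share": share(flawed & transitive, flawed),
        "flawed_without_cve_share": share(
            {lib for lib in flawed if advisories[lib] is None}, flawed),
    }
```

Pointing the same two functions at a real lockfile-derived graph and an SCA advisory export gives the inventory view the report describes: which flaws you would miss by tracking only direct dependencies or only CVE-numbered issues.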

You can find out more in the full report which is available from the Veracode site.

Image credit: Artur Szczybylo/Shutterstock


© 1998-2025 BetaNews, Inc. All Rights Reserved. About Us - Privacy Policy - Cookie Policy - Sitemap.