Open source security flaws found in 70 percent of applications
New research from application security specialist Veracode finds seven in 10 applications have a security flaw in an open source library on initial scan, highlighting how use of open source can introduce flaws, increase risk, and add to security debt.
The study analyzed the component open source libraries across the Veracode platform database of 85,000 applications, accounting for 351,000 unique external libraries. Nearly all modern applications, including those sold commercially, are built using some open source components.
This means that a single flaw in one library will cascade to all applications using that code. According to Chris Eng, chief research officer at Veracode, "Open source software has a surprising variety of flaws. An application's attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies. In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure."
Among other findings are that the most commonly included libraries are present in over 75 percent of applications for each language. Most flawed libraries end up in code indirectly, 47 percent of those flawed libraries in applications are transitive -- in other words, not pulled in directly by developers, but are being pulled in by upstream libraries. Library-introduced flaws in most applications can be fixed with only a minor version update; major library upgrades are not usually required.
You can find out more in the full report which is available from the Veracode site.