'Set it and forget it' attitude to open-source software has become a major security problem, says Veracode

Study finds a whole sea of outdated third-party libraries

There's a minefield of security problems bubbling under the surface of modern software, Veracode has claimed in its latest report, thanks to developers pulling third-party open-source libraries into their code bases – then never bothering to update them again.

"The vast majority of today's applications use open source code. The security of a library can change quickly, so keeping a current inventory of what's in your application is crucial," Chris Eng, Vercode's chief research officer, said. "We found that once developers pick a library, they rarely update it.

"With vendors facing increasing scrutiny around the security of their supply chain, there is simply no way to justify a 'set it and forget it' mentality. It's vital that developers keep those components up-to-date and respond quickly to new vulnerabilities as they’re discovered."

In its latest report, "State of Software Secuity v11: Open Source Edition", application testing specialist Veracode revealed that a claimed 80 per cent of included third-party libraries are never updated – and that almost all of the code repositories analysed included libraries with at least one vulnerability.

That's no small number: the company used data from 13 million scans covering 86,000 repositories, in turn containing over 301,000 unique libraries. The report also cites responses from almost 2,000 developers.

Elsewhere in the report Veracode claimed that a whopping 92 per cent of the flaws discovered in third-party libraries could be fixed by simply updating to the latest version, with two-thirds of fixes being "minor and non-disruptive to the functionality of even the most complex software applications."

The report also highlighted that a slim majority, 52 per cent, of developers claimed to have a formal process for the selection of third-party libraries, with a quarter saying they are either unsure or unaware of the existence of such a process, and that "security" is the third biggest concern when selecting a library – with "functionality" and "licensing" topping the leader board.

"Although alarming, these results are not entirely surprising," application security expert Sean Wright told The Register. "We see time and time again that libraries are often not updated. Often this comes down to libraries not being effectively tracked.

"There's a reason why this type of vulnerability has a special place in the current OWASP [Open Web Application Security Project] Top 10 list. Organisations have to start tracking the libraries which they use in their software, and ensure that any identified vulnerabilities are appropriately prioritised."

"If you want to see what happens when you don't update libraries," Wright added, "just look to the 2017 Equifax breach. That cost the organisation around $1.4bn. The fix for the underlying vulnerability could have potentially involved a single line of code."

Veracode, of course, pointed to the code-scanning technology it just so happens to provide as the solution. "The growing popularity of open-source software, combined with increasingly demanding development cycles, results in a higher propensity to software vulnerabilities," claimed Chris Wysopal, co-founder and chief technology officer.

"Scanning earlier in the process significantly reduces the risk profile, and most fixes are minor so will not impact the functionality of even the most complex software."

The full report is available to download here.

OpenUK chief executive Amanda Brock said of the report: "We are pleased to see this detailed focus emerging, as the open-source software communities working on legal and governance have evolved over the last decade to produce a number of important tools including the Open Chain, ISO approved, standard for supply chain and the SPDX Software Bill of Material (SBOM) standard, currently seeking ISO approval.

"Open source is indeed like gravity today and all around us, in a way that is inescapable, particularly in our infrastructure, due to inherent transparency and the wisdom of Linus's law – that many eyes make bugs shallow.

"In many ways I suspect the open-source code is likely better positioned to managing security risks than our friends in the proprietary world. This is not an open-source issue, but a consequence of digitalisation and a general software issue. It will be solved through open collaboration to find the best resolutions." ®

Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading
  • Internet went offline in Pakistan as protestors marched for ousted prime minister
    Two hour outage 'consistent with an intentional disruption to service' said NetBlocks

    Internet interruption-watcher NetBlocks has reported internet outages across Pakistan on Wednesday, perhaps timed to coincide with large public protests over the ousting of Prime Minister Imran Khan.

    The watchdog organisation asserted that outages started after 5:00PM and lasted for about two hours. NetBlocks referred to them as “consistent with an intentional disruption to service.”

    Continue reading
  • Suspected phishing email crime boss cuffed in Nigeria
    Interpol, cops swoop with intel from cybersecurity bods

    Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

    His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

    The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

    Continue reading

Biting the hand that feeds IT © 1998–2022