Today, we published the open source edition of our annual State of Software Security report. Solely focused on the security of open source libraries, the report includes analysis of 13 million scans of more than 86,000 repositories, containing more than 301,000 unique libraries. In last year’s open source edition report, we looked at a snapshot of open source library use and security. This year, we went beyond the point-in-time snapshot to examine the dynamics of library development and how developers react to library changes, including the discovery of flaws. We also added some context and color to the data by conducting a survey of Veracode users to better understand their development practices and how they use third-party code. The report reveals that although open source libraries are the foundation of almost all software, it’s not a solid foundation, but rather a constantly evolving and shifting foundation. However, development practices don’t always adapt to the dynamic nature of these libraries, which is leaving organizations exposed. The report’s highlights include:
What appears secure today might not be tomorrow. We looked at the most popular libraries in 2019 vs. 2020, as well as the most popular libraries with known vulnerabilities in 2019 vs. 2020. Bottom line: You can add open source library use to the list of things that changed dramatically in 2020. What’s hot and what’s not, and what’s secure and what’s not, change rapidly: a library with no known vulnerabilities when it was added can carry a newly disclosed one a year later.
Most libraries are never updated. Despite the dynamic nature of open source libraries, developers aren’t managing them quite so dynamically. In fact, 79 percent of the time, developers never update third-party libraries after including them in a codebase. A library that is pinned at the version it was added and never revisited keeps every vulnerability disclosed against that version afterward.
Lack of information can be a roadblock. What is preventing developers from updating vulnerable open source libraries? Our survey found that a lack of contextual information can be one roadblock. Developers who report they need more information -- for instance, understanding how a vulnerable library impacts their application -- take more than seven months just to fix 50 percent of their known flaws. On the other hand, those who feel they do have the information they need fix 50 percent of flaws in just three weeks.
When alerted to vulnerable libraries, developers can act quickly. In fact, nearly 17 percent of vulnerable libraries are fixed within an hour of the scan that alerted the developer to the vulnerability; 25 percent are fixed within seven days.
Most open source security flaws require only minor fixes. 92 percent of library flaws can be fixed with an update, and 69 percent of updates are a minor version change or less -- that is, a minor or patch release under semantic versioning, which by convention should not break the library’s public API. That convention is a promise by the maintainer rather than a guarantee, so the update still needs to go through the application’s normal test suite, but it rarely requires the kind of code changes a major version bump does.
Learn more. Check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.