
Most Developers Never Update Third-Party Libraries in Their Software: Report

Most developers never update third-party libraries after including them in their software, a new report from application security company Veracode reveals.


Compiled in partnership with the Cyentia Institute, Veracode’s latest State of Software Security report focuses on open source software and the manner in which developers approach the security of third-party libraries they use.

An analysis of more than 86,000 repositories containing over 300,000 unique libraries and discussions with more than 1,700 developers revealed that, although the open source landscape is constantly changing and libraries are continuously evolving, 79% of libraries are never updated after being included in software.

While some developers act quickly when learning of vulnerabilities in the libraries they use (25% of bugs are addressed within a week), half of the security holes remain unpatched seven months after fixes are released. The report attributes the delay to developers lacking the information they need to take immediate action.

“When developers understand the implications of vulnerabilities and appropriately prioritize security, they can fix most flaws easily,” Veracode notes. In fact, half of vulnerabilities are addressed within three weeks when developers have the information they need.

[Also read: Library Dependencies and the Open Source Supply Chain Nightmare]

The report also discovered that the majority of vulnerabilities in third-party libraries (92%) can be patched with a single update and that 69% of the updates represent minor version changes, unlikely to break application functionality.

More than half of the surveyed developers (52.5%) have a formal process in place for evaluating libraries, 28.4% said they were unsure (they either have no formal process, or are unaware of one that exists and therefore do not follow it), and 19.1% admitted having no such process. Overall, more than 80% of the developers said they consider security when choosing to use a library.


“Developing, sharing, and following a unified policy can be difficult among large and disparate teams, likely leading to the uncertainty,” Veracode notes.

Recurrent scanning of tens of thousands of repositories has revealed that 65.0% of the libraries that appear in the first scan are never updated. Furthermore, 14% of the libraries are added after the first scan and never updated, for a total of 79% of libraries being added and forgotten.

When the analysis is restricted to repositories with relatively long lifespans and many scans, the results don’t differ by much: 73% of libraries are never updated. The report also shows that Ruby libraries are neglected the most (in 67.1% of cases), while PHP is being maintained the most (only 37.7% of PHP libraries are added and then neglected).

Another worrying fact the report brings to light is that roughly half of the libraries that contain vulnerabilities take longer than 21 months to be updated, while approximately 25% are still not updated after four years.

When vulnerabilities in third-party libraries come to light, some developers act quickly, the report shows. Specifically, 17% of flaws are patched within one hour and 25% within a week. However, developers take up to three months to patch 50% of vulnerable libraries and one year to address 75% of them.

For libraries that are both direct and transitive dependencies, patching may take up to 2.5 times longer. The same applies to complex vulnerabilities, such as arbitrary code execution flaws, which may take twice as long to fix as typical issues. Remote code execution and denial of service bugs also take longer to address.
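Two of the report's findings above lend themselves to a concrete triage step: most library vulnerabilities are fixed by a single update that is usually only a minor or patch version bump, and libraries reached both directly and transitively are the slowest to get patched. The following is an added example, not Veracode's tooling or code from the report. It walks a constructed lockfile-style dependency graph to label each library as a direct dependency, a transitive one, or both, and classifies each pending fix by the semantic-version bump it requires, so the cheap, non-breaking updates can be applied first. The library names, versions and advisory ids are all constructed placeholders.

```python
"""Dependency update triage (added example; constructed data, not Veracode's tooling)."""
from __future__ import annotations

from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Version = Tuple[int, int, int]

# Constructed lockfile: resolved version and direct requirements of every library.
LOCK: Dict[str, Dict] = {
    "web-framework": {"version": "2.4.0", "requires": ["template-engine", "http-parser"]},
    "template-engine": {"version": "1.9.2", "requires": ["http-parser"]},
    "http-parser": {"version": "0.8.1", "requires": []},
    "yaml-loader": {"version": "3.1.0", "requires": []},
}
# Constructed top-level dependencies declared by the application itself.
DIRECT: List[str] = ["web-framework", "http-parser", "yaml-loader"]
# Constructed advisories: the first version in which each issue is fixed.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-0001", "library": "http-parser", "fixed_in": "0.8.4"},
    {"id": "EXAMPLE-0002", "library": "template-engine", "fixed_in": "1.10.0"},
    {"id": "EXAMPLE-0003", "library": "yaml-loader", "fixed_in": "4.0.0"},
    {"id": "EXAMPLE-0004", "library": "web-framework", "fixed_in": "2.3.5"},  # already fixed
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; missing trailing components default to 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def bump_kind(current: str, fixed: str) -> str:
    """Classify the jump from current to fixed as 'major', 'minor', 'patch' or 'none'."""
    cur, fix = parse_version(current), parse_version(fixed)
    if fix <= cur:
        return "none"
    if fix[0] != cur[0]:
        return "major"
    if fix[1] != cur[1]:
        return "minor"
    return "patch"


def reachability(direct: Iterable[str], lock: Dict[str, Dict]) -> Dict[str, Set[str]]:
    """Breadth-first walk from the direct dependencies; each reachable library is
    tagged with every way it is reached: {'direct'}, {'transitive'} or both."""
    direct = list(direct)
    reach: Dict[str, Set[str]] = {name: {"direct"} for name in direct}
    queue, seen = deque(direct), set()
    while queue:
        lib = queue.popleft()
        if lib in seen:
            continue
        seen.add(lib)
        for child in lock.get(lib, {}).get("requires", []):
            reach.setdefault(child, set()).add("transitive")
            queue.append(child)
    return reach


def plan_updates(direct: Iterable[str], lock: Dict[str, Dict],
                 advisories: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Pending fixes for this build, cheapest bump first (patch, then minor, then major)."""
    reach = reachability(direct, lock)
    plan: List[Dict[str, str]] = []
    for adv in advisories:
        name = adv["library"]
        if name not in reach or name not in lock:
            continue  # advisory does not apply to anything in this build
        current = lock[name]["version"]
        kind = bump_kind(current, adv["fixed_in"])
        if kind == "none":
            continue  # already at or beyond the fixed version
        plan.append({"id": adv["id"], "library": name, "current": current,
                     "fixed_in": adv["fixed_in"], "bump": kind,
                     "reach": "+".join(sorted(reach[name]))})
    order = {"patch": 0, "minor": 1, "major": 2}
    plan.sort(key=lambda p: (order[p["bump"]], p["library"]))
    return plan


def share_non_breaking(plan: List[Dict[str, str]]) -> float:
    """Fraction of pending fixes that need only a patch or minor bump."""
    if not plan:
        return 0.0
    return sum(p["bump"] in ("patch", "minor") for p in plan) / len(plan)


if __name__ == "__main__":
    pending = plan_updates(DIRECT, LOCK, ADVISORIES)
    for item in pending:
        print(f"{item['id']}: {item['library']} {item['current']} -> "
              f"{item['fixed_in']} ({item['bump']} bump, reached {item['reach']})")
    print(f"non-breaking share: {share_non_breaking(pending):.0%}")
```

A library tagged `transitive` only (the template engine in the constructed data) cannot be fixed by editing the application's own manifest; its parent has to be bumped or the package manager's override mechanism used, which is one reason the report sees such dependencies lag. The `direct+transitive` tag marks the case the report singles out as slowest, since both the application pin and the parent's constraint must agree before the fixed version actually resolves.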

Related: New Google Tool Helps Developers Visualize Dependencies of Open Source Projects

Related: Google Launches Database for Open Source Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
