Most Developers Never Update Third-Party Libraries in Their Software: Report

Most developers never update third-party libraries after including them in their software, a new report from application security company Veracode reveals.

Compiled in partnership with the Cyentia Institute, Veracode’s latest State of Software Security report focuses on open source software and the manner in which developers approach the security of third-party libraries they use.

An analysis of more than 86,000 repositories containing over 300,000 unique libraries and discussions with more than 1,700 developers revealed that, although the open source landscape is constantly changing and libraries are continuously evolving, 79% of libraries are never updated after being included in software.

While some developers act quickly when they learn of vulnerabilities in the libraries they use, with 25% of bugs addressed within a week, half of the security holes are still unpatched seven months after a fix has been released. The report attributes the delay to developers lacking the information they need to act immediately.

“When developers understand the implications of vulnerabilities and appropriately prioritize security, they can fix most flaws easily,” Veracode notes. In fact, half of vulnerabilities are addressed within three weeks when developers have the information they need.

[Also read: Library Dependencies and the Open Source Supply Chain Nightmare]

The report also discovered that the majority of vulnerabilities in third-party libraries (92%) can be patched with a single update and that 69% of the updates represent minor version changes, unlikely to break application functionality.

More than half of the surveyed developers (52.5%) have a formal process in place for evaluating libraries, 28.4% said they were unsure (either no formal process exists, or one exists but they are unaware of it or do not follow it), and 19.1% admitted having no such process at all. Overall, more than 80% of the developers said they consider security when choosing a library.

“Developing, sharing, and following a unified policy can be difficult among large and disparate teams, likely leading to the uncertainty,” Veracode notes.

Repeated scanning of tens of thousands of repositories revealed that 65% of the libraries present in the first scan are never updated. A further 14% of libraries are added after the first scan and never updated, for a total of 79% of libraries being added and then forgotten.

When the analysis is restricted to repositories with relatively long lifespans and many scans, the results don’t differ by much: 73% of libraries are never updated. The report also shows that Ruby libraries are neglected the most (in 67.1% of cases), while PHP is being maintained the most (only 37.7% of PHP libraries are added and then neglected).

Another worrying finding is that roughly half of the libraries that contain vulnerabilities go more than 21 months before being updated, and approximately 25% are still not updated after four years.

When vulnerabilities in third-party libraries come to light, some developers act quickly, the report shows. Specifically, 17% of flaws are patched within one hour and 25% within a week. However, developers take up to three months to patch 50% of vulnerable libraries and one year to address 75% of them.

Patching may take up to 2.5 times longer for libraries that are present both as direct and as transitive dependencies. The same applies to complex vulnerabilities: arbitrary code execution flaws, for example, may take twice as long to fix as typical issues, and remote code execution and denial of service bugs also take longer to address.
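Two of the report's points above, that most library fixes are a single minor or patch release and that transitive dependencies are slower to fix, are the inputs a team needs to triage its own backlog of vulnerable libraries. The following script is an added example, not code from Veracode or from the report: it walks a small dependency graph, classifies each fix as a patch, minor or major bump under semantic versioning (flagging pre-1.0 minor bumps, which semver does not promise are compatible), records how deep each vulnerable package sits and which direct dependency pulls it in, and ranks the cheap direct fixes ahead of the breaking transitive ones. All package names, versions and advisories are constructed for illustration.

```python
"""Triage vulnerable third-party libraries by the size of the fix and how deep
they sit in the dependency graph.  Added example; all package names, versions
and advisories below are constructed for illustration."""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
# "app" is the application itself; its children are the direct dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-parser"],
    "web-framework": ["http-client", "template-engine"],
    "http-client": ["tls-lib"],
    "json-parser": [],
    "template-engine": [],
    "tls-lib": [],
}

# Constructed installed versions (as one would read them from a lockfile).
INSTALLED = {
    "web-framework": "2.4.1",
    "json-parser": "1.0.3",
    "http-client": "0.9.2",
    "template-engine": "3.1.0",
    "tls-lib": "1.2.8",
}

# Constructed advisories: vulnerable package -> first fixed version.
ADVISORIES = {
    "json-parser": "1.0.4",   # patch release
    "http-client": "0.10.0",  # minor release, but the package is still 0.x
    "tls-lib": "2.0.0",       # major release
    "legacy-xml": "4.2.0",    # not installed here, so not applicable
}


def parse_version(v):
    """Turn 'v1.2.3-rc1' into (1, 2, 3); missing components default to 0."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def update_kind(installed, fixed):
    """Classify the jump from installed to fixed as none/patch/minor/major."""
    a, b = parse_version(installed), parse_version(fixed)
    if b <= a:
        return "none"
    if b[0] != a[0]:
        return "major"
    if b[1] != a[1]:
        return "minor"
    return "patch"


def may_break(installed, fixed):
    """Under semver a major bump may break callers; so may a minor bump while
    the package is still at 0.x, where the API is not yet considered stable."""
    kind = update_kind(installed, fixed)
    return kind == "major" or (kind == "minor" and parse_version(installed)[0] == 0)


def walk_dependencies(graph, root="app"):
    """Breadth-first walk from the root; returns (depth, parent) per package.
    Depth 1 is a direct dependency, anything deeper is transitive."""
    depth, parent = {root: 0}, {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                parent[child] = node
                queue.append(child)
    return depth, parent


def path_to(parent, pkg):
    """Chain of packages from the root down to pkg: the direct dependency at
    the top of the chain is what must accept the fix before it can land."""
    path = []
    while pkg is not None:
        path.append(pkg)
        pkg = parent.get(pkg)
    return list(reversed(path))


def triage(graph, installed, advisories, root="app"):
    """Rank applicable advisories: cheap, direct fixes first; breaking,
    deeply transitive fixes last."""
    depth, parent = walk_dependencies(graph, root)
    rows = []
    for pkg, fixed in advisories.items():
        if pkg not in installed or pkg not in depth:
            continue  # advisory does not apply to this dependency tree
        rows.append({
            "package": pkg,
            "installed": installed[pkg],
            "fixed_in": fixed,
            "update": update_kind(installed[pkg], fixed),
            "may_break": may_break(installed[pkg], fixed),
            "depth": depth[pkg],
            "via": " -> ".join(path_to(parent, pkg)),
        })
    rank = {"patch": 0, "minor": 1, "major": 2, "none": 3}
    rows.sort(key=lambda r: (rank[r["update"]], r["may_break"], r["depth"]))
    return rows


if __name__ == "__main__":
    for row in triage(DEPENDENCY_GRAPH, INSTALLED, ADVISORIES):
        print(row)
```

The "via" chain is the practical reason transitive fixes lag: in the constructed graph, tls-lib cannot move to 2.0.0 until http-client and then web-framework publish releases that accept it (or the build overrides the resolution), whereas json-parser is a one-line bump the application owns directly. Running the triage against a real lockfile and advisory feed, rather than the constructed data here, is the piece left to the reader.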

Related: New Google Tool Helps Developers Visualize Dependencies of Open Source Projects

Related: Google Launches Database for Open Source Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
