
Most Developers Never Update Third-Party Libraries in Their Software: Report

Most developers never update third-party libraries after including them in their software, a new report from application security company Veracode reveals.

Compiled in partnership with the Cyentia Institute, Veracode’s latest State of Software Security report focuses on open source software and the manner in which developers approach the security of third-party libraries they use.

An analysis of more than 86,000 repositories containing over 300,000 unique libraries and discussions with more than 1,700 developers revealed that, although the open source landscape is constantly changing and libraries are continuously evolving, 79% of libraries are never updated after being included in software.

While some developers act quickly when learning of vulnerabilities in the libraries they use, with 25% of bugs addressed within a week, half of the security holes remain unpatched seven months after fixes are released. The report attributes this to developers lacking the information they need to act immediately.

“When developers understand the implications of vulnerabilities and appropriately prioritize security, they can fix most flaws easily,” Veracode notes. In fact, half of vulnerabilities are addressed within three weeks when developers have the information they need.

The report also discovered that the majority of vulnerabilities in third-party libraries (92%) can be patched with a single update and that 69% of the updates represent minor version changes, unlikely to break application functionality.

More than half of the surveyed developers (52.5%) have a formal process in place for evaluating libraries, 28.4% said they were unsure (they either have no formal process, or have one but are unaware of it or ignore it), and 19.1% admitted having no such process at all. Overall, more than 80% of the developers said they consider security when choosing whether to use a library.

“Developing, sharing, and following a unified policy can be difficult among large and disparate teams, likely leading to the uncertainty,” Veracode notes.

Repeated scanning of tens of thousands of repositories revealed that 65.0% of the libraries present in the first scan are never updated. A further 14% of libraries are added after the first scan and then never updated, for a total of 79% of libraries being added and forgotten.

When the analysis is restricted to repositories with relatively long lifespans and many scans, the results don’t differ by much: 73% of libraries are never updated. The report also shows that Ruby libraries are neglected the most (in 67.1% of cases), while PHP is being maintained the most (only 37.7% of PHP libraries are added and then neglected).

Another worrying finding is that roughly half of the libraries containing vulnerabilities go more than 21 months without being updated, while approximately 25% are not updated even after four years.

When vulnerabilities in third-party libraries come to light, some developers act quickly, the report shows. Specifically, 17% of flaws are patched within one hour and 25% within a week. However, developers take up to three months to patch 50% of vulnerable libraries and one year to address 75% of them.

For libraries that are both direct and transitive dependencies, patching may take up to 2.5 times longer. The same applies to complex vulnerabilities, such as arbitrary code execution flaws, which may take twice as long to fix as typical issues. Remote code execution and denial of service bugs also take longer to address.
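Two of the report's findings above translate directly into a triage rule for a patching backlog: most fixes are a single, usually minor, version bump (low risk of breaking the application), and a library pulled in both directly and transitively is the one most likely to linger. The script below is an added illustration, not code from the report or from Veracode; it applies that rule to a constructed dependency graph, installed versions and advisory data, all of which use hypothetical library names.

```python
# Constructed dependency graph (hypothetical library names): the application
# and what each library in turn requires.
DEPENDENCIES = {
    "app": ["web-framework", "json-parser", "logger"],
    "web-framework": ["json-parser", "http-core"],
    "json-parser": [],
    "logger": ["string-utils"],
    "http-core": ["string-utils"],
    "string-utils": [],
}
# Constructed installed versions and advisory data (first version with the fix).
INSTALLED = {"web-framework": "2.3.1", "json-parser": "1.4.0", "logger": "0.9.2",
             "http-core": "3.0.0", "string-utils": "1.1.5"}
FIXED_IN = {"json-parser": "1.5.0", "string-utils": "1.1.6", "http-core": "4.0.0"}

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def bump_type(installed, fixed):
    """Classify the update as a major, minor or patch bump (semver semantics)."""
    cur, fix = parse_version(installed), parse_version(fixed)
    if fix <= cur:
        return "none"  # already on a fixed version
    if fix[0] != cur[0]:
        return "major"  # most likely to need code changes
    return "minor" if fix[1] != cur[1] else "patch"

def reaches(graph, start, target):
    """True if target is required, directly or indirectly, by start."""
    seen, stack = set(), list(graph.get(start, []))
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return False

def dependency_kind(graph, lib, root="app"):
    """'direct', 'transitive' or 'both' (required by root and by another library)."""
    direct = lib in graph[root]
    transitive = any(reaches(graph, d, lib) for d in graph[root] if d != lib)
    return "both" if direct and transitive else "direct" if direct else "transitive"

def triage(graph, installed, fixed_in, root="app"):
    """Per vulnerable library: how it is pulled in and how big the fixing bump is."""
    return {lib: (dependency_kind(graph, lib, root), bump_type(installed[lib], fix))
            for lib, fix in fixed_in.items()}
```

Running `triage(DEPENDENCIES, INSTALLED, FIXED_IN)` marks `json-parser` as a `both` dependency fixable by a minor bump, the kind of quick, low-risk win the report says developers often delay.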

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
