Most developers never update third-party libraries after including them in their software, a new report from application security company Veracode reveals.
Compiled in partnership with the Cyentia Institute, Veracode’s latest State of Software Security report focuses on open source software and the manner in which developers approach the security of third-party libraries they use.
An analysis of more than 86,000 repositories containing over 300,000 unique libraries and discussions with more than 1,700 developers revealed that, although the open source landscape is constantly changing and libraries are continuously evolving, 79% of libraries are never updated after being included in software.
While some developers act quickly when learning of vulnerabilities in the libraries they use — with 25% of bugs addressed within a week — half of the security holes aren’t patched within seven months after fixes are released. This is because developers lack important information they need to take immediate action.
“When developers understand the implications of vulnerabilities and appropriately prioritize security, they can fix most flaws easily,” Veracode notes. In fact, half of vulnerabilities are addressed within three weeks when developers have the information they need.
The report also discovered that the majority of vulnerabilities in third-party libraries (92%) can be patched with a single update and that 69% of the updates represent minor version changes, unlikely to break application functionality.
More than half of the surveyed developers (52.5%) have a formal process in place for evaluating libraries, 28.4% said they were unsure (meaning they either have no formal process or are unaware of one and so effectively ignore it), and 19.1% admitted to having no such process. Overall, more than 80% of the developers said they consider security when choosing whether to use a library.
“Developing, sharing, and following a unified policy can be difficult among large and disparate teams, likely leading to the uncertainty,” Veracode notes.
Recurrent scanning of tens of thousands of repositories has revealed that 65.0% of the libraries that appear in the first scan are never updated. Furthermore, 14% of the libraries are added after the first scan and never updated, for a total of 79% of libraries being added and forgotten.
When the analysis is restricted to repositories with relatively long lifespans and many scans, the results don’t differ by much: 73% of libraries are never updated. The report also shows that Ruby libraries are the most neglected (67.1% of them are added and then never updated), while PHP libraries are the best maintained (only 37.7% are added and then neglected).
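The "added and forgotten" figure above is computed from successive scans of a repository's dependency manifest: a library either appears in the first scan and its version never changes, appears in a later scan and never changes, or is updated at least once. The following Python is an added example (not Veracode's tooling or data) that reproduces that classification over a constructed set of scans, and also labels each observed version change as a major, minor or patch bump under a simple semver assumption, which is the distinction the report draws when it says most fixes are minor version changes. Library names are real package names used only as labels; the version histories are constructed for illustration.

```python
"""Classify how third-party libraries evolve across successive dependency scans,
in the spirit of the methodology summarised above.  Added example; the scan
data is constructed, not taken from any real repository."""

from collections import Counter

# Constructed sample: per repository, an ordered list of scans; each scan maps
# library name -> version string as it appeared in the manifest at that time.
SCANS = {
    "repo-a": [
        {"left-pad": "1.1.3", "lodash": "4.17.11", "express": "4.16.0"},
        {"left-pad": "1.1.3", "lodash": "4.17.15", "express": "4.16.0", "debug": "2.6.9"},
        {"left-pad": "1.1.3", "lodash": "4.17.21", "express": "4.16.0", "debug": "2.6.9"},
    ],
    "repo-b": [
        {"rails": "5.2.3", "nokogiri": "1.10.3"},
        {"rails": "5.2.3", "nokogiri": "1.10.8", "puma": "3.12.0"},
        {"rails": "6.0.0", "nokogiri": "1.10.8", "puma": "3.12.0"},
    ],
}

CATEGORIES = ("updated", "first_scan_never_updated", "added_later_never_updated")


def classify_repo(scans):
    """Return {library: category} for one repository's ordered scans.

    A library is 'updated' if more than one distinct version was ever seen;
    otherwise it is split by whether it was already present in scan 0."""
    first_seen = {}  # library -> index of the scan in which it first appeared
    history = {}     # library -> versions observed, in scan order
    for idx, scan in enumerate(scans):
        for lib, ver in scan.items():
            first_seen.setdefault(lib, idx)
            history.setdefault(lib, []).append(ver)
    result = {}
    for lib, versions in history.items():
        if len(set(versions)) > 1:
            result[lib] = "updated"
        elif first_seen[lib] == 0:
            result[lib] = "first_scan_never_updated"
        else:
            result[lib] = "added_later_never_updated"
    return result


def neglect_stats(all_scans):
    """Aggregate categories over all repositories and return (counts, shares).

    shares['added_and_forgotten'] is the sum of the two never-updated buckets,
    mirroring how the headline figure above is built from its two components."""
    counts = Counter()
    for scans in all_scans.values():
        counts.update(classify_repo(scans).values())
    total = sum(counts.values())
    shares = {cat: counts[cat] / total for cat in CATEGORIES}
    shares["added_and_forgotten"] = (
        shares["first_scan_never_updated"] + shares["added_later_never_updated"]
    )
    return counts, shares


def bump_kind(old, new):
    """Label a version change by the first differing component.

    Assumes plain dotted numeric versions (major.minor.patch); pre-release
    tags and build metadata are out of scope for this example."""
    old_parts = [int(x) for x in old.split(".")]
    new_parts = [int(x) for x in new.split(".")]
    for name, a, b in zip(("major", "minor", "patch"), old_parts, new_parts):
        if a != b:
            return name
    return "none"


def update_kinds(scans):
    """For every library that changed version, list the kind of each
    consecutive change, e.g. {'lodash': ['patch', 'patch']}."""
    history = {}
    for scan in scans:
        for lib, ver in scan.items():
            seen = history.setdefault(lib, [])
            if not seen or seen[-1] != ver:   # record only actual changes
                seen.append(ver)
    return {
        lib: [bump_kind(a, b) for a, b in zip(vs, vs[1:])]
        for lib, vs in history.items()
        if len(vs) > 1
    }


if __name__ == "__main__":
    counts, shares = neglect_stats(SCANS)
    print("counts:", dict(counts))
    print("added and forgotten: %.1f%%" % (100 * shares["added_and_forgotten"]))
    for repo, scans in SCANS.items():
        print(repo, "version bumps:", update_kinds(scans))
```

Run against a real history (for example, one manifest snapshot per tagged release) the same two functions give a per-repository view of the metric the report quotes; `update_kinds` is the piece to look at when deciding whether the outstanding fixes are the low-risk minor bumps the report says they usually are.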
Another worrying finding is that roughly half of the libraries that contain vulnerabilities take longer than 21 months to be updated, and approximately 25% aren’t updated even after four years.
When vulnerabilities in third-party libraries come to light, some developers act quickly, the report shows. Specifically, 17% of flaws are patched within one hour and 25% within a week. However, developers take up to three months to patch 50% of vulnerable libraries and one year to address 75% of them.
For libraries that are both direct and transitive dependencies, patching may take up to 2.5 times longer. The same applies to complex vulnerabilities, such as arbitrary code execution flaws, which may take twice as long to fix as typical issues. Remote code execution and denial-of-service bugs also take longer to address.