Open source libraries a big source of application security flaws

How many vulnerabilities lurk inside the bazillions of open source libraries that today’s developers happily borrow to build their applications?

Predictably, the answer is a lot, at least according to application security company Veracode which decided to scan 85,000 applications to see how many flaws it could turn up in the 351,000 libraries used by them.

All told, around seven in ten applications had a security vulnerability traceable to one or more of those libraries, which might come as a shock to the developers who thought they were getting something for free.

But as the company’s State of Software Security (SOSS): Open Source Edition aptly puts it:

That free puppy that you adopt still needs to be fed, walked, and taken to the vet.

However, how much ‘walking’ application users will end up doing varies considerably depending on the language used to create it, with JavaScript software using the most open source libraries – over 1,000 in some cases.

At the other end of the scale was Python, using a hundredth the number of libraries as JavaScript applications, with .NET, Java, and Ruby somewhere in between.

When it came to flaws in the libraries themselves, the greatest density was found in PHP and Swift, the latter a specialised language used in Apple development. Again, despite the size of .NET, it had the lowest percentage of flaws of any library.

Nearly 30% of flaws were Cross-Site Scripting (XSS), with PHP (27.1%), Java (15.7%), and .NET (14.2%) manifesting the highest number of public proof-of-concept exploits. The equivalent figure for JavaScript was only 6.5%.

Importantly, many flaws are never assigned a Common Vulnerabilities and Exposures (CVE) ID, with six out of ten JavaScript vulnerabilities falling into this category.

That means developers can’t just add up CVEs to get some idea of which libraries and languages represent the biggest risk.

Nevertheless, this analysis suggests that if a generalisation can be made it’s that Java, JavaScript and Python are the library languages that cause flaw counts in applications to rise.

So how might developers counter flaws in libraries?

The good news is that three quarters can be fixed with a minor “non-breaking” update that can be implemented to the library without causing wider disruption to the application – this held true even for almost all the most concerning one percent of flaws that might be being actively exploited.

Veracode chief research officer Chris Eng commented:

Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies.

But as long as developers realise this and apply fixes, they can reduce the risk.

There’s also the issue of how many people are out there looking for flaws on everyone else’s behalf. Right now, that’s become a popular pastime, with at least one recent report finding that the number of flaws in open source software reached a record 6,000 in 2019.

Open source libraries have become a ubiquitous part of software development. Flushed by the success of this, the next battle is to make sure that doesn’t create problems for the near future.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.