How many vulnerabilities lurk inside the bazillions of open source libraries that today’s developers happily borrow to build their applications?
Predictably, the answer is a lot, at least according to application security company Veracode which decided to scan 85,000 applications to see how many flaws it could turn up in the 351,000 libraries used by them.
All told, around seven in ten applications had a security vulnerability traceable to one or more of those libraries, which might come as a shock to the developers who thought they were getting something for free.
But as the company’s State of Software Security (SOSS): Open Source Edition aptly puts it:
That free puppy that you adopt still needs to be fed, walked, and taken to the vet.
When it came to flaws in the libraries themselves, the greatest density was found in PHP and Swift, the latter a specialised language used in Apple development. Again, despite the size of .NET, it had the lowest percentage of flaws of any library.
That means developers can’t just add up CVEs to get some idea of which libraries and languages represent the biggest risk.
So how might developers counter flaws in libraries?
The good news is that three quarters can be fixed with a minor “non-breaking” update that can be implemented to the library without causing wider disruption to the application – this held true even for almost all the most concerning one percent of flaws that might be being actively exploited.
Veracode chief research officer Chris Eng commented:
Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies.
But as long as developers realise this and apply fixes, they can reduce the risk.
There’s also the issue of how many people are out there looking for flaws on everyone else’s behalf. Right now, that’s become a popular pastime, with at least one recent report finding that the number of flaws in open source software reached a record 6,000 in 2019.
Open source libraries have become a ubiquitous part of software development. Flushed by the success of this, the next battle is to make sure that doesn’t create problems for the near future.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.