Hidden Flaws in Open Source Code May Lead to a New Heartbleed

Application security testing provider Veracode found that, on an initial scan, seven out of ten applications contain a security vulnerability in an open source library. The company's new research shows how the use of open source can introduce weaknesses, increase risk and grow security debt. To compile its new State of Software Security (SOSS) report: Open Source Edition, Veracode analyzed the open source component libraries in its database of 85,000 applications, representing 351,000 unique external libraries. Almost all modern applications, including those sold commercially, are built from open source components, so a single flaw in a library propagates to every application that uses it. In a press release, Veracode Research Director Chris Eng explained how the use of open source libraries extends an application's attack surface: “Open source software has a surprising variety of shortcomings. An application's attack surface is not limited to its own code and code from explicitly included libraries, as these libraries have their own dependencies. In reality, developers introduce a lot more code, but by knowing and applying fixes properly, they can reduce risk exposure.”

Open source libraries

According to Veracode, commonly used libraries are present in more than 75% of applications for each programming language. The research also revealed that flawed libraries often enter the code indirectly: 47% of the flawed libraries found in applications are transitive dependencies, pulled in not by the developers themselves but by upstream libraries. Fortunately, the flaws these libraries introduce can in most applications be fixed with just a minor version update; a major library update is generally not required. Developers cannot, however, rely on Common Vulnerabilities and Exposures (CVEs) alone to learn about library flaws, because not all flaws have a CVE assigned. For example, more than 61% of flawed JavaScript libraries have no corresponding CVE.

The report also found that some programming language ecosystems attract far more transitive dependencies than others: in more than 80% of JavaScript, Ruby and PHP applications, most libraries are transitive dependencies. The choice of programming language also matters, both for the size of the ecosystem and for how prevalent flaws are within it. For example, including a given PHP library carries a more than 50% chance of introducing a security flaw. Among the OWASP Top Ten categories, access control weaknesses are the most common, accounting for more than 25% of all flaws. Cross-Site Scripting (XSS) is the most common vulnerability category in open source libraries (30%), followed by insecure deserialization (23.5%) and broken access control (20.3%).
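The two findings above, that many flawed libraries arrive as transitive dependencies and that most fixes are a patch or minor bump, are exactly what a dependency audit should surface. The following Python script is an added illustration, not code from the article or from Veracode's report. It walks a constructed, lockfile-shaped dependency graph (`LOCK`), separates direct from transitive dependencies, and checks each library against a constructed advisory list (`ADVISORIES`, placeholder versions only, no real CVE identifiers) to report how big an upgrade the fix needs. The advisory list stands in for whatever vulnerability feed a team uses, since, as the report notes, CVEs alone do not cover every library flaw.

```python
"""Added example (not from Veracode or the article): direct vs transitive
dependency audit with semver-based classification of the required fix.
All package names, versions and advisories below are constructed."""
from collections import deque

# Constructed flattened lockfile: name -> {"version": ..., "requires": [...]}
LOCK = {
    "webapp": {"version": "1.0.0", "requires": ["http-router", "template-engine"]},
    "http-router": {"version": "2.4.1", "requires": ["path-match"]},
    "template-engine": {"version": "3.1.0", "requires": ["html-escape", "path-match"]},
    "path-match": {"version": "1.2.0", "requires": []},
    "html-escape": {"version": "0.9.3", "requires": []},
}

# Constructed advisories: library -> first version that contains the fix.
# These are placeholders, not real CVE records.
ADVISORIES = {
    "http-router": "2.5.0",      # direct dependency, minor bump needed
    "template-engine": "3.0.5",  # already fixed in the installed version
    "path-match": "1.2.1",       # transitive, patch bump needed
    "html-escape": "1.0.0",      # transitive, no fix on the 0.x line
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into a tuple of ints.
    Assumes plain semver; pre-release tags are not handled in this example."""
    parts = text.lstrip("v").split(".")
    while len(parts) < 3:
        parts.append("0")
    return tuple(int(p) for p in parts[:3])


def update_kind(installed, fixed_in):
    """Smallest semver step that reaches fixed_in, or None if already fixed."""
    cur, fix = parse_version(installed), parse_version(fixed_in)
    if cur >= fix:
        return None
    if cur[0] != fix[0]:
        return "major"
    if cur[1] != fix[1]:
        return "minor"
    return "patch"


def dependency_depths(lock, root):
    """Breadth-first walk from root; returns name -> (depth, introducing parent).
    Depth 1 means declared directly by root, depth > 1 means transitive.
    The first path found wins, so 'parent' is the shortest route in."""
    seen = {}
    queue = deque([(root, 0, None)])
    while queue:
        name, depth, parent = queue.popleft()
        if name in seen:
            continue
        seen[name] = (depth, parent)
        for child in lock.get(name, {}).get("requires", []):
            queue.append((child, depth + 1, name))
    seen.pop(root, None)
    return seen


def audit(lock, advisories, root):
    """Return one finding per library still below its fixed-in version."""
    findings = []
    for name, (depth, parent) in dependency_depths(lock, root).items():
        if name not in advisories:
            continue
        installed = lock[name]["version"]
        kind = update_kind(installed, advisories[name])
        if kind is None:
            continue
        findings.append({
            "library": name, "installed": installed, "fixed_in": advisories[name],
            "transitive": depth > 1, "via": parent, "update_kind": kind,
        })
    return findings


def transitive_share(findings):
    """Fraction of findings that entered through an upstream library."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["transitive"]) / len(findings)


if __name__ == "__main__":
    results = audit(LOCK, ADVISORIES, "webapp")
    for f in results:
        origin = f"transitive via {f['via']}" if f["transitive"] else "direct"
        print(f"{f['library']} {f['installed']} -> {f['fixed_in']} "
              f"({f['update_kind']} update, {origin})")
    print(f"transitive share: {transitive_share(results):.0%}")
```

On the constructed data the script reports three findings: a direct dependency that needs a minor bump, a transitive one reachable with a patch release, and a transitive one whose fix only exists across a major version, which is the case where the "just update" advice stops being cheap. The `via` field matters in practice: a transitive flaw cannot be fixed by editing your own manifest, it has to be resolved by upgrading or overriding the upstream library that pulls it in.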