96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws

Most modern codebases are dependent on open source libraries. In fact, a recent research report sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) found that more than 96 percent of organizations use open source libraries in their codebase. But – shockingly – less than half of these organizations have invested in specific security controls to scan for open source vulnerabilities.

[Figure: Percentage of codebase pulled from open source]

Why is it important to scan open source libraries?

For our State of Software Security: Open Source Edition report, we analyzed the security of open source libraries in 85,000 applications and found that 71 percent have a flaw. The most common open source flaws identified include Cross-Site Scripting, insecure deserialization, and broken access control. When open source libraries are not scanned, these flaws stay in the codebase and leave the application vulnerable to a cyberattack.

Equifax made headlines by not scanning its open source libraries. In 2017, Equifax suffered a massive data breach through Apache Struts, which compromised the data – including social security numbers – of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. The unfortunate reality is that if Equifax had performed AppSec scans on its open source libraries and patched the vulnerability, the breach could have been avoided.

Why aren’t more organizations scanning open source libraries?

If 96 percent of organizations use open source libraries and 71 percent of applications have a third-party vulnerability, why is it that less than 50 percent of organizations scan their open source libraries? The main reason is that when application developers add third-party libraries to their codebase, they expect that library developers have scanned the code for vulnerabilities. Unfortunately, you can’t rely on library developers to keep your application safe. Approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that’s pulled indirectly from another library in use.

[Figure: Transitive and direct open source vulnerabilities]

What are your options for managing library security flaws?

First off, it’s important to note that most flaws in open source libraries are easy to fix. Close to 74 percent of the flaws can be fixed with an update like a revision or patch. Even high priority flaws are easy to fix – close to 91 percent can be fixed with an update.

[Figure: Patching open source flaws]

So, when it comes to managing your library security flaws, the focus should not just be, “How am I going to fix the flaws?” but also “How am I going to find the flaws?” That’s where tools like Veracode Software Composition Analysis (SCA) come in handy. Veracode SCA scans open source dependencies for known vulnerabilities and makes recommendations on version updating.

Veracode SCA is fast and easy to use. You can integrate it into your pipeline through a simple command-line scan agent that delivers results in seconds. Or, you can use the same agent directly in your IDE to get feedback even earlier.

By using a tool like SCA, you can uncover not only flaws introduced directly by the application developer, but also transitive flaws introduced indirectly by other libraries several layers deep. In addition, Veracode SCA can find more vulnerabilities than the National Vulnerability Database (NVD). How? Because not every developer reports flaws to the NVD. So Veracode is able to use data mining, natural language processing, and machine learning to significantly grow its SCA database and find new or unreported flaws.
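The direct-versus-transitive distinction described above, shown as an added example (not code from the original post or from Veracode SCA). The package names, dependency graph and flawed-library set are constructed for illustration; the code resolves the full graph, reports the chain that pulls in each flawed library, and compares that with a check limited to the manifest.

```python
from collections import deque

# Constructed sample data: hypothetical package names, not real advisories.
MANIFEST = ["web-framework", "json-utils", "logging-lib"]  # declared by the app
DEPENDS_ON = {
    "web-framework": ["template-engine", "http-core"],
    "template-engine": ["expr-parser"],
    "expr-parser": ["template-engine"],  # cycle, as real graphs sometimes have
    "http-core": [],
    "json-utils": [],
    "logging-lib": [],
}
# Libraries with a known flaw; "unused-lib" is never pulled in by this app.
KNOWN_FLAWED = {"json-utils", "expr-parser", "unused-lib"}


def shortest_paths(manifest, graph):
    """Breadth-first walk from the app: library -> shortest chain pulling it in."""
    paths, queue = {}, deque()
    for lib in manifest:
        if lib not in paths:
            paths[lib] = [lib]
            queue.append(lib)
    while queue:
        lib = queue.popleft()
        for child in graph.get(lib, []):
            if child not in paths:  # visited check also terminates cycles
                paths[child] = paths[lib] + [child]
                queue.append(child)
    return paths


def classify_flaws(manifest, graph, flawed):
    """Split reachable flawed libraries into direct and transitive findings."""
    paths = shortest_paths(manifest, graph)
    reachable = sorted(lib for lib in flawed if lib in paths)
    direct = [lib for lib in reachable if len(paths[lib]) == 1]
    transitive = {lib: paths[lib] for lib in reachable if len(paths[lib]) > 1}
    return direct, transitive


def manifest_only_view(manifest, flawed):
    """What a check that looks only at declared dependencies would report."""
    return sorted(set(manifest) & flawed)


if __name__ == "__main__":
    direct, transitive = classify_flaws(MANIFEST, DEPENDS_ON, KNOWN_FLAWED)
    print("manifest-only check:", manifest_only_view(MANIFEST, KNOWN_FLAWED))
    print("direct flaws:", direct)
    for lib, chain in transitive.items():
        print("transitive flaw:", lib, "via", " -> ".join(chain))
```

The first element of each chain is the declared dependency whose update (or replacement) would remove the transitive flaw from the build.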

To learn more about application scanning statistics and trends, download the ESG report, Modern Application Development Security.

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.