
Library Dependencies and the Open Source Supply Chain Nightmare
2021-04-08 15:06

DOWNSTREAM ISSUES

The result is that under-resourced teams need to manage vulnerabilities, relevant or not, within hundreds of libraries, possibly across many different apps, and always with the possibility that a library update may itself cause further downstream issues.

"Failure to keep libraries updated over time not only increases risk to an organization but also makes library updates much more difficult and time-consuming when they are finally done. When a library stays dormant in an application for multiple years, any new vulnerability is difficult to fix because so much code has been built over it."

"It's a devil's bargain," Contrast's co-founder and CTO Jeff Williams told SecurityWeek, "Because the farther you get behind, the harder it is to get back up to date. So, you accrue technical debt if you don't keep your libraries patched. But commercial companies are focused on rolling out new features and they don't want to do those library updates if they don't absolutely have to."

"All of the apps we now love and depend on - online banking, shopping, healthcare, defense, government and so on - use these libraries. If a library contains a vulnerability and is used by the app, that vulnerability becomes part of the app and can be attacked."

A library can expose the apps that use it in two ways. The first is via a discovered vulnerability, as in the Equifax breach; the second is by introducing a vulnerability into the library source.

A vulnerability introduced into such a library, or merely discovered within it, is inherited by every app that uses the library, leaving every company that ships the finished product vulnerable.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/zhkWu5KOBMo/library-dependencies-and-open-source-supply-chain-nightmare