
Most Developers Never Update Third-Party Libraries in Their Software: Report
2021-06-22 13:30

Most developers never update third-party libraries after including them in their software, a new report from application security company Veracode reveals.

Compiled in partnership with the Cyentia Institute, Veracode's latest State of Software Security report focuses on open source software and the manner in which developers approach the security of third-party libraries they use.

An analysis of more than 86,000 repositories containing over 300,000 unique libraries and discussions with more than 1,700 developers revealed that, although the open source landscape is constantly changing and libraries are continuously evolving, 79% of libraries are never updated after being included in software.

The report also found that the majority of vulnerabilities in third-party libraries can be patched with a single update, and that 69% of those updates are minor version changes that are unlikely to break application functionality.

Libraries added after the first scan and then never updated account for another 14%, bringing the total share of libraries that are added and subsequently forgotten to 79%.

When vulnerabilities in third-party libraries come to light, some developers act quickly, the report shows.
