
'Set it and forget it' attitude to open-source software has become a major security problem, says Veracode
2021-06-22 21:30

There's a minefield of security problems bubbling under the surface of modern software, Veracode has claimed in its latest report, thanks to developers pulling third-party open-source libraries into their code bases - then never bothering to update them again.

"The vast majority of today's applications use open source code. The security of a library can change quickly, so keeping a current inventory of what's in your application is crucial," Chris Eng, Veracode's chief research officer, said.

In its latest report, "State of Software Security v11: Open Source Edition", application testing specialist Veracode revealed that a claimed 80 per cent of included third-party libraries are never updated - and that almost all of the code repositories analysed included libraries with at least one vulnerability.

Elsewhere in the report Veracode claimed that a whopping 92 per cent of the flaws discovered in third-party libraries could be fixed by simply updating to the latest version, with two-thirds of fixes being "Minor and non-disruptive to the functionality of even the most complex software applications."

OpenUK chief executive Amanda Brock said of the report: "We are pleased to see this detailed focus emerging, as the open-source software communities working on legal and governance have evolved over the last decade to produce a number of important tools including the Open Chain, ISO approved, standard for supply chain and the SPDX Software Bill of Material standard, currently seeking ISO approval.

"In many ways I suspect the open-source code is likely better positioned to managing security risks than our friends in the proprietary world. This is not an open-source issue, but a consequence of digitalisation and a general software issue. It will be solved through open collaboration to find the best resolutions."


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/22/third_party_libraries_veracode/