Most third-party libraries are never updated after being included in a codebase
2021-06-24 05:00

79 percent of the time, third-party libraries are never updated by developers after being included in a codebase, even though more than two thirds of the available fixes are minor and non-disruptive to the functionality of even the most complex software applications, Veracode research reveals.

Open source libraries constantly evolve, so what appears secure today may no longer be so tomorrow, potentially creating a significant security risk for software vendors and users.

Since nearly all modern applications are built using third-party open source software, a single flaw or change in one library can cascade into every application using that code, so these constant changes have a direct impact on software security.

Despite the dynamic nature of the software landscape, developers are often not updating open source libraries after including them in software applications.

Moving forward, under the Executive Order, software vendors selling to the U.S. Federal Government will be required to disclose the composition of their software and to ensure that their applications have gone through automated testing.

Chris Wysopal, CTO at Veracode, said, "As the Executive Order continues to take shape, anyone developing software should ensure they are scanning their software early and often in the development lifecycle. The growing popularity of open source software, combined with increasingly demanding development cycles, results in a higher propensity to software vulnerabilities. Scanning earlier in the process significantly reduces the risk profile, and most fixes are minor so will not impact the functionality of even the most complex software."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/_HRvYAUYBzo/