Research reveals where 95% of open source vulnerabilities lie

2022-12-09 05:30

New research from Endor Labs offers a view into the rampant but often unmonitored use of existing open-source software in application development and the dangers arising from this common practice.

As just one example, the research reveals that 95% of all vulnerabilities are found in transitive dependencies - open-source code packages that developers do not select, but are indirectly pulled into projects.

"In this environment, open source software is the backbone of our critical infrastructure - but even veteran developers and executives are often surprised to learn 80% of the code in modern applications comes from existing OSS," said Varun Badhwar, CEO of Endor Labs.

The vast majority of all vulnerabilities, 95%, are indeed found in transitive dependencies, making it very difficult for developers to assess the true impact of these issues or whether they're even reachable.

New does not mean secure - When upgrading to the latest version of a package, there's still a 32% chance it will have known vulnerabilities.

Reachability is the most important criteria when prioritizing; doing it based on security metrics alone or ignoring vulnerabilities in test dependencies only reduces the likelihood of a vulnerability by 20%..

News URL

https://www.helpnetsecurity.com/2022/12/09/vulnerabilities-open-source/

#opensource #research #vulnerabilities

News URL

Related news