BURLINGTON, Mass., May 19, 2020 (GLOBE NEWSWIRE) -- Veracode, the largest independent global provider of application security testing (AST) solutions, today released new research that finds seven in 10 applications have a security flaw in an open source library on initial scan, highlighting how use of open source can introduce flaws, increase risk, and add to security debt.

The Veracode State of Software Security (SOSS): Open Source Edition analyzed the component open source libraries across the Veracode platform database of 85,000 applications, accounting for 351,000 unique external libraries. Nearly all modern applications, including those sold commercially, are built using some open source components. A single flaw in one library can cascade to all applications that leverage that code. According to Chris Eng, Chief Research Officer at Veracode, “Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies. In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure.”

Key findings include:

Open source libraries are ubiquitous and pose risks — but fixes are available

The most commonly included libraries are present in over 75% of applications for each language.
Most flawed libraries end up in code indirectly: 47% of those flawed libraries in applications are transitive – in other words, not pulled in directly by developers, but are being pulled in by upstream libraries. Library-introduced flaws in most applications can be fixed with only a minor version update; major library upgrades are not usually required.
Not all libraries have Common Vulnerabilities and Exposures (CVEs) - this means developers can’t rely only on CVEs to understand library flaws. For example, more than 61% of flawed libraries in JavaScript contain vulnerabilities without corresponding CVEs.

Language makes a difference

Click here to download Veracode’s State of Software Security: Open Source Edition and click here to learn more about Veracode Software Composition Analysis.

About Veracode

Veracode is the leading independent AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities.

Veracode serves more than 2,500 customers worldwide across a wide range of industries. The Veracode solution has assessed more than 15 trillion lines of code and helped companies fix more than 51 million security flaws.

Learn more at www.veracode.com, on the Veracode blog, and on Twitter.

Veracode:
Pete Daly, Veracode
339-234-0178
pdaly@veracode.com
Related Links
thomabravo.com
veracode.com

New Research Reveals That 70% of Applications Have Open Source Security Flaws

Veracode’s State of Software Security: Open Source Edition examines the cascading effect of flaws in open source libraries widely used to create applications

Related Articles

More articles issued by Veracode

More articles related to:

Research Analysis and Reports