New research from Veracode found that most applications use
open-source libraries that also present vulnerabilities, but the distribution
of such libraries depends on the programming languages used.
Open-source libraries are ubiquitous, but they are not
limited to integration into open-source apps. In fact, most available apps contain
open source libraries, even if they are from private companies and are sold as
proprietary.
Not all libraries are used in equal proportions, but usage
varies depending on the existing ecosystem. For example, the Veracode research
shows that the JavaScript applications investigated have hundreds of
dependencies, with some app reaching 1,000 different libraries. The researchers
looked at 351,000 unique libraries across all major programming languages.
“Many languages have libraries that are almost a given
for inclusion in an application. JavaScript and Python, in particular, have
several core libraries that are likely to be in use for any given application,”
according to the Veracode research.
The researchers didn’t just look at the prevalence of some
dependencies, but at how safe they actually are. One method is to check which
one of the existing libraries already has exploits with public proof-of-concept
demonstrations.
PHP takes first place, as 27% of its flawed libraries
also have published exploit code. Java follows with 15.7%, and .NET with 14.2%.
Equally interesting is that not all vulnerable libraries have attached CVEs,
which means there’s no effort to fix their flaws.
The research also shows that 71% of the 85,000 apps investigated
include libraries with flaws. Moreover, almost all scanned applications have an
unfixed flaw in an external library. Fortunately, it looks like most of the
fixes needed are minor and would not break functionality in the apps using
them, with 73.8% of the libraries needing only a small update.
The good news that comes out of the research is that over
90 % of the highest priority security flaws have a fix available to them today.