Home » » Open source software can be a security time bomb for businesses

Open source software can be a security time bomb for businesses

No comments

A majority of developers never update third-party open source libraries after including them in a codebase, a new report has found.

Compiled by app security firm Veracode, the report is based on an analysis of 13 million scans of more than 86,000 repositories, with a total of over 301,000 unique open source libraries.

Based on its analysis, Veracode discovered almost all the scanned repositories include libraries with at least one vulnerability. 

“The security of a library can change quickly, so keeping a current inventory of what’s in your application is crucial. We found that once developers pick a library, they rarely update it. With vendors facing increasing scrutiny around the security of their supply chain, there is simply no way to justify a ‘set it and forget it’ mentality,” said Chris Eng, Chief Research Officer at Veracode.

Software bill-of-materials

Veracode argues that since nearly all modern applications are built using third-party open source software, a single flaw in one library can quickly cascade into all apps using that code.

The report reveals that a good majority (92%) of flaws in the open source libraries can be fixed with an update, with most of them (69%) being only a minor update.

Furthermore, even when an update results in additional updates, nearly two-thirds of these will be only a minor version change and are unlikely to break functionality of even the most complex applications.

The revelations in the report give color to the recent US presidential order that mandates a software bill-of-materials (SBOM) from vendors supplying software solutions to US government agencies, to ensure the entire codebase is secure.

Eng stresses that it’s vital that developers keep the libraries up-to-date and respond quickly to new vulnerabilities as they’re discovered to ensure security throughout the software supply chain.



from TechRadar - All the latest technology news https://ift.tt/3vQgAp9
Share:

No comments:

Post a Comment

Categories

Rove Reviews Youtube Channel

  1. Subscribe to our youtube channel
  2. Like our videos and share them too.
  3. Our youtube channel name Rove reviews.

WITNUX

This website is made by Witnux LLC. This website provides you with all the news feeds related to technology from large tech media industries like GSM Arena, NDTV, Gadgets 360, Firstpost and many other such ates altogether at technical depicts so that you need not go to several sites to view their post provide you advantantage of time.

From the developer
Tanzeel Sarwar

OUR OTHER NETWORKS

OUR YOUTUBE CHANNEL

ROVE REVIEWS PLEASE SUBSCRIBE

OUR FACEBOOK PAGE

The Rove Reviews

Support

Trying our best to provide you the best DONATE or SUPPORTour site Contact me with details how are you gonna help us