


The Veracode State of Software Security (SoSS) v11: Open Source Edition found that 79% of the time, third-party libraries are never updated by developers after being included in a codebase. This edition of SoSS focuses on open source applications and components, and is based on the analysis of 13 million scans of more than 86,000 repositories containing more than 301,000 unique libraries. The analysis also includes survey results on the use of third-party software from nearly 2,000 developers.

Most developers set and forget open source libraries in their code

Above: The Veracode SoSS v11: Open Source Edition found that 79% of developers never update third-party libraries after they are included in a codebase. Most of the issues can be addressed as minor fixes.

Image Credit: Veracode

The libraries are not updated despite the fact that more than two-thirds of fixes are considered minor and non-disruptive to the application’s overall functionality. Further, 92% of open source library flaws can be fixed with an update, and 69% of updates are only a minor version change or smaller. Open source libraries constantly evolve, so what appears secure today may no longer be so tomorrow, potentially creating a significant security risk for software vendors and users.

The good news is that developers typically respond quickly once they learn about vulnerable libraries in the codebase. Nearly 17 percent of vulnerable libraries are fixed within an hour of the developer discovering a library with a vulnerability, and 25 percent are fixed within seven days, Veracode said.
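The report's distinction between fixes that are "only a minor version change or smaller" and those that are not is a semver comparison between the installed version and the fixed version. The script below is an added illustration, not Veracode's code or data: the library names, versions and advisory fixed versions are constructed sample values, and it classifies each pending fix as a patch, minor or major bump so a team can see how much of its backlog is low-risk to apply.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data (not Veracode's): library, installed version, and the
# earliest fixed version named in a hypothetical advisory.
SAMPLE_DEPENDENCIES: List[Tuple[str, str, str]] = [
    ("example-json-lib", "2.4.1", "2.4.3"),   # patch-level fix
    ("example-http-lib", "1.8.0", "1.9.2"),   # minor bump
    ("example-xml-lib", "v3.2.0", "4.0.0"),   # major bump, may break callers
    ("example-log-lib", "5.1.0", "5.1.0"),    # already at the fixed version
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; tolerate a leading 'v', pre-release and build tags."""
    core = version.lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    nums = [int(p) for p in core.split(".")[:3]]
    nums += [0] * (3 - len(nums))           # '1.8' is treated as 1.8.0
    return nums[0], nums[1], nums[2]


def classify_bump(current: str, fixed: str) -> str:
    """Return 'none', 'patch', 'minor' or 'major' for moving current -> fixed."""
    cur, fix = parse_version(current), parse_version(fixed)
    if fix <= cur:
        return "none"                       # already on a fixed (or newer) release
    if fix[0] != cur[0]:
        return "major"                      # semver: may contain breaking changes
    if fix[1] != cur[1]:
        return "minor"                      # backwards-compatible additions
    return "patch"                          # fixes only; the safest update


def summarize(deps: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count pending fixes by bump size, plus the report's 'minor or smaller' bucket."""
    counts = Counter(classify_bump(cur, fix) for _, cur, fix in deps)
    result = {k: counts.get(k, 0) for k in ("none", "patch", "minor", "major")}
    result["pending"] = result["patch"] + result["minor"] + result["major"]
    result["minor_or_smaller"] = result["patch"] + result["minor"]
    return result


if __name__ == "__main__":
    for name, cur, fix in SAMPLE_DEPENDENCIES:
        print(f"{name}: {cur} -> {fix}: {classify_bump(cur, fix)}")
    print(summarize(SAMPLE_DEPENDENCIES))
```

On the constructed sample, two of the three pending fixes fall into the minor-or-smaller bucket; run against a real lockfile and advisory feed, the same classification shows which updates can be applied with little regression risk.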


The research also examines the open source libraries in codebases today, how organizations manage the security of those libraries, year-over-year fluctuations in library popularity and vulnerability, and best practices for using open source code securely. It finds that only 52% of developers surveyed have a formal process for selecting third-party libraries, while more than a quarter are either unsure, or even unaware, whether a formal process is in place. Additionally, developers rated “Security” only the third most important consideration when selecting a library, with “Functionality” and “Licensing” taking the first and second spots respectively.

Since nearly all modern applications are built using third-party open source software, a single flaw or adjustment in one library can cascade into all applications using that code, meaning that constant changes in library popularity, vulnerability, and updates have a direct impact on software security.

Read the full Veracode SoSS v11: Open Source Edition.
