Most Third Party Libraries Never Updated After Included in a Codebase

Okay, you are probably tired of hearing me rant about software supply chain but it is a huge source of hacks. Big hacks like SolarWinds and Microsoft Exchange, but mostly small hacks that we never figure out what the source is.

Reseachers looked at what developers actually do.

The analyzed 13 million scans of 86,000 code repositories containing more than 300,000 unique libraries and also asked a couple of thousand developers what they did.

If developers have accurate vulnerability information, they have fixed 17% of flaws in an hour and 25% within a week.

92 percent of open source flaws can be fixed with an update and 60 percent of those updates are minor.

Most of the time the updates are minor and unlikely to break things.

Only half of the developers said that they had a formal process for selecting third party libraries and more than a quarter had no idea if they did or not.

The security of libraries ranks third in selection – after functionality and cost. That is probably okay if third doesn’t mean “whatever”.

As the executive order on cybersecurity gets fleshed out, expect more attention from companies on the subject – because if they don’t then they will not be able to sell their software to the government or even use particular open source software at all.

For some companies it will become best practice and if you don’t have the ability to track and maintain libraries, they will find a vendor who will. This is independent of whether they sell to the government or not.

Credit: Help Net Security

by