Most Developers Never Update Third-Party Libraries in Their Software: Report

Most developers never update third-party libraries after including them in their software, a new report from application security company Veracode reveals.

Compiled in partnership with the Cyentia Institute, Veracode’s latest State of Software Security report focuses on open source software and the manner in which developers approach the security of third-party libraries they use.

An analysis of more than 86,000 repositories containing over 300,000 unique libraries and discussions with more than 1,700 developers revealed that, although the open source landscape is constantly changing and libraries are continuously evolving, 79% of libraries are never updated after being included in software.

While some developers act quickly when learning of vulnerabilities in the libraries they use (25% of bugs are addressed within a week), half of the security holes aren’t patched within seven months of a fix being released. According to the report, this is because developers lack the information they need to take immediate action.

“When developers understand the implications of vulnerabilities and appropriately prioritize security, they can fix most flaws easily,” Veracode notes. In fact, half of vulnerabilities are addressed within three weeks when developers have the information they need.


The report also discovered that the majority of vulnerabilities in third-party libraries (92%) can be patched with a single update and that 69% of the updates represent minor version changes, unlikely to break application functionality.

More than half of the surveyed developers (52.5%) have in place a formal process for library evaluation, 28.4% said they were unsure (they either have no formal process in place or are unaware of it and are ignoring it), and 19.1 ..
