Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

End of Bibblio RCM includes -->

Dependency Problems Increase for Open Source Components

The number of components in the average application rose 77% over two years. No wonder, then, that 84% of codebases have at least one vulnerability.

The average software application depends on more than 500 open source libraries and components, up 77% from 298 dependencies in two years, highlighting the difficulty of tracking the vulnerabilities in every software component, according to a new report from software management firm Synopsys. 

In its "Open Source Security and Risk Analysis" (OSSRA) report, the company states it found that 98% of applications used open source and that open source libraries and components made up more than 75% of the code in the average software application. Most applications, 84%, had at least one vulnerability — the typical application had 158 vulnerabilities — and 60% of applications had at least one high-severity issue.

Related Content:

Vulnerabilities Declining in Open Source, but Slow Patching Still a Problem

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

The data underscores that modern software applications have a dependency problem, says Tim Mackey, principal security strategist with Synopsys.

"We need to find a way to get [unpatched vulnerabilities] under control because we are headed in the wrong direction," he says. "This sort of complexity breeds fragility because complexity means that the developer teams don't necessarily have an understanding of the way that code is behaving today, and whenever that happens, then there might be corner cases where they might get bit."

Open source dependencies have become an increasing problem, especially for JavaScript application frameworks, which — because of the language's approach to software architecture — tend to rely on an order of magnitude more components. In an analysis of more than 45,000 active repositories last year, for example, GitHub found that while the average JavaScript application has 10 direct dependencies, those components rely on other libraries, which results in a tree of dependencies that grows to a massive 683 separate codebases. PHP applications typically have 70 dependencies and Ruby has 68, according to the GitHub report.

Synopsys found a similar number of dependencies. While the company did not break out the numbers by language or platform, the average application audited by the firm had 528 dependencies, according to Mackey. 

"To fix an open source vulnerability, you first have to know the vulnerability is there," the company states in the OSSRA report. "Pinpointing vulnerable open source depends on identifying and inventorying all open source you're using."

The data, which comes from the nearly 1,548 applications scanned by Synopsys in 2020, also shows that older vulnerabilities continue to be a problem. Of the top-10 high-risk vulnerabilities found in open source components, only two are from 2020 — one is from 2019, three were disclosed in 2018, and the rest were disclosed more than three years ago.

The problem is that most companies don't have visibility into the long chains of dependencies that many of the applications have, Mackey says.

"When people scan for vulnerabilities, they may only be seeing that top-level dependency version, and not realizing all the other libraries that are getting imported in," he says.

In addition, many of the open source projects in use have not been updated — or patched — in some time. More than 90% of the applications had at least one open source component that had not been updated in the last two years, according the report.

Overall, the company found that 84% of applications have at least one vulnerability, up from 60% two years ago. Applications in the marketing-technology sector were most likely to have a vulnerability, with more than 95% of audited applications having a vulnerability in their open source components. The energy sector, retail and e-commerce sector, healthcare, and Internet of Things manufacturers all had vulnerability likelihoods between 65% and 80%.

The solution to the problem of extended chains of open source dependencies is not simple. Companies could try to track the dependencies, either manually — which will have scale issues — or through an automated service. However, much of the issue will depend on the maintainers of the particular open source projects included in the application code. For that reason, generating and analyzing the software bill of materials as soon as possible has become increasingly important.

"I think it really boils down to, as people are adopting open source components, that they need to make certain that they have the processes in place to keep them up to date," Mackey says. "They have to make the adoption phase more rigorous than just a developer going onto the Internet and downloading the component."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1172
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
CVE-2023-1469
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
CVE-2023-1466
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
CVE-2023-1467
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
CVE-2023-1468
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...