According to Veracode’s annual “State of Software Security” report, 70% of the mobile and desktop applications in use today have at least one security flaw that stems from an open-source library. The report found that lack of awareness about where and how open-source libraries are being used is a major contributor to these issues. Open-source libraries are free-to-use packages, typically pulled from centralized code repositories, that give developers ready-made functionality. They are not only ubiquitous but also risky, the research stressed.
The research examined 351,000 external libraries across 85,000 applications and found that these libraries carry numerous security bugs; because a library is reused widely, even a single bug can affect hundreds of applications. According to the report, most of the open-source flaws were found in applications written in Swift, .NET, Go, and PHP. Swift, used mainly within the Apple ecosystem, has the highest density of flaws but a low percentage of flawed libraries by volume, while .NET has the lowest percentage of flawed libraries of the four and, by volume, is more than 17 times larger than Swift.
Around 47% of the flawed libraries in applications are transitive, that is, they were not pulled in directly by developers but arrived as dependencies of other libraries. This means developers are introducing far more code, and often flawed code, than they may anticipate.
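The transitive case is easy to miss because the manifest only names what a developer asked for, while the lockfile records everything that was resolved. The script below, an added example rather than anything from the Veracode report, walks a constructed dependency graph from the declared direct dependencies, labels each resolved package as direct or transitive with the path that brought it in, and cross-checks the result against a constructed advisory list to compute what share of the flawed libraries are transitive. The package names, graph edges, and advisory entries are all hypothetical sample data.

```python
"""Classify resolved dependencies as direct or transitive and cross-check them
against an advisory list. All data below is constructed for illustration."""
from collections import deque

# Constructed: what the developer declared in the manifest (direct dependencies).
DIRECT = {"web-framework", "http-client"}

# Constructed: the resolved graph as a lockfile would record it,
# package -> set of packages it requires.
RESOLVED = {
    "web-framework": {"template-engine", "serializer"},
    "http-client": {"url-parser"},
    "template-engine": {"html-escaper"},
    "serializer": set(),
    "url-parser": set(),
    "html-escaper": set(),
}

# Constructed advisory list (hypothetical entries): package -> flaw category.
ADVISORIES = {
    "serializer": "insecure deserialization",
    "html-escaper": "cross-site scripting",
    "http-client": "broken access control",
}


def expand(direct, graph):
    """Breadth-first walk from the direct dependencies.
    Returns {package: (depth, path)}; depth 0 means declared directly,
    and path is the chain of packages that pulled it in."""
    seen = {}
    queue = deque((d, 0, (d,)) for d in sorted(direct))
    while queue:
        pkg, depth, path = queue.popleft()
        if pkg in seen:          # BFS: first visit is the shortest chain
            continue
        seen[pkg] = (depth, path)
        for child in sorted(graph.get(pkg, ())):
            queue.append((child, depth + 1, path + (child,)))
    return seen


def classify_flaws(direct, graph, advisories):
    """One row per resolved package that has an advisory, with whether the
    package is transitive and the dependency chain that introduced it."""
    deps = expand(direct, graph)
    rows = []
    for pkg, (depth, path) in sorted(deps.items()):
        if pkg in advisories:
            rows.append({
                "package": pkg,
                "category": advisories[pkg],
                "transitive": depth > 0,
                "via": " -> ".join(path),
            })
    return rows


def transitive_share(rows):
    """Fraction of flawed libraries that were not declared directly."""
    if not rows:
        return 0.0
    return sum(r["transitive"] for r in rows) / len(rows)


if __name__ == "__main__":
    rows = classify_flaws(DIRECT, RESOLVED, ADVISORIES)
    for r in rows:
        kind = "transitive" if r["transitive"] else "direct"
        print(f"{r['package']:<14} {kind:<10} {r['category']:<25} via {r['via']}")
    print(f"share of flawed libraries that are transitive: {transitive_share(rows):.0%}")
```

On this sample, two of the three flawed packages (`serializer` and `html-escaper`) never appear in the manifest at all; they arrive through `web-framework`. The same walk works on a real lockfile once its edges are loaded into the `RESOLVED` shape, and the `via` chain is what tells you which direct dependency to upgrade or replace.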
Veracode also found that Go has a high percentage of libraries with flaws but a low number of flaws per individual library. PHP has a higher rate of flawed libraries than Go, and more than double the density of flaws in any given library. The report also found that cross-site scripting (XSS) is the most common vulnerability category in open-source libraries, followed by insecure deserialization (23.5%) and broken access control (20.3%).
“Prominent in almost every application today, open-source libraries allow developers to move faster by quickly adding basic functionality. In fact, it would be nearly impossible to innovate with software without these libraries. However, lack of awareness about where and how open source libraries are being used and their risk factors is a problematic practice,” the report said.
“We found insecure deserialization was a relatively rare flaw among in-house applications. Having such a high ranking when looking at libraries is troubling as this category of flaws can result in unexpected code paths being executed, which means that portions of libraries that we are not even intending to use may be inserted into the execution path of their hosting applications through use of this flaw,” the report added.
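The mechanism the report describes, library code the application never meant to call being pulled into the execution path, is easiest to see with Python's pickle. The block below is an added example, not code from the report: `run_command` is a stand-in for a dangerous library entry point (the real-world equivalent would be something like `os.system`), the payload is constructed locally, and the only side effect is an entry in a list. It puts the vulnerable loader beside a hardened one that allowlists the single class the application expects.

```python
"""Insecure deserialization: a vulnerable loader beside a hardened one.
Added example; the 'library' function and the payload are constructed here
and the payload only appends to a list, it does not touch the system."""
import io
import pickle

CALLS = []  # records what the stand-in library function was asked to do


def run_command(cmd):
    """Stand-in for a dangerous library entry point (think os.system or
    subprocess.run). Nothing in the application calls it on purpose."""
    CALLS.append(cmd)
    return f"executed: {cmd}"


class Profile:
    """The only type the application actually intends to deserialize."""
    def __init__(self, name):
        self.name = name


class Gadget:
    """Attacker-controlled object. pickle honours __reduce__, so the stream
    it produces says: import run_command and call it with these arguments."""
    def __reduce__(self):
        return (run_command, ("touch /tmp/pwned",))


def load_unsafe(blob):
    """Vulnerable: pickle.loads resolves and calls any importable callable
    named in the stream, so the payload runs during deserialization."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: allow exactly the class we expect and refuse every other
    import, so a gadget referencing run_command never resolves."""
    def find_class(self, module, name):
        if (module, name) == (Profile.__module__, Profile.__name__):
            return Profile
        raise pickle.UnpicklingError(f"refused to import {module}.{name}")


def load_safe(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Feed a legitimate Profile and an attacker payload to both loaders.
    Returns (result of the unsafe loader on the payload, whether the
    hardened loader refused the payload)."""
    legit = pickle.dumps(Profile("alice"))   # what the app expects to receive
    payload = pickle.dumps(Gadget())         # what an attacker submits instead

    # Both loaders handle the expected type identically.
    assert load_unsafe(legit).name == "alice"
    assert load_safe(legit).name == "alice"

    unsafe_result = load_unsafe(payload)     # run_command fires here
    try:
        load_safe(payload)
        safe_refused = False
    except pickle.UnpicklingError:
        safe_refused = True
    return unsafe_result, safe_refused


if __name__ == "__main__":
    print(demo())
    print("calls made by the library function:", CALLS)
```

Note that the gadget never has to be a class the application knows about: `__reduce__` only needs to name a callable that is importable in the victim process, and every library on the dependency graph, including the transitive ones, contributes candidates. The allowlist in `find_class` is the control that matters; scanning for "suspicious" opcodes is not enough, because the legitimate `Profile` stream also contains a global reference.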