According to the Veracode’s annual State of Software Security report, 70 percent of mobile and desktop applications being used today have at least one security flaw that is the result of the use of an open-source library.
Experts pointed out that every library could be affected by one o more issues which will be inherited from all the applications that use them.
According to Veracode’s annual State of Software Security report, almost any modern application includes open source libraries that implement functionality that would be extremely tedious to write from scratch.
The experts analyzed over 85,000 applications and related imported libraries, accounting for over 351,000 unique external libraries.
“The number of external libraries found in any given application varies quite a bit depending on the language in which the application is being developed.” reads the report.
Most of the vulnerabilities affecting the applications analyzed by the researchers were present in the Swift, .NET, Go, and PHP open-source libraries.
“But not all flaws are equal. Some security issues are relatively exotic
or difficult to exploit while others may be much more significant to
their application. It’s this sorting of the zebras from the horses to
which we now turn.” continues the report.
Swift is widely used in the Apple ecosystem, it has the highest density of vulnerabilities, but it has an overall low percentage of flawed libraries.
.NET has the lowest percentage of flawed libraries on a population that is more than 17 times larger than Swift.
Go has a high percentage of libraries with flaws, the good news is that it has an overall low number of flaws per individual library. Compared with Go, PHP has a higher rate of flawed libraries, but more double the density of flaws in a given library.
Cross-site scripting (XSS) is the most common vulnerability affecting open-source libraries, it is present in 30 percent of them. Other major issues are insecure deserialization (23.5 percent) and broken access control (20.3 percent). Insecure deserialization was a rare issue flaw among in-house applications.
“The report found that 70 percent of applications have a security flaw in an open source library on initial scan. Cross-Site Scripting is the most common vulnerability category found in open source libraries – present in 30 percent of libraries – followed by insecure deserialization (23.5 percent) and broken access control (20.3 percent).” continues the post.
Experts pointed out that addressing security vulnerabilities in open-source libraries is so difficult.
“In the good news department, addressing the security flaws in these libraries is most often not a significant job. Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update. Major library upgrades are not usually required!” concludes the report.
“This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.”
(SecurityAffairs – open-source libraries flaws, hacking)