Open source software can be a security time bomb for businesses

Developers
(Image credit: Shutterstock)

A majority of developers never update third-party open source libraries after including them in a codebase, a new report has found.

Compiled by app security firm Veracode, the report is based on an analysis of 13 million scans of more than 86,000 repositories, with a total of over 301,000 unique open source libraries.

Based on its analysis, Veracode discovered almost all the scanned repositories include libraries with at least one vulnerability. 

“The security of a library can change quickly, so keeping a current inventory of what’s in your application is crucial. We found that once developers pick a library, they rarely update it. With vendors facing increasing scrutiny around the security of their supply chain, there is simply no way to justify a ‘set it and forget it’ mentality,” said Chris Eng, Chief Research Officer at Veracode.

Software bill-of-materials

Veracode argues that since nearly all modern applications are built using third-party open source software, a single flaw in one library can quickly cascade into all apps using that code.

The report reveals that a good majority (92%) of flaws in the open source libraries can be fixed with an update, with most of them (69%) being only a minor update.

Furthermore, even when an update results in additional updates, nearly two-thirds of these will be only a minor version change and are unlikely to break functionality of even the most complex applications.

The revelations in the report give color to the recent US presidential order that mandates a software bill-of-materials (SBOM) from vendors supplying software solutions to US government agencies, to ensure the entire codebase is secure.

Eng stresses that it’s vital that developers keep the libraries up-to-date and respond quickly to new vulnerabilities as they’re discovered to ensure security throughout the software supply chain.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
Holographic representation of cloud computing over open businessman's hand
Businesses are struggling to address vulnerabilities hidden in phantom dependencies
coding
Popular open source vulnerability scanner Nuclei forced to patch worrying security flaw
Security
Removing software supply chain blind spots that put public sector organizations at risk
API
Businesses are being plagued by API security risks - with nearly 99% affected
Hacker Typing
Racing against time on a menacing caldera: survey finds majority of organizations take days to tackle critical vulnerabilities, each of them a potential open goal for cybercriminals
Cyber-security
Empowering developers with cutting-edge security training
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all