Businesses are struggling to address vulnerabilities hidden in phantom dependencies
Updates have a 75% chance of breaking an app, report claims
- Hidden dependencies pose unseen risks in modern software systems, says report
- Function-level analysis slashes unnecessary vulnerability fixes by 90%
- Advisory delays leave systems exposed to exploitation
As organizations increasingly rely on third-party components and open source libraries to accelerate development, experts have warned that addressing the security risks associated with these dependencies has become a significant priority.
Endor Labs' 2024 Dependency Management Report explores the evolving challenges in managing software dependencies and vulnerabilities. Its analysis across Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala found that fewer than 9.5% of vulnerabilities in 2024 were considered 'real threats'.
“A lot of organizations are struggling with managing dependency risks," noted Darren Meyer, staff research engineer at Endor Labs. "They're drowning in vulnerability alerts, many of which don't represent relevant risk; researching the alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive."
Dependency management
Managing dependencies is not a simple task. Most software projects rely on multiple layers of dependencies, including first-party code libraries, frameworks, and operational dependencies that support production environments. Together these form a web of interconnected components, and a vulnerability anywhere in that web can expose an organization to significant security risk.
Third-party components, particularly open source software, are a staple of modern software development because they spare developers from writing foundational code and offer pre-built functionality that shortens development cycles. The trade-off is that vulnerabilities in those external components become the application's own vulnerabilities.
Many security issues stem from "phantom dependencies": components the code actually imports and runs but that are not declared in the project's manifest or lock file, for example a library pulled in transitively or installed by hand and then imported directly. Because traditional tools inventory dependencies from the manifest rather than from the code, they fail to see these components or the vulnerabilities they carry.
Timing compounds the problem: nearly 70% of advisories issued by vulnerability management platforms, such as NIST's NVD, are published after the corresponding security patch is released, with a median delay of 25 days, so a patched version can exist for weeks before a scanner has anything to match it against.
Endor also claims that almost half of the advisories in public vulnerability databases lack code-level details, and only 2% identify the specific vulnerable function, which makes it difficult for security teams to determine whether a known vulnerability is actually exploitable in their applications.
In addition, Endor's analysis of 1,250 updates from vulnerable to non-vulnerable versions found that 24% of fixes require a major version update, while only 6% of vulnerabilities could be fixed with a minor or patch-level update.
Endor therefore argues that not all vulnerabilities pose the same level of risk, and advises organizations to focus on the vulnerabilities that are reachable and exploitable, since only about 9.5% of vulnerabilities in dependencies are exploitable at the function level.
Reachability analysis, which determines whether a vulnerable function in a dependency is called by the application’s code, emerges as one of the most effective methods for reducing the noise in vulnerability reporting. By focusing on vulnerabilities that have a clear path to being exploited, organizations can reduce their remediation efforts by nearly 90%, according to the report.
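The two checks described above, detecting phantom dependencies by comparing what the code imports against what the manifest declares, and function-level reachability from the application's entry points to a named vulnerable function, as an added example. This is not code from the Endor Labs report or its tooling. It assumes a small constructed Python project embedded in the block, a manifest represented as a set of declared package names, and advisory targets (yaml.load, requests.get) that are chosen for illustration rather than taken from any real advisory.

```python
"""Added example (not Endor Labs' tooling): phantom-dependency detection and
function-level reachability on a small constructed Python project."""
import ast
import sys
from collections import deque

# Constructed sample project. The manifest declares requests and flask, but the
# code also imports yaml: a phantom dependency a manifest-only scan never sees.
# legacy_parse() calls the (illustratively) vulnerable yaml.load, but nothing
# ever calls legacy_parse, so that vulnerability is not reachable.
MANIFEST = {"requests", "flask"}
SOURCES = {
    "app/main.py": (
        "import requests\n"
        "import yaml\n"
        "from app import util\n\n"
        "def handler(raw):\n"
        "    cfg = yaml.safe_load(raw)\n"
        "    return util.fetch(cfg['url'])\n"
    ),
    "app/util.py": (
        "import requests\n"
        "import yaml\n\n"
        "def fetch(url):\n"
        "    return requests.get(url, timeout=5).text\n\n"
        "def legacy_parse(data):\n"
        "    return yaml.load(data)\n"
    ),
}
STDLIB = getattr(sys, "stdlib_module_names", set())  # present on Python 3.10+


def module_name(path):
    return path[: -len(".py")].replace("/", ".")


def top_level_imports(tree):
    """Top-level package names a module imports (relative imports skipped)."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def phantom_dependencies(sources, manifest):
    """Imported packages that are neither declared, first-party nor stdlib."""
    used = set()
    for src in sources.values():
        used |= top_level_imports(ast.parse(src))
    first_party = {module_name(p).split(".")[0] for p in sources}
    return sorted(used - manifest - first_party - STDLIB)


def dotted(expr):
    """'a.b.c' for a Name/Attribute chain; None for anything dynamic."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        base = dotted(expr.value)
        return f"{base}.{expr.attr}" if base else None
    return None


def build_call_graph(sources):
    """Return (funcs, calls): the project's fully qualified functions and, per
    unit ('mod.<module>' for top-level code, 'mod.func' for a function), the
    fully qualified call targets it makes. Nested defs fold into the enclosing
    function; getattr-style and call-on-call-result targets are not resolved."""
    funcs, calls = set(), {}
    for path, src in sources.items():
        mod, tree = module_name(path), ast.parse(src)
        bind = {}  # local name -> fully qualified name it refers to
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for a in node.names:
                    top = a.name.split(".")[0]
                    bind[a.asname or top] = a.name if a.asname else top
            elif isinstance(node, ast.ImportFrom) and node.level == 0:
                for a in node.names:
                    bind[a.asname or a.name] = f"{node.module}.{a.name}"
            elif isinstance(node, ast.FunctionDef):
                bind[node.name] = f"{mod}.{node.name}"
                funcs.add(f"{mod}.{node.name}")

        def targets(node):
            out = []
            for n in ast.walk(node):
                name = dotted(n.func) if isinstance(n, ast.Call) else None
                if name:
                    head, *rest = name.split(".")
                    out.append(".".join([bind.get(head, head), *rest]))
            return out

        units = {f"{mod}.<module>": [n for n in tree.body if not isinstance(n, ast.FunctionDef)]}
        units.update({f"{mod}.{n.name}": [n] for n in tree.body if isinstance(n, ast.FunctionDef)})
        for unit, nodes in units.items():
            calls[unit] = [t for n in nodes for t in targets(n)]
    return funcs, calls


def reachable_path(sources, entry_points, vulnerable_function):
    """Breadth-first search over the call graph from all module-level code plus
    the given entry points; returns the call chain reaching
    vulnerable_function, or None if it is not reachable."""
    funcs, calls = build_call_graph(sources)
    entries = [u for u in calls if u.endswith(".<module>")] + list(entry_points)
    queue = deque((e, [e]) for e in entries)
    seen = set(entries)
    while queue:
        unit, path = queue.popleft()
        for target in calls.get(unit, []):
            if target == vulnerable_function:
                return path + [target]
            if target in funcs and target not in seen:
                seen.add(target)
                queue.append((target, path + [target]))
    return None


if __name__ == "__main__":
    print("phantom dependencies:", phantom_dependencies(SOURCES, MANIFEST))
    for vuln in ("yaml.load", "requests.get"):  # illustrative advisory targets
        print(vuln, "->", reachable_path(SOURCES, ["app.main.handler"], vuln))
```

Run stand-alone, the block reports yaml as a phantom dependency, no path to yaml.load, and the chain app.main.handler to app.util.fetch to requests.get. The caveat a practitioner should keep in mind is that an "unreachable" verdict is only as good as the call graph: dynamic dispatch, getattr, plugin loading and code inside the dependency itself are invisible to this walk, which is why production reachability tools also analyse the dependency's own call graph and treat unresolved calls conservatively.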
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com