Commentary on the Veracode SoSS Report 11: Open Source Libraries Need a Security Update
16.12.2021 A guest article by Julian Totzek-Hallhuber *
Open source stands for fast and flexible change, but progress must not open the floodgates to cybercriminals and security vulnerabilities. The open source edition of the “State of Security” report provides an insight into the security of open source libraries.
Security must be a top priority when developers choose their open source libraries.
(© chinnarach – stock.adobe.com)
In the course of the ongoing digital transformation, and in software development in particular, open source libraries are coming increasingly into focus. The Federal Ministry of the Interior, Building and Community, together with the states of North Rhine-Westphalia and Baden-Württemberg, is piloting a platform for developing open source software for public administration. The goal: to strengthen digital sovereignty and develop software jointly across the federal states.
An open source app that is already in nationwide use is the Corona-Warn-App. It caused an outcry at the beginning of July, when outsiders succeeded in recreating a QR code and thereby forging a vaccination certificate for the long-deceased Robert Koch. As a result, the security of the application's software components, which are fully public under an Apache license, was called into question.
The root cause in this case was not a “real” programming error that produced a vulnerability, but a logic error in the app. Nevertheless, the incident made clear that the integration of software security has to be controlled more tightly and that the underlying processes must improve.
SoSS v11: Open Source Edition
The current Veracode report provides an overview of the security of open source libraries. For the SoSS v11: Open Source Edition, 13 million scans of more than 86,000 repositories containing more than 301,000 libraries were analyzed. To gain a comprehensive picture of open source library security and an overview of different ways of working, almost 2,000 developers were also surveyed.
At the heart of the findings is change: nothing is as certain as change in the field of open source libraries. On the one hand, the most popular libraries vary enormously within each programming language. In .NET (Newtonsoft.Json), JavaScript (inherits), Ruby (rake), Python (six) and Java (SLF4J API Module), the same libraries occupy first place as in 2019; in Go (/x/net), PHP (psr/log) and Swift (SwiftLint), however, the current leaders had ranked only second (/x/net, psr/log) or even eleventh (SwiftLint) in 2019.
On the other hand, it is not only popularity but also the security of the various libraries that fluctuates. In .NET (System.Text.RegularExpressions), Go (/x/text), JavaScript (lodash), Java (jackson-databind), Python (urllib3) and Swift (nanopb), the same libraries rank first in terms of exposure to security risks as in 2019. In PHP (zendframework/zendframework1) and Ruby (rack), the libraries now in first place had occupied third (rack) and seventh (zendframework/zendframework1) place in 2019.
Information brings speed
Uncertainty shapes the working environment of developers. But there is good news about their reaction time: once developers become aware of vulnerabilities, they fix them quickly – 17 percent of security risks are fixed within an hour, 25 percent within a week.
An unimpeded and efficient flow of information must therefore be a priority for software development with open source in the future. Without information about vulnerabilities, developers need more than seven months to fix 50 percent of existing security risks – with the necessary information, they need only three weeks.
How developers influence the security of open source libraries with their mindset
Developers will have to update more frequently in the future. 79 percent of third-party libraries are never updated by developers once they have been included in a codebase. Developers need to realize that updates involve far less work than they suspect: 65 percent of the updates that result in a further update are minor and involve at most a small change to the version number. Such updates therefore do not affect the functionality of even the most complex software applications.
A change of mindset among developers is important and promises quick wins and more security, because 92 percent of the vulnerabilities found in a library can already be fixed with an update, and for a full 69 percent of these the update is at most a minor version change.
In addition to new update rules, developers also need a new approach to selecting libraries. The SoSS v11: Open Source Edition reveals that only 52 percent of the developers surveyed follow a formal process when selecting third-party libraries. Asked which priority always applies, 67 percent of these developers name functionality, 63 percent name licensing, and only 53 percent say that security is always a priority.
The SoSS v11: Open Source Edition shows how important a change of mindset on the part of developers is. They need to increase their update frequency to keep pace with a rapidly changing environment, and at the same time they need to prioritize security when choosing open source libraries. Companies, in turn, should promote an unimpeded flow of information and establish a formal process that helps developers select libraries in the company's interest.
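The argument above rests on distinguishing patch, minor and major version bumps. The following Python script is an added example, not code from Veracode or the report: it takes a constructed list of (library, installed version, first fixed version) entries, classifies the bump each fix requires, and reports what share of outdated libraries could be fixed with at most a minor update. The library names and versions are hypothetical; in practice the list would come from a lockfile joined with an advisory feed.

```python
from collections import Counter

# Constructed sample data (hypothetical package names and versions, not taken
# from the report): installed version vs. the first version carrying the fix.
SAMPLE_FINDINGS = [
    ("libalpha", "4.17.15", "4.17.21"),
    ("libbeta", "1.25.8", "1.26.5"),
    ("libgamma", "2.9.10", "2.9.10.8"),
    ("libdelta", "2.2.2", "2.2.3"),
    ("libepsilon", "0.3.9", "0.4.4"),
    ("libzeta", "1.12.0", "2.0.0"),
    ("libeta", "1.15.0", "1.15.0"),
]


def parse_version(text):
    """Turn '1.26.5' or '2.9.10.8' into a tuple of ints, padded to at least
    three components; a non-numeric suffix such as '1.0rc1' keeps only its
    leading digits."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def bump_kind(installed, fixed, strict_zero_major=False):
    """Classify the update from installed to fixed as 'none', 'patch',
    'minor' or 'major'. With strict_zero_major, a minor bump on a 0.x line
    counts as 'major', following the semver convention that 0.x releases
    may break compatibility on minor changes."""
    cur, new = parse_version(installed), parse_version(fixed)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        if strict_zero_major and cur[0] == 0:
            return "major"
        return "minor"
    return "patch"


def summarize(findings, strict_zero_major=False):
    """Return (counts per bump kind, share of outdated libraries whose fix
    is at most a minor bump)."""
    counts = Counter(
        bump_kind(cur, new, strict_zero_major) for _, cur, new in findings
    )
    outdated = sum(n for kind, n in counts.items() if kind != "none")
    small = counts["patch"] + counts["minor"]
    share = small / outdated if outdated else 0.0
    return dict(counts), share


if __name__ == "__main__":
    for name, cur, new in SAMPLE_FINDINGS:
        print(f"{name:12} {cur:>10} -> {new:<10} {bump_kind(cur, new)}")
    counts, share = summarize(SAMPLE_FINDINGS)
    print(counts, f"{share:.0%} of outdated libraries need at most a minor bump")
```

The `strict_zero_major` switch matters for the caveat a practitioner would raise: a 0.3 to 0.4 change is formally a minor bump, but under semantic versioning a 0.x line gives no compatibility promise, so counting it as minor can overstate how painless the fixes are.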
* Julian Totzek-Hallhuber is a Solution Architect at Veracode.