A Concerning Number of Third-Party Libraries From Apps Are Never Updated
Third-party Libraries Are Rarely Updated After Being Included in a Codebase, Even Though in Most Cases the Libraries Can Be Relatively Easily Updated.
The lack of updates can result in a heightened risk for organizations, as well as increased complexity when it comes time to deploy a fix.
The researchers at Veracode analyzed 13 million scans of 86,000 customer repositories containing more than 301,000 unique software libraries, and surveyed 2,000 developers, in order to better understand how they use third-party software.
Developers Are Not Updating Third-party Libraries They Most Commonly Use
The analysis shows that 79% of the time, developers never update the third-party libraries used in a codebase, even though libraries of this kind change constantly.
The same pattern holds for more mature, actively maintained repositories, where libraries are added but never updated 73% of the time, compared with 79% across all repositories.
These findings may suggest that updating these libraries is a tedious and extensive process, but it was interesting to find that when developers do update third-party libraries, they act surprisingly quickly.
Whether a fix happens at all often depends on whether the developer understands the problem. For example, if a developer doesn’t understand why SQL injection is dangerous, they might brush it off as unimportant. Illustrating the code path that connects the first-party code to the third-party vulnerability can also help the developer understand how and why their application is vulnerable.
It’s worth noting that developers fear that updating a library to fix a vulnerability will end up breaking something else, even though 69% of vulnerabilities found in third-party libraries can be fixed with only a minor version update, which would rarely cause breakage.
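The fear-of-breakage point above is easier to act on when pending updates are sorted by how far they move the version number. The script below is an added example (it is not code from Veracode or Heimdal) that parses semantic versions from a constructed sample inventory, labels each pending update as patch, minor or major, and reports what share of the backlog is patch-level. The library names, versions and the `SAMPLE_INVENTORY` list are constructed for illustration; the 0.x handling follows the semver rule that anything may change before 1.0.0.

```python
"""Classify pending dependency updates by semantic-version distance.

Added example, not taken from the Veracode report or Heimdal: every package
name and version below is constructed sample data, not a real inventory.
"""
import re
from collections import Counter

# Constructed sample inventory: (library, version pinned in the lock file, latest release).
SAMPLE_INVENTORY = [
    ("example-json-parser", "2.4.1", "2.4.7"),
    ("example-http-client", "1.9.0", "1.11.2"),
    ("example-orm", "3.2.5", "4.0.0"),
    ("example-crypto-utils", "0.8.3", "0.9.0"),
    ("example-logger", "5.1.0", "5.1.0"),
    ("example-template-engine", "1.0.0-rc.1", "1.0.0"),
]

# MAJOR.MINOR.PATCH with an optional -prerelease tag and optional +build metadata.
_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text):
    """Return (major, minor, patch, prerelease) or raise ValueError on malformed input."""
    match = _SEMVER.match(text.strip())
    if not match:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch, prerelease = match.groups()
    return int(major), int(minor), int(patch), prerelease


def classify_update(current, latest):
    """Label the jump from `current` to `latest` as "none", "patch", "minor" or "major".

    A minor bump on a 0.x library is reported as "major", because semver makes no
    compatibility promise before 1.0.0. Moving from a pre-release tag to the final
    release of the same MAJOR.MINOR.PATCH counts as "patch".
    """
    cur = parse_version(current)
    new = parse_version(latest)
    if new[:3] < cur[:3]:
        raise ValueError(f"pinned version {current} is newer than latest {latest}")
    if cur[:3] == new[:3]:
        return "none" if cur[3] == new[3] else "patch"
    if cur[0] != new[0]:
        return "major"
    if cur[1] != new[1]:
        return "major" if cur[0] == 0 else "minor"
    return "patch"


def update_report(inventory=SAMPLE_INVENTORY):
    """Return the pending updates and a Counter of their risk labels."""
    pending = []
    for lib, current, latest in inventory:
        label = classify_update(current, latest)
        if label != "none":
            pending.append((lib, current, latest, label))
    counts = Counter(label for *_, label in pending)
    return {"pending": pending, "counts": counts}


def low_risk_share(report):
    """Fraction of pending updates that are patch-level, the kind that rarely breaks anything."""
    total = len(report["pending"])
    return report["counts"]["patch"] / total if total else 0.0


if __name__ == "__main__":
    report = update_report()
    for lib, current, latest, label in report["pending"]:
        print(f"{lib:26} {current:>12} -> {latest:<8} {label}")
    print(f"{low_risk_share(report):.0%} of pending updates are patch-level")
```

Run as-is it prints one line per pending update and the patch-level share of the backlog; pointing `update_report` at a list built from a real lock file and registry metadata gives the same triage for an actual project. Patch-level entries are the ones to apply first, since they carry the smallest chance of the breakage developers worry about.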
What Are the Reasons for the Lack of Updates?
A lack of time and the fear of breaking an otherwise perfectly functional codebase are not the only reasons behind this concerning percentage; leadership and culture are important factors as well.
Developers work on what product and engineering managers tell them to work on. Leadership needs to carve out the capacity to work on vulnerabilities and reduce security debt, just as time is set aside to work on scalability, resiliency, quality, and so on.
According to the Veracode study, developers see functionality and licensing as important considerations, but they often don’t give security the same weight when adding a new library: 67% of respondents said they always consider functionality and 63% said they always look at licensing when evaluating a new library, but only 52% said the same about security.
The longer we wait to fix a vulnerability in a third-party library, the more complicated it gets to fix, the more time it takes to do the patch, and the bigger the risk of breaking something that affects users.
Vulnerabilities in third-party and open-source libraries are an issue that almost all modern enterprise applications have. Unfortunately, this means the consequences for businesses can be severe when the third-party libraries in their applications are not kept up to date.
It’s important to know your business is secure, and with our scalable, flexible, and intuitive tool, which covers both Windows and third-party software patch deployment, it’s easier than you might think: you can take complete control of your environment and stay away from major threats like ransomware, while steadily transitioning towards a state of true cyber resilience.
Heimdal™ Patch & Asset Management
- Schedule updates at your convenience;
- See any software assets in inventory;
- Global deployment and LAN P2P;
- And much more than we can fit in here...