Massive flaw in library updating

Failure creates significant security risk for software vendors and users

New research has found that, nearly 80% of the time, third-party libraries are never updated by developers after being included in a codebase – despite the fact that more than two-thirds of fixes are minor and non-disruptive to the functionality of even the most complex software applications. Open source libraries constantly evolve, so what appears secure today may no longer be so tomorrow, potentially creating a significant security risk for software vendors and users.

The Veracode ‘State of Software Security v11: Open Source Edition’ analysed 13 million scans of more than 86,000 repositories containing more than 301,000 unique libraries, and also surveyed nearly 2,000 developers to understand how they use third-party software.

The Veracode research also discovered notable fluctuations in library popularity and vulnerability year over year, states the company. “For example, four of the five most popular libraries in ‘Ruby’ in 2019 were no longer in the top 10 in 2020, while some of the most vulnerable libraries in ‘Go’ in 2019 became less vulnerable in 2020 and vice versa.”

Since nearly all modern applications are built using third-party open source software, a single flaw or adjustment in one library can cascade into all applications using that code, meaning these constant changes have a direct impact on software security. Almost all repositories include libraries with at least one vulnerability.

Chris Eng, chief research officer at Veracode, explains: “The vast majority of today’s applications use open source code. The security of a library can change quickly, so keeping a current inventory of what’s in your application is crucial. We found that, once developers pick a library, they rarely update it. With vendors facing increasing scrutiny around the security of their supply chain, there is simply no way to justify a ‘set it and forget it’ mentality. It’s vital that developers keep those components up to date and respond quickly to new vulnerabilities as they’re discovered.”