Endor Labs, a start-up focused on the reuse of open source software in application development, has published The State of Dependency Management, a report on the rampant but often unmonitored use of existing open source software in application development and the dangers that emerge from this common practice.
As one example, the research reveals that 95% of all vulnerabilities are found in transitive dependencies of open source packages: packages that developers never chose directly but that are pulled into projects indirectly.
This is the first report from Station 9, a research facility developed by Endor Labs that brings together researchers, academics and thought leaders from around the world.
Dedicated to identifying vulnerabilities in the software supply chain and potential solutions to them, Station 9 includes Georgios Gousios, who oversees software analysis, and Henrik Plate, who leads security research.
Varun Badhwar, co-founder and CEO of Endor Labs, says, “In this environment, open source software is the backbone of our critical infrastructure, but even seasoned developers and executives are often surprised to learn that 80% of the code in modern applications comes from existing OSS.
“This is a huge arena, but it’s largely overlooked. This first report from Station 9 clearly shows the depth of the problem in this area and the need for substantial solutions. If open source reuse is to live up to its potential, then security needs to move to the top of the priority list.”
The report offers a comprehensive analysis of the complexities underlying the reliance on open source software and shows why traditional vulnerability remediation methods require far greater scrutiny.
The problem is not necessarily the widespread use of existing open source code in new applications; it is that only a small share of these software dependencies are actually chosen by the developers involved. The rest are transitive, or indirect, dependencies automatically pulled into the codebase. This sets the stage for significant vulnerabilities, both potential and identifiable, that affect the security and development worlds in equal measure.
Among other findings, the report reveals:
The vast majority of all vulnerabilities, 95%, are indeed found in transitive dependencies, which makes it difficult for developers to assess the true impact of these issues, or whether they are even available.
A comparison between the two most popular critical project identification community initiatives, Census II and OpenSSF Criticality Scores, reveals that determining criticality is far from straightforward. In fact, 75% of packages in Census II have a criticality score of less than 0.64; organizations must decide for themselves which open source projects are critical.
Dependency confusion has been a major advantage for the bad guys in recent supply chain attacks, while the risk indicators covered by widely used initiatives typically fail to flag these attacks.
Problems ahead: 50% of the most commonly used Census II packages had no release in 2022, and 30% had their latest release before 2018, which can cause serious security and operational problems in the future.
New does not mean safe. When upgrading to the latest version of a package, there is still a 32% chance that it has known vulnerabilities.
Availability is the most important criterion when setting priorities; prioritizing only on security metrics (such as CVSS scores) or ignoring vulnerabilities in test dependencies reduces the vulnerability probability by only 20%.
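The finding that most vulnerabilities sit in transitive dependencies raises a practical question for defenders: which direct dependency is actually pulling a vulnerable package in, and therefore which one must be upgraded or replaced? The following is an added example, not code from Endor Labs or the report, that walks a small constructed dependency graph (a lockfile-style map of package to required packages) and a constructed advisory list to answer that question for each vulnerable package.

```python
from collections import deque

# Constructed example only: the packages a project declares directly ...
DIRECT_DEPS = ["web-framework", "http-client"]
# ... and, lockfile-style, what every resolved package requires in turn.
DEP_GRAPH = {
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser", "tls-lib"],
    "template-engine": ["string-utils"],
    "url-parser": [],
    "tls-lib": ["string-utils"],
    "string-utils": [],
}
# Constructed advisory feed: package names that currently have a known vulnerability.
VULNERABLE = {"string-utils", "http-client", "unused-lib"}


def resolve(direct, graph):
    """Breadth-first walk from the direct dependencies.

    Returns {package: shortest path from a direct dependency}, so the first
    element of each path is the direct dependency that brings the package in.
    """
    paths = {d: [d] for d in direct}
    queue = deque(direct)
    while queue:
        pkg = queue.popleft()
        for child in graph.get(pkg, []):
            if child not in paths:  # first visit is the shortest path in BFS
                paths[child] = paths[pkg] + [child]
                queue.append(child)
    return paths


def vulnerable_dependencies(direct, graph, vulnerable):
    """For each resolved vulnerable package: is it direct, and which direct dependency pulls it in?"""
    paths = resolve(direct, graph)
    report = {}
    for pkg in sorted(vulnerable):
        if pkg not in paths:
            continue  # advisory for a package this project never resolves: not actionable here
        path = paths[pkg]
        report[pkg] = {"direct": len(path) == 1, "via": path[0], "path": " -> ".join(path)}
    return report


def transitive_share(report):
    """Fraction of the project's resolved vulnerable packages that arrive transitively."""
    if not report:
        return 0.0
    return sum(1 for r in report.values() if not r["direct"]) / len(report)


if __name__ == "__main__":
    found = vulnerable_dependencies(DIRECT_DEPS, DEP_GRAPH, VULNERABLE)
    for name, info in found.items():
        print(f"{name}: {'direct' if info['direct'] else 'transitive'} via {info['via']} ({info['path']})")
    print(f"transitive share: {transitive_share(found):.0%}")
```

With the constructed graph, string-utils is reached only through web-framework and template-engine, so the fix belongs at web-framework rather than at the vulnerable package itself.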
The name Station 9 comes from a research facility on Endor in the Star Wars universe. Endor Labs' Station 9 was created to explore the complexities of supply chain security and the use of open source software in the enterprise, and to provide guidance and best practices for selecting, securing and maintaining OSS. The team will continue to publish further research in the near future through reports, trade show presentations and more.