Veracode has published the results of a study of security problems caused by embedding open-source libraries into applications (instead of linking to them dynamically, many companies simply copy the necessary libraries into their projects). Scanning 86 thousand repositories and surveying about two thousand developers showed that 79% of third-party libraries copied into projects are never updated.
At the same time, outdated library code becomes a cause of security problems that in 92% of cases could be avoided simply by updating the library. The excuse that libraries are not updated because of possible compatibility breakage is in most cases groundless: in 69% of cases the vulnerability was fixed in a bugfix release that involved no changes in functionality.
Informing developers about the appearance of vulnerabilities also has an effect: when developers were notified of a problem in a library, in 17% of cases the problem was fixed within an hour, and in 25% within a week. When information was provided about how the vulnerability in the library could lead to compromise of the application, in 50% of cases the fix was produced within three weeks, whereas without such information the elimination of the vulnerability had to wait 7 or more months.
A quarter of the surveyed developers said that when choosing a library to embed, the focus is on functionality and the code's license, and only then is security taken into account.
It is noteworthy that the situation with license verification is no better: 54% of respondents admitted that they do not always check the license of library code before integrating it into their product. Only 27% of respondents practice mandatory verification of license compatibility.