1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Open source software can be a security time bomb for businesses

    From TechnologyDaily@1337:1/100 to All on Wed Jun 23 10:30:02 2021
    Open source software can be a security time bomb for businesses

    Date:
    Wed, 23 Jun 2021 09:05:57 +0000

    Description:
    Majority of developers never update the open source libraries inside their apps, reveals survey.

    FULL STORY ======================================================================

    A majority of developers never update third-party open source libraries after including them in a codebase, a new report has found.

    Compiled by app security firm Veracode, the report is based on an analysis of 13 million scans of more than 86,000 repositories, with a total of over 301,000 unique open source libraries.

    Based on its analysis, Veracode discovered almost all the scanned
    repositories include libraries with at least one vulnerability. These are the best endpoint protection tools Check our list of the best firewall apps and services Protect your devices with these best antivirus software

    The security of a library can change quickly, so keeping a current inventory of whats in your application is crucial. We found that once developers pick a library, they rarely update it. With vendors facing increasing scrutiny
    around the security of their supply chain, there is simply no way to justify
    a set it and forget it mentality, said Chris Eng, Chief Research Officer at Veracode. Software bill-of-materials

    Veracode argues that since nearly all modern applications are built using third-party open source software, a single flaw in one library can quickly cascade into all apps using that code.

    The report reveals that a good majority (92%) of flaws in the open source libraries can be fixed with an update, with most of them (69%) being only a minor update.

    Furthermore, even when an update results in additional updates, nearly two-thirds of these will be only a minor version change and are unlikely to break functionality of even the most complex applications.

    The revelations in the report give color to the recent US presidential order that mandates a software bill-of-materials (SBOM) from vendors supplying software solutions to US government agencies, to ensure the entire codebase
    is secure.

    Eng stresses that its vital that developers keep the libraries up-to-date and respond quickly to new vulnerabilities as theyre discovered to ensure
    security throughout the software supply chain. Subscribe to Linux Format magazine for more Linux and open source goodness



    ======================================================================
    Link to news story: https://www.techradar.com/news/open-source-software-can-be-a-security-time-bom b-for-businesses/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)