Most Apps Use Vulnerable Open-Source Libraries, Veracode Research Shows

New research from Veracode finds that most applications use open-source libraries that carry vulnerabilities, and that the mix of such libraries varies with the programming language used.

Open-source libraries are ubiquitous, and their use is not limited to open-source apps. Most applications contain open-source libraries, even those built by private companies and sold as proprietary software.

Libraries are not used in equal proportions; usage depends on the ecosystem around each language. For example, the Veracode research shows that the JavaScript applications examined have hundreds of dependencies, with some apps pulling in 1,000 different libraries. In total, the researchers looked at 351,000 unique libraries across all major programming languages.

“Many languages have libraries that are almost a given for inclusion in an application. JavaScript and Python, in particular, have several core libraries that are likely to be in use for any given application,” according to the Veracode research.

The researchers didn’t just look at the prevalence of particular dependencies, but at how safe they actually are. One measure is how many of the flawed libraries already have published exploits or public proof-of-concept demonstrations.

PHP takes first place, with 27% of its flawed libraries also having published exploit code. Java follows with 15.7%, and .NET with 14.2%. Equally notable is that not every vulnerable library has a CVE assigned, so a scanner that relies on CVE identifiers alone will miss those flaws, and flaws that nobody is tracking are unlikely to be fixed.

The research also shows that 71% of the 85,000 applications examined include libraries with flaws, and almost all of the scanned applications carry at least one unfixed flaw in an external library. Fortunately, most of the required fixes look minor and would not break the applications that use the libraries: 73.8% of the flawed libraries need only a small version update.

The good news from the research is that over 90% of the highest-priority security flaws already have a fix available.
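The findings above boil down to four questions a practitioner should ask of every dependency: is it affected by a known flaw, does that flaw have a CVE (if not, CVE-driven scanners will miss it), is public exploit code known, and how large is the version bump that fixes it. The script below is an added example of that triage, not Veracode's tooling or data. The dependency manifest, the advisory list, the library names and the CVE-style strings are all constructed placeholders, and the `affected_below` rule (every version below the fix line is affected) is a simplifying assumption.

```python
"""Dependency triage along the axes the Veracode findings describe: which
dependencies are flawed, whether each flaw has a CVE, whether public exploit
code exists, and how large a version bump the fix needs.
Added example with constructed data, not Veracode's tooling or data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """One known flaw in a library. cve is None when no CVE was ever assigned."""
    library: str
    affected_below: str           # assumption: every version below this is affected
    fixed_in: str                 # first version that carries the fix
    cve: Optional[str] = None
    exploit_public: bool = False  # a public PoC or exploit is known


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v'); missing parts count as 0."""
    parts = version.strip().lstrip("v").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a simple semver string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def bump_kind(current: str, fixed: str) -> str:
    """Classify the upgrade from current to fixed: none, patch, minor or major."""
    c, f = parse_semver(current), parse_semver(fixed)
    if f <= c:
        return "none"
    if f[0] != c[0]:
        return "major"
    if f[1] != c[1]:
        return "minor"
    return "patch"


def triage(manifest: Dict[str, str], advisories: List[Advisory]) -> List[dict]:
    """Match pinned dependencies against advisories; one finding per affected pair."""
    by_lib: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_lib.setdefault(adv.library, []).append(adv)
    findings = []
    for name, version in sorted(manifest.items()):
        for adv in by_lib.get(name, []):
            if parse_semver(version) < parse_semver(adv.affected_below):
                findings.append({
                    "library": name, "version": version, "cve": adv.cve,
                    "exploit_public": adv.exploit_public, "fix": adv.fixed_in,
                    "bump": bump_kind(version, adv.fixed_in),
                })
    return findings


def prioritize(findings: List[dict]) -> List[dict]:
    """Public exploit first; then flaws with no CVE, which CVE-driven scanners miss."""
    return sorted(findings, key=lambda f: (not f["exploit_public"],
                                           f["cve"] is not None, f["library"]))


def summarize(findings: List[dict]) -> dict:
    """Percentages of the kind the research reports, computed over the findings."""
    n = len(findings)

    def pct(k: int) -> float:
        return round(100.0 * k / n, 1) if n else 0.0

    return {
        "flawed": n,
        "exploit_public_pct": pct(sum(f["exploit_public"] for f in findings)),
        "no_cve_pct": pct(sum(f["cve"] is None for f in findings)),
        "small_update_pct": pct(sum(f["bump"] in ("patch", "minor") for f in findings)),
    }


# Constructed sample manifest: hypothetical library names and versions.
MANIFEST = {
    "left-util": "1.4.2",
    "fastparse": "2.0.9",
    "tmplkit": "0.9.1",
    "httpx-lite": "3.2.0",
}

# Constructed sample advisories; "CVE-0000-000x" are placeholders, not real CVE IDs.
ADVISORIES = [
    Advisory("left-util", "1.4.5", "1.4.5", cve="CVE-0000-0001", exploit_public=True),
    Advisory("fastparse", "2.1.0", "2.1.0", cve="CVE-0000-0002"),
    Advisory("tmplkit", "1.0.0", "1.0.0", cve=None),        # fixed upstream, never got a CVE
    Advisory("httpx-lite", "3.1.0", "3.1.0", cve="CVE-0000-0003"),  # manifest is past the fix
]

if __name__ == "__main__":
    found = triage(MANIFEST, ADVISORIES)
    for f in prioritize(found):
        print(f"{f['library']} {f['version']}: cve={f['cve']} exploit={f['exploit_public']} "
              f"fix={f['fix']} ({f['bump']} bump)")
    print(summarize(found))
```

On the constructed input, `httpx-lite` drops out because the pinned version is already past the fix, `left-util` goes to the top because exploit code is public, and `tmplkit` is ranked next because it has no CVE and would be invisible to a CVE-only scanner even though it needs a major-version upgrade to fix.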

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Silviu STAHIE. Read the original post at:
