Veracode: Open-source libraries cause security flaws in 70% of apps

Research from Veracode suggests that 70 percent of apps have security flaws due to their use of open-source libraries.

The application security firm set out to determine the risk one flawed library can pose to software. For its The State of Software Security (SOSS): Open Source Edition report, Veracode analysed 351,000 libraries across the Veracode platform database of 85,000 applications.
On an initial scan, 70 percent of applications were found to have a security flaw resulting from the use of an open-source library.
Chris Eng, Chief Research Officer at Veracode, said:
“Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies.
In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure.”
Other key findings in the report include:
  • Around 47 percent of flawed libraries end up in code through being pulled in by upstream libraries.
  • Most flaws in libraries can be fixed with a minor version update, major upgrades are not usually required.
  • More than 61% of flawed libraries in JavaScript contain vulnerabilities without corresponding Common Vulnerabilities and Exposures (CVEs).
Not all programming languages are affected equally. Veracode found that the majority of libraries are transitive dependencies in more than 80 percent of JavaScript, Ruby, and PHP applications.
PHP libraries pose a higher risk; with a greater than 50% chance of having a security flaw.
You can find a full copy of Veracode’s report here.

Comments

Post a Comment

Popular posts from this blog

Making open source JavaScript pay

Image
Money isn’t everything to the success of the most popular JavaScript frameworks. Or is it? Looking at the  2019 State of JavaScript report , something stands out: Money apparently can’t buy everything. Or, at least, not every major front-end and back-end programming framework is sponsored by a big company. Sure, we have Google to thank for  Angular , and Facebook gets credit for  React , but what about  Vue.js ? Or Gatsby? Or Next.js? While these (and other) open source projects do seem to suggest a future without Big Corps shoveling Big Money into open source, the reality is a bit more nuanced. For the developers looking to pay their way through open source, however, reality isn’t nuanced at all. For every Vue.js founder  Evan You making $16,000 per month with Patreon contributions , there are thousands of developers struggling to scrape together $16 for the important open source work they’re doing. [  Also on InfoWorld: 15 great alternatives to React, Angular, and Vue  ]
Read more

How artificial intelligence is making the education system more relevant?

Image
Digital learning solutions equipped with artificial intelligence are making revolutionary changes to the way education is imparted in students with varied interests and capabilities. When we think of artificial intelligence, there is a hardwired imagery of gigantic thinking machines working in sci-fi environment. This imagery often comes from the science fiction that we have been watching or reading since childhood. However, deep diving suggests that artificial intelligence is an advanced form of algorithm that empowers machines to emulate human behavior under real life situations. Today, there is no industry untouched by the ripples caused by artificial intelligence. Education sets the foundation of human behavior. Educational ecosystem is formed by knowledge base, teaching skills and experience, learning capability, and evolving teaching methods. Digital learning solutions equipped with artificial intelligence are making revolutionary changes to the way education is im
Read more

Open-source software tracks neural activity in real time

Image
The tool, called CaImAn, replaces the process of manually tracking the location and activity of neurons Tracking the firings of individual neurons is like trying to discern who is saying what in a football stadium full of screaming fans. Until recently, neuroscientists have had to tediously track each neuron by hand. "People spent more time analyzing their data to extract activity traces than actually collecting it," says Dmitri Chklovskii, who leads the neuroscience group at the Center for Computational Biology (CCB) at the Flatiron Institute in New York City. A breakthrough software tool called CaImAn automates this arduous process using a combination of standard computational methods and machine-learning techniques. In a paper published in the journal  eLife  in January, the software's creators demonstrate that CaImAn achieves near-human accuracy in detecting the locations of active neurons based on calcium imaging data. CaImAn (an abbreviation of c
Read more