Veracode: Open-source libraries cause security flaws in 70% of apps

Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he's probably into it. Find him on Twitter (@Gadget_Ry) or Mastodon.

Research from Veracode suggests that 70 percent of apps have security flaws due to their use of open-source libraries.

The application security firm set out to determine the risk that a single flawed library can pose to software. For its State of Software Security (SOSS): Open Source Edition report, Veracode analysed 351,000 libraries across the Veracode platform database of 85,000 applications.

On an initial scan, 70 percent of applications were found to have a security flaw resulting from the use of an open-source library.

Chris Eng, Chief Research Officer at Veracode, said:

“Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies.

In reality, developers are introducing much more code, but if they are aware and apply fixes appropriately, they can reduce risk exposure.”

Other key findings in the report include:

  • Around 47 percent of flawed libraries end up in code through being pulled in by upstream libraries.
  • Most flaws in libraries can be fixed with a minor version update; major upgrades are not usually required.
  • More than 61 percent of flawed libraries in JavaScript contain vulnerabilities without corresponding Common Vulnerabilities and Exposures (CVEs).

Not all programming languages are affected equally. Veracode found that the majority of libraries are transitive dependencies in more than 80 percent of JavaScript, Ruby, and PHP applications.
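The report's distinction between libraries a developer adds deliberately and libraries that arrive through upstream dependencies, and its observation that most fixes are minor version bumps, can be checked mechanically against a lockfile. The following is an added illustration, not Veracode's tooling or data: it walks a constructed lockfile-shaped dependency graph from the application root, labels each library with a known flaw as direct or transitive, names the direct dependency that pulled it in, and classifies the fix as a patch, minor or major bump under semantic versioning. The graph and advisory table are constructed sample values, not real packages or CVEs.

```python
"""Classify flawed libraries in a dependency graph as direct or transitive
and decide whether the fix is a patch, minor or major version bump.
Added illustration: the graph and advisories are constructed sample data."""
from collections import deque

# Constructed dependency graph in the shape of a lockfile:
# package name -> (installed version, [direct dependencies of that package]).
SAMPLE_GRAPH = {
    "app": ("1.0.0", ["web-framework", "logger"]),
    "web-framework": ("2.3.1", ["template-engine", "http-parser"]),
    "logger": ("1.4.0", []),
    "template-engine": ("0.9.2", ["string-utils"]),
    "http-parser": ("3.0.0", []),
    "string-utils": ("1.1.0", []),
}

# Constructed advisories: package name -> first version that contains the fix.
# These are placeholders, not real advisories or CVE identifiers.
SAMPLE_ADVISORIES = {
    "logger": "1.4.2",
    "string-utils": "1.2.0",
    "http-parser": "4.0.0",
}


def parse_version(version):
    """'1.4.2' -> (1, 4, 2); assumes plain MAJOR.MINOR.PATCH strings."""
    return tuple(int(part) for part in version.split("."))


def fix_kind(installed, fixed_in):
    """Return 'none', 'patch', 'minor' or 'major' depending on which
    semver component has to move to reach the fixed version."""
    cur, fix = parse_version(installed), parse_version(fixed_in)
    if fix <= cur:
        return "none"          # already at or past the fixed version
    if cur[0] != fix[0]:
        return "major"
    if cur[1] != fix[1]:
        return "minor"
    return "patch"


def find_paths(graph, root):
    """Breadth-first walk from root; returns name -> shortest path (list of
    names) from the root to every reachable package. A package reachable
    through several routes is reported along the first (shortest) one."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for dep in graph[current][1]:
            if dep not in paths:
                paths[dep] = paths[current] + [dep]
                queue.append(dep)
    return paths


def assess(graph, advisories, root="app"):
    """For every advisory that matches an installed package, record whether
    it is a direct dependency of the root, which direct dependency carried
    it in if not, the path to it, and the kind of version bump that fixes it."""
    paths = find_paths(graph, root)
    report = {}
    for name, fixed_in in advisories.items():
        if name not in paths:
            continue               # not installed in this application
        path = paths[name]
        direct = len(path) == 2    # root -> package, nothing in between
        report[name] = {
            "installed": graph[name][0],
            "fixed_in": fixed_in,
            "direct": direct,
            "via": None if direct else path[1],
            "path": " -> ".join(path),
            "fix": fix_kind(graph[name][0], fixed_in),
        }
    return report


def transitive_share(report):
    """Fraction of flawed libraries that arrived through upstream libraries."""
    if not report:
        return 0.0
    return sum(1 for entry in report.values() if not entry["direct"]) / len(report)


if __name__ == "__main__":
    result = assess(SAMPLE_GRAPH, SAMPLE_ADVISORIES)
    for name, entry in result.items():
        origin = "direct" if entry["direct"] else f"transitive via {entry['via']}"
        print(f"{name} {entry['installed']} -> {entry['fixed_in']} "
              f"({entry['fix']} bump, {origin}): {entry['path']}")
    print(f"transitive share: {transitive_share(result):.0%}")
```

On the sample graph two of the three flawed libraries are transitive, both pulled in through the same direct dependency, and one of them needs a major bump. A real lockfile may record the same package at several versions or reachable along several routes; this walk reports only the shortest route, which is enough to identify the direct dependency that owns the fix.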

PHP libraries pose a higher risk, with a greater than 50 percent chance of having a security flaw.

You can find a full copy of Veracode’s report here.

