It has been reported that 79% percent of the time, third-party libraries are never updated by developers after being included in a codebase – despite the fact that more than two thirds of fixes are minor and non-disruptive to the functionality of even the most complex software applications. The research, from Veracode, also found that 92% of open source library flaws can be fixed with an update, and 69% of updates are only a minor version change or smaller. Open source libraries constantly evolve, so what appears secure today may no longer be so tomorrow, potentially creating a significant security risk for software vendors and users.
<p>The Veracode report highlights a trend we’ve seen portrayed in multiple industry reports, including the <a href=\"https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUWNYhtANfDiYPmZK58oMo9lwFgCsqyBN60E28eVKvVJHXW071IYcuIXHqNnWkfHhOtkwHGXP5NnKfPwaB7er2zPw7Si3-2FpFH4iKTrOK1-2BT-2BIxUsr3ZePY4oMSWRlRowlmisu-2Ffx2JgUUkxzxit8V7fM2cOX5QqDc6DvnLcmiF1lkO9Xuqy2zTuemzf29f1VAuQ-3D-3DXsd2_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7K-2Bw26wspumVv2xNKnDUQkdt3Q1XYPz1r7GThSe9qG-2FoPjCIPwVPmfxZx8sir83YzFoTaonDsLYf1ku-2BDvUaXQqra6IsNNQQjm8FMnkxmxiwiJdSpHBzVeu-2BHtd1hNkbFxfzKDXGT1-2BqJihCDFfGmaazE-2F0-2BKa-2F5Nb-2BCiqpq9VvGIFu8HDI-2F4OHiktZe-2F2-2Bdtax-2FsQH35Ja6VfkX4vKZArIsB43za5yJ4dxaBYe2pMtFn5mw-2Fr93bK4K0AhmPxqvP\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https://www.google.com/url?q=https://u7061146.ct.sendgrid.net/ls/click?upn4tNED-2FM8iDZJQyQ53jATUWNYhtANfDiYPmZK58oMo9lwFgCsqyBN60E28eVKvVJHXW071IYcuIXHqNnWkfHhOtkwHGXP5NnKfPwaB7er2zPw7Si3-2FpFH4iKTrOK1-2BT-2BIxUsr3ZePY4oMSWRlRowlmisu-2Ffx2JgUUkxzxit8V7fM2cOX5QqDc6DvnLcmiF1lkO9Xuqy2zTuemzf29f1VAuQ-3D-3DXsd2_S3RA1gMvL7v1TdZrqvF2X48vY2LyH9KYdxKxBaPFp6Fl1TEEsXDQbgk-2FWPw9Ah5nwh5z3HPLIw79cePUeHvYGbACtpGEOUo9gKA7RdPV7CHYnRZ1BgjoepqPsAq5T4X7K-2Bw26wspumVv2xNKnDUQkdt3Q1XYPz1r7GThSe9qG-2FoPjCIPwVPmfxZx8sir83YzFoTaonDsLYf1ku-2BDvUaXQqra6IsNNQQjm8FMnkxmxiwiJdSpHBzVeu-2BHtd1hNkbFxfzKDXGT1-2BqJihCDFfGmaazE-2F0-2BKa-2F5Nb-2BCiqpq9VvGIFu8HDI-2F4OHiktZe-2F2-2Bdtax-2FsQH35Ja6VfkX4vKZArIsB43za5yJ4dxaBYe2pMtFn5mw-2Fr93bK4K0AhmPxqvP&source=gmail&ust=1624731001939000&usg=AFQjCNE5XAsPvGMRdjjHV9w0K2XPTQVo8w\">OSSRA</a> report – keeping up with open source updates requires attention. Unfortunately, the Veracode report places responsibility for open source patch management on development teams rather than identifying the root causes of obsolete component usage.</p>
<p>One major contributing factor perpetuating obsolete component usage is that development teams are measured based on feature output. This then implies that maintaining a stable foundation of libraries ensures that any code changes are localised to the efforts of the product team and are not by-products of functional changes within libraries. Put another way, changes in updated libraries introduce risk to delivery schedules due to the potential for functional changes that break features.</p>
<p>Resolving this scenario is simple – when a library is approved for usage, an update strategy for that library needs to be defined which specifies the conditions an update might be optional and when it becomes required. Implementing such a process allows development teams to better plan their activities without updates becoming continuous unplanned work. This is a situation where tooling matters, but process matters more and where open source updates need to be part of a comprehensive patch management strategy that extends beyond updating source code, but having awareness of where unpatched code exists throughout the business.</p>