The Risks of Using Vulnerable Third-Party Libraries

In today’s fast-paced software development environment, leveraging third-party libraries and open-source components has become common practice. These resources can significantly speed up development and reduce costs by allowing developers to build on existing, tested code. However, this approach comes with its own set of challenges. One major concern is the risk associated with vulnerable third-party libraries. According to assessments conducted by Synopsys in 2022, a notable 25% of the evaluations revealed the presence of such vulnerabilities. This issue directly relates to the OWASP Top 10 category A06:2021, which addresses the dangers of using vulnerable and outdated components. This category encompasses:

  • Lack of awareness regarding the versions of all components in use, including both client-side and server-side elements, as well as direct and nested dependencies. 
  • Use of software that is vulnerable, unsupported, or outdated, which includes operating systems, web/application servers, database management systems (DBMS), applications, APIs, runtime environments, and libraries. 
  • Failure to regularly scan for vulnerabilities and subscribe to security bulletins for the components in use. 
  • Delays in fixing or upgrading platforms, frameworks, and dependencies in a risk-based manner. This often occurs in environments where patching is performed monthly or quarterly, potentially leaving systems exposed to known vulnerabilities for extended periods. 
  • Lack of testing by software developers to ensure compatibility of updated, upgraded, or patched libraries.

Percentage of Total Test Targets

| Security Issue                                          | 2022 Percentage | 2021 Rank | 2020 Rank |
|---------------------------------------------------------|-----------------|-----------|-----------|
| Weak SSL/TLS Configuration                              | 70%             | 1         | 4         |
| Missing Content-Security-Policy Header                  | 43%             | -         | -         |
| Verbose Server Banners                                  | 37%             | -         | -         |
| Cacheable HTTPS Content                                 | 34%             | -         | -         |
| HTTP Strict Transport Security (HSTS) Not Implemented   | 34%             | 5         | 5         |
| Insecure Content-Security-Policy Header                 | 31%             | -         | -         |
| Weak Password Policy                                    | 28%             | 2         | 3         |
| Unmasked Nonpublic Information Data                     | 25%             | 6         | 7         |
| Vulnerable Third-Party Libraries in Use                 | 25%             | -         | -         |
| Excessive Session Timeout Duration                      | -               | -         | -         |

Figure 1. Top 10 Security Issues 2022

The use of open-source code has become very popular because it helps speed up software development by allowing developers to use existing, reliable code instead of creating new code from scratch. However, the Synopsys “Open Source Security and Risk Analysis” report shows that using open-source code can also introduce serious risks. The 2023 report found a huge increase in security problems with open-source code, and many businesses don’t fully understand their own code. 

The report notes a 557% rise in high-risk vulnerabilities in open-source code used in retail and eCommerce over the past five years. It also highlights that 91% of projects are using outdated open-source components without proper security updates. 

Because of frequent attacks on software supply chains, companies are paying more attention to software supply chain security. Many are now using automated tools to create a Software Bill of Materials (SBOM), which tracks all third-party and open-source software components. This increase in SBOM use and related security measures shows a shift towards better managing these risks. With many companies using hundreds of applications that depend on numerous third-party and open-source components, keeping an accurate and up-to-date SBOM is essential for effective management and security. 
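The following is an added example, not code from the original post or from any vendor's product, showing the kind of check an SBOM makes possible: it reads a small CycloneDX-style SBOM, compares each recorded library against an advisory feed, and reports components that are outdated, unsupported, or missing version information (the first three points of the A06:2021 list above). The SBOM contents and the advisory records (ids EXAMPLE-ADV-0001 and EXAMPLE-ADV-0002, the library names and the version numbers) are constructed placeholders, not real packages or real advisories.

```python
"""Inventory check for third-party libraries, driven by an SBOM.

Added example, not code from the original post or from any vendor tool.
The SBOM below is constructed in the CycloneDX JSON shape and the advisory
records are invented placeholders (ids EXAMPLE-ADV-*), used only to show the
matching logic that an SBOM-based scanner performs.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed SBOM (CycloneDX-style, subset of fields). The last component
# deliberately lacks a version to model an incomplete inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "json-parser", "version": "1.2.40"},
    {"type": "library", "name": "left-pad", "version": "2.0.1"},
    {"type": "library", "name": "old-http", "version": "0.9.3"},
    {"type": "library", "name": "crypto-util"}
  ]
}
"""

# Constructed advisory feed: name -> first version that contains the fix.
# A fixed_in of None models an unsupported component that has no fix at all.
ADVISORIES: Dict[str, Dict[str, Optional[str]]] = {
    "json-parser": {"id": "EXAMPLE-ADV-0001", "fixed_in": "1.2.83"},
    "old-http": {"id": "EXAMPLE-ADV-0002", "fixed_in": None},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted version such as '1.2.40' into a comparable tuple."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return the library components recorded in a CycloneDX-style SBOM."""
    bom = json.loads(sbom_json)
    return [c for c in bom.get("components", []) if c.get("type") == "library"]


def assess(components: List[Dict[str, str]],
           advisories: Dict[str, Dict[str, Optional[str]]]) -> List[Dict[str, str]]:
    """Classify each component as unknown-version, unsupported, outdated, or ok."""
    findings = []
    for comp in components:
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        advisory = advisories.get(name)
        if version is None:
            # A06 starts with not knowing what you run: flag it, do not guess.
            status, ref = "unknown-version", ""
        elif advisory is None:
            status, ref = "ok", ""
        elif advisory["fixed_in"] is None:
            status, ref = "unsupported", advisory["id"]
        elif parse_version(version) < parse_version(advisory["fixed_in"]):
            status, ref = "outdated", advisory["id"]
        else:
            status, ref = "ok", ""
        findings.append({"name": name, "version": version or "?",
                         "status": status, "advisory": ref})
    return findings


def needs_action(findings: List[Dict[str, str]]) -> List[str]:
    """Names of components that need an upgrade, a replacement, or an inventory fix."""
    return [f["name"] for f in findings if f["status"] != "ok"]


if __name__ == "__main__":
    results = assess(load_components(SBOM_JSON), ADVISORIES)
    for f in results:
        print(f"{f['name']:12} {f['version']:8} {f['status']:15} {f['advisory']}")
```

Run against a real SBOM, the advisory feed would come from a vulnerability database rather than an inline dictionary, and version comparison would need to follow each ecosystem's own rules (semantic versioning, Maven ranges, PEP 440); the point of the example is that none of this is possible until the SBOM itself is complete, which is why the "unknown-version" finding is treated as something to fix rather than ignored.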

#VulnerabilityManagement #MyOrbik #SoftwareSupplyChain