In today’s fast-paced software development environment, leveraging third-party libraries and open-source components has become common practice. These resources can significantly speed up development and reduce costs by allowing developers to build on existing, tested code. However, this approach brings its own challenges. One major concern is the risk associated with vulnerable third-party libraries: according to assessments conducted by Synopsys in 2022, 25% of the evaluated targets were found to be using such libraries. This issue maps directly to OWASP Top 10 category A06:2021, Vulnerable and Outdated Components, which covers:
- Lack of awareness regarding the versions of all components in use, including both client-side and server-side elements, as well as direct and nested dependencies.
- Use of software that is vulnerable, unsupported, or outdated, which includes operating systems, web/application servers, database management systems (DBMS), applications, APIs, runtime environments, and libraries.
- Failure to regularly scan for vulnerabilities and subscribe to security bulletins for the components in use.
- Delays in fixing or upgrading platforms, frameworks, and dependencies in a risk-based manner. This often occurs in environments where patching is performed monthly or quarterly, potentially leaving systems exposed to known vulnerabilities for extended periods.
- Lack of testing by software developers to ensure compatibility of updated, upgraded, or patched libraries.
Percentage of Total Test Targets

| Security Issue | 2022 Percentage | 2021 Rank | 2020 Rank |
|---|---|---|---|
| Weak SSL/TLS Configuration | 70% | 1 | 4 |
| Missing Content-Security-Policy Header | 43% | - | - |
| Verbose Server Banners | 37% | - | - |
| Cacheable HTTPS Content | 34% | - | - |
| HTTP Strict Transport Security (HSTS) Not Implemented | 34% | 5 | 5 |
| Insecure Content-Security-Policy Header | 31% | - | - |
| Weak Password Policy | 28% | 2 | 3 |
| Unmasked Nonpublic Information Data | 25% | 6 | 7 |
| Vulnerable Third-Party Libraries in Use | 25% | - | - |
| Excessive Session Timeout Duration | - | - | - |

Figure 1. Top 10 Security Issues 2022
The use of open-source code has become very popular because it helps speed up software development by allowing developers to use existing, reliable code instead of creating new code from scratch. However, the Synopsys “Open Source Security and Risk Analysis” report shows that using open-source code can also introduce serious risks. The 2023 report found a huge increase in security problems with open-source code, and many businesses don’t fully understand their own code.
The report notes a 557% rise in high-risk vulnerabilities in open-source code used in retail and eCommerce over the past five years. It also highlights that 91% of projects are using outdated open-source components without proper security updates.
Because of frequent attacks on software supply chains, companies are paying more attention to software supply chain security. Many are now using automated tools to create a Software Bill of Materials (SBOM), which tracks all third-party and open-source software components. This increase in SBOM use and related security measures shows a shift towards better managing these risks. With many companies using hundreds of applications that depend on numerous third-party and open-source components, keeping an accurate and up-to-date SBOM is essential for effective management and security.
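The A06 list above (knowing the versions of every direct and nested dependency, and actually scanning them against advisories) and the SBOM discussion come together in a check like the following. It is an added example written for this post, not code from Synopsys or from any SBOM tool: it reads a minimal, constructed CycloneDX-style SBOM, walks its dependency graph to tell direct from transitive components, and matches each component against a constructed advisory feed. All package names, versions and advisory IDs are placeholders, and version comparison is kept to plain dotted integers (pre-release suffixes are out of scope).

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM for a hypothetical app.
# Package names and versions are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app", "bom-ref": "app"}},
    "components": [
        {"type": "library", "bom-ref": "json-parser", "name": "example-json-parser", "version": "2.9.8"},
        {"type": "library", "bom-ref": "http-client", "name": "example-http-client", "version": "4.5.13"},
        {"type": "library", "bom-ref": "template-engine", "name": "example-template-engine", "version": "3.1.2"},
    ],
    # Dependency graph: the app uses two libraries directly; the template
    # engine is pulled in transitively by the HTTP client.
    "dependencies": [
        {"ref": "app", "dependsOn": ["json-parser", "http-client"]},
        {"ref": "http-client", "dependsOn": ["template-engine"]},
        {"ref": "json-parser", "dependsOn": []},
        {"ref": "template-engine", "dependsOn": []},
    ],
})

# Constructed advisory feed. The IDs are placeholders, not real CVE numbers.
# "fixed": None means no patched release exists yet.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "example-json-parser",
     "introduced": "2.0.0", "fixed": "2.9.10", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002", "package": "example-http-client",
     "introduced": "4.0.0", "fixed": "4.5.0", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-003", "package": "example-template-engine",
     "introduced": "3.0.0", "fixed": None, "severity": "critical"},
]


def parse_version(version):
    """Turn '2.9.10' into (2, 9, 10) so that versions compare numerically.

    A plain string comparison would wrongly rank '2.9.8' above '2.9.10'.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """A component is affected when introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is None:          # vulnerable and no fix available
        return True
    return v < parse_version(fixed)


def direct_refs(bom):
    """Return the bom-refs the application itself depends on (first level only)."""
    root = bom["metadata"]["component"]["bom-ref"]
    for entry in bom.get("dependencies", []):
        if entry["ref"] == root:
            return set(entry.get("dependsOn", []))
    return set()


def find_vulnerable_components(sbom_json, advisories):
    """Match every library in the SBOM against the advisory feed.

    Returns one finding per (component, advisory) pair, flagging whether the
    component is a direct dependency or was pulled in transitively.
    """
    bom = json.loads(sbom_json)
    direct = direct_refs(bom)
    findings = []
    for comp in bom.get("components", []):
        if comp.get("type") != "library":
            continue
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                    "direct": comp["bom-ref"] in direct,
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        scope = "direct" if f["direct"] else "transitive"
        fix = f["fixed_in"] or "no fix released"
        print(f"[{f['severity']}] {f['component']} {f['version']} ({scope}): "
              f"{f['advisory']}, fixed in {fix}")
```

Run against the embedded sample, the script reports the JSON parser (a direct dependency, fixable by upgrading) and the template engine (transitive, with no fix yet); the HTTP client is already past its fixed version and is not flagged. The transitive flag matters in practice because a component you never listed in your own manifest still ships with the application, and the "no fix" case is the one that needs a risk-based decision rather than a routine upgrade.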
#VulnerabilityManagement #MyOrbik #SoftwareSupplyChain