New research from Veracode found that most applications use open-source libraries that carry vulnerabilities, but the distribution of such libraries depends on the programming language used.
Open-source libraries are ubiquitous, and their use is not limited to open-source apps. In fact, most available apps contain open-source libraries, even when they come from private companies and are sold as proprietary software.
The researchers didn’t just look at the prevalence of some dependencies, but at how safe they actually are. One method is to check which one of the existing libraries already has exploits with public proof-of-concept demonstrations.
PHP takes first place, as 27% of its flawed libraries also have published exploit code. Java follows with 15.7%, and .NET with 14.2%. Equally interesting is that not all vulnerable libraries have CVEs attached to them, which means there is no effort to fix their flaws.
The research also shows that 71% of the 85,000 apps investigated include libraries with flaws. Moreover, almost all scanned applications have an unfixed flaw in an external library. Fortunately, it looks like most of the fixes needed are minor and would not break functionality in the apps using them, with 73.8% of the libraries needing only a small update.
The good news that comes out of the research is that over 90% of the highest-priority security flaws have a fix available today.