Eighty percent of the code in modern software is not written directly by the developers building the application. It’s “borrowed” through open source dependencies. A handful of those open source packages are directly selected by developers, but the vast majority of that code is “transitive dependencies” – automatically brought in by each open source package.
Security and development teams have little to no visibility into the risks those transitive dependencies bring with them. “The State of Dependency Management,” the inaugural report from Station 9, the research initiative launched by Endor Labs, explores this critical issue in depth.
Most importantly, the research revealed that almost all vulnerabilities identified – a remarkable 95% – are indeed found in transitive dependencies. These are specifically the open source code packages indirectly pulled into projects without the developers’ approval or even knowledge.
Compounding the problem, because there’s little awareness of how and where this code is used, developers find it difficult to identify and mitigate these vulnerabilities. This undermines the very benefit promised by open source software (OSS) code – that it allows developers to create new capabilities without reinventing the wheel.
The headache for developers is also a blessing for the bad guys: many cybercriminals launch attacks on the software supply chain specifically to exploit these vulnerabilities. Meanwhile, many existing tools for dealing with the issue can only find known dangers, which leaves many threats unaddressed.
The report shows that it is hard even to identify which projects are the most critical. Endor Labs Station 9 analyzed two of the best-known efforts in this area, Census II and OpenSSF Criticality Scores, and the results are worrisome: three-quarters of the packages in Census II have a Criticality Score of less than 0.64, meaning it’s anything but straightforward to develop an algorithm for determining criticality. Each organization consuming open source must develop its own definition based on its requirements and risk tolerance.
The report then further breaks down the complexity of dependency management and vulnerability prioritization in open source packages by demonstrating the following:
- Relying on security metrics such as known vulnerabilities and CVSS scores is not enough, as patches have as much as a 44% chance of creating a breaking change. Operational risk must also be considered.
- Many of the most popular packages that were analyzed had their latest release over five years ago. Fifty percent didn’t have a release in the last year. Metrics around quality, community support, and commit activity are crucial in determining risk.
- New is not always secure: The latest version of 32% of the analyzed packages still had known vulnerabilities.
In sum, there’s too much security noise; next-gen supply chain attacks feature threats that existing tools do not identify; and maintenance is an undeniable nightmare.
Moving forward, among other strategies, the industry needs to identify and remove bloated dependencies to reduce build times, maintain a complete software inventory across the enterprise, and adopt risk-based dependency selection to reduce future threats.
To identify the most serious problems in this area, Endor Labs’ Station 9 team analyzed nearly 2,000 of the most widely used OSS code packages deployed within applications in both the private and public sectors.