
Volume 318, Issue 3 · IT News · FOSS

Trends And Dangers In Open-Source Software Dependencies

HelpNet Security, Monday, September 16th, 2024

A C-suite perspective on potential vulnerabilities within open-source dependencies or software packages reveals that, while remediation costs for dependency risks are perilously high, function-level reachability analysis still offers the best value in this critical area, according to Endor Labs.

The research is based on analysis of Endor Labs vulnerability data, the Open Source Vulnerabilities (OSV) database for comparison, information from customer tenants, and Java Archives (JARs) of hundreds of versions of the top 15 open source dependencies to compute breaking changes.

'A lot of organizations are struggling with managing dependency risks. They're drowning in vulnerability alerts, many of which don't represent relevant risk; researching the alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive. Research shows that analysis-based vulnerability prioritization has become a critical capability because of this, and highlights other trends and challenges related to dependency management,' said Darren Meyer, staff research engineer at Endor Labs.
