Hidden dependencies pose unseen risks in modern software systems, says report
Function-level analysis slashes unnecessary vulnerability fixes by 90%
Advisory delays leave systems exposed to potential exploitation

As organizations increasingly rely on third-party components and open source libraries to accelerate development processes, experts have warned that addressing the security risks associated with these dependencies has become a significant priority.
Endor Labs' 2024 Dependency Management Report explores the evolving challenges in managing software dependencies and vulnerabilities, and its analysis of seven programming languages (Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala) found fewer than 9.5% of vulnerabilities in 2024 were considered "real threats".
"A lot of organizations are struggling with managing dependency risks," noted Darren Meyer, staff research engineer at Endor Labs. "They're drowning in vulnerability alerts, many of which don't represent relevant risk; researching the alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive."
Dependency management

Managing dependencies is not a simple task, as most software projects rely on multiple layers of dependencies, including first-party code libraries, frameworks, and operational dependencies that support production environments, creating a web of interconnected components; any vulnerability within this web could expose an organization to significant security risks.
The use of third-party components, particularly open source software, is a common practice in modern software development because it reduces the time developers need to spend writing foundational code, offering pre-built functionalities that accelerate development cycles. It also brings unique security challenges, however, due to vulnerabilities in these external components.
Many security issues stem from "phantom dependencies," hidden components that are not explicitly documented in the software's code and can introduce vulnerabilities that traditional tools fail to detect.
These vulnerabilities aren't helped by the fact that nearly 70% of advisories issued by vulnerability management platforms, such as NIST's NVD, are published after the corresponding security patch is released, with a median delay of 25 days.
Endor also claims that almost half of the advisories in public vulnerability databases lack code-level details, while only 2% provide function-specific vulnerability information, making it difficult for security teams to determine whether known vulnerabilities can be exploited in their applications.
In addition, Endor's analysis of 1,250 updates from vulnerable to non-vulnerable versions shows that 24% of fixes require a major version update, while 6% of vulnerabilities could be fixed with minor or patch-level updates.
Endor therefore argues that not all vulnerabilities pose the same level of risk, with organizations being advised to focus on the most reachable and exploitable vulnerabilities, as only about 9.5% of vulnerabilities in dependencies are exploitable at the function level.
Reachability analysis, which determines whether a vulnerable function in a dependency is called by the application's code, emerges as one of the most effective methods for reducing the noise in vulnerability reporting. By focusing on vulnerabilities that have a clear path to being exploited, organizations can reduce their remediation efforts by nearly 90%, according to the report.
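To make the function-level triage described above concrete, here is an added illustration (not Endor Labs' tooling or code) of reachability analysis over a small constructed call graph. It walks from the application's entry points and classifies each advisory as reachable, unreachable, or needing review when, as the report says is common, the advisory carries no function-level detail. All package, function and advisory names are hypothetical.

```python
"""Function-level reachability triage over a call graph (added example)."""
from collections import deque

# Constructed call graph: caller -> set of callees. All names are hypothetical.
CALL_GRAPH = {
    "app.main": {"app.handle_upload", "app.render"},
    "app.handle_upload": {"imglib.decode", "util.log"},
    "app.render": {"tmpl.render"},
    "imglib.decode": {"imglib.parse_header", "zlib.inflate"},
    "tmpl.render": {"tmpl.escape"},
}

# Constructed advisories. Only some carry function-level detail; an empty
# "affected_functions" set models the package-level-only advisories the report
# says make up the large majority of public database entries.
ADVISORIES = [
    {"id": "ADV-0001", "package": "imglib", "affected_functions": {"imglib.parse_header"}},
    {"id": "ADV-0002", "package": "tmpl", "affected_functions": {"tmpl.unsafe_eval"}},
    {"id": "ADV-0003", "package": "zlib", "affected_functions": set()},
]


def reachable_functions(graph, entry_points):
    """Breadth-first walk from the application's entry points; returns every function reached."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, ()))
    return seen


def triage(graph, entry_points, advisories):
    """Map each advisory id to 'reachable', 'unreachable' or 'needs-review'."""
    reached = reachable_functions(graph, entry_points)
    verdicts = {}
    for adv in advisories:
        funcs = adv["affected_functions"]
        if funcs:
            verdicts[adv["id"]] = "reachable" if funcs & reached else "unreachable"
        else:
            # No code-level detail: fall back to package-level reachability and
            # hand anything that is reached to a human rather than auto-dismissing it.
            pkg_used = any(f.split(".", 1)[0] == adv["package"] for f in reached)
            verdicts[adv["id"]] = "needs-review" if pkg_used else "unreachable"
    return verdicts


if __name__ == "__main__":
    for adv_id, verdict in triage(CALL_GRAPH, ["app.main"], ADVISORIES).items():
        print(adv_id, verdict)
```

Swapping the constructed graph for one produced by a real static call-graph tool is the only change needed to apply the same triage to an actual codebase.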
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products.