According to a new report, patches deployed for dependency vulnerabilities result in breakages 75% of the time. Minor updates break clients 94% of the time, and version upgrades cause breakages 95% of the time.
Software dependencies, which are external code or libraries needed for a project to function properly, are challenging to manage during application development. Fixing a vulnerability in a dependency requires a major version update 24% of the time.
The authors of the 2024 Dependency Management Report from Endor Labs, a software supply chain security company, suggest that upgrading to a non-vulnerable version of the dependency seems like a simple solution. However, this can lead to compatibility issues and regressions that break an application during development.
Endor Labs researchers analyzed vulnerability data from various sources to understand trends in software dependency management for the report.
Despite making programming more accessible, artificial intelligence libraries are adding to the challenges of managing dependency vulnerabilities. The report found that vulnerability reporting in AI libraries is inconsistent, with discrepancies of up to 10% between public advisory databases.
Phantom dependencies, which are hidden or undeclared libraries in an application’s code, are more prevalent in AI and machine learning software projects. These projects are often written in Python, a language known for allowing dynamic package installations that bypass manifest files.
While phantom dependencies were a significant part of the dependency footprint for only 27% of the businesses analyzed, over 56% of this group reported vulnerabilities in their phantom dependencies.
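A phantom dependency is, by definition, one that a manifest-based scanner never sees, so the practical check is to compare what the code actually imports against what the manifest declares. The following is an added example, not code from the Endor Labs report: it statically parses a Python file, lists the imported top-level modules, subtracts the standard library, local modules and the packages declared in a requirements-style manifest, and separately flags calls whose string arguments spell out a runtime `pip install`, which is the bypass pattern the report describes. The sample source, manifest and the distribution-to-module name mapping are constructed for illustration.

```python
"""Phantom-dependency check for a Python project: imports that appear in the
source but not in the manifest. Added example, not code from the Endor Labs
report; the sample source, manifest and name mapping are constructed."""
import ast
import re
import sys

# Manifest (distribution) name -> importable module name, for common cases
# where the two differ. Constructed, deliberately partial mapping.
DIST_TO_MODULE = {
    "pyyaml": "yaml",
    "scikit-learn": "sklearn",
    "pillow": "PIL",
    "beautifulsoup4": "bs4",
}

# Leading project name of a requirements.txt line, e.g. "numpy==1.26.4".
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
# Heuristic for a runtime "pip install ..." invocation built from literals.
_PIP_INSTALL = re.compile(r"\bpip3?\b.*\binstall\b")

# Python 3.10+ ships the stdlib module list; small fallback for older runtimes.
_STDLIB = getattr(sys, "stdlib_module_names",
                  frozenset({"os", "sys", "json", "re", "subprocess", "ast"}))


def declared_modules(manifest_text: str) -> set[str]:
    """Module names that a requirements-style manifest declares."""
    names: set[str] = set()
    for line in manifest_text.splitlines():
        line = line.split("#", 1)[0]            # drop trailing comments
        match = _REQ_LINE.match(line)
        if match:
            dist = match.group(1).lower()
            names.add(DIST_TO_MODULE.get(dist, dist.replace("-", "_")))
    return names


def imported_modules(source: str) -> set[str]:
    """Top-level module names imported anywhere in the source (static imports)."""
    mods: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])  # level > 0 is a relative import
    return mods


def _string_literals(node: ast.AST) -> list[str]:
    """String constants in a call argument, descending into list/tuple literals."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return [node.value]
    if isinstance(node, (ast.List, ast.Tuple)):
        return [s for elt in node.elts for s in _string_literals(elt)]
    return []


def dynamic_installs(source: str) -> list[str]:
    """Calls whose literal arguments spell out a pip install (e.g. via subprocess)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            text = " ".join(s for arg in node.args for s in _string_literals(arg))
            if _PIP_INSTALL.search(text):
                hits.append(text)
    return hits


def phantom_dependencies(source: str, manifest_text: str,
                         local_modules: frozenset[str] = frozenset()) -> set[str]:
    """Imported modules that are neither stdlib, nor local, nor declared."""
    return (imported_modules(source) - _STDLIB - local_modules
            - declared_modules(manifest_text))


# Constructed sample: an ML script that installs torch at runtime and never declares it.
SAMPLE_SOURCE = '''
import os, json
import numpy as np
from sklearn.model_selection import train_test_split
import yaml
import subprocess
subprocess.check_call(["pip", "install", "torch"])
import torch
'''
SAMPLE_MANIFEST = """
numpy==1.26.4
scikit-learn>=1.4  # training
PyYAML
"""

if __name__ == "__main__":
    print("phantom:", sorted(phantom_dependencies(SAMPLE_SOURCE, SAMPLE_MANIFEST)))
    print("runtime installs:", dynamic_installs(SAMPLE_SOURCE))
```

On the sample, `torch` is reported as phantom and the `subprocess.check_call` line is reported as a runtime install. The check is static, so it misses imports done through `importlib` with computed names and shell-escape installs in notebooks; its value is as a cheap CI gate that fails when the import set and the manifest drift apart, which is exactly the condition under which a manifest-only vulnerability scan under-reports.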
The report highlights that a quarter of advisories contain incorrect or incomplete data, leading to false positives and false negatives. Additionally, nearly half of public vulnerability databases across various ecosystems lack code-level vulnerability information.
Identifying connections between apps and vulnerabilities within their dependencies is a technical challenge but crucial for security professionals to assess risks. The report revealed that over 90.5% of open-source dependency vulnerabilities in various languages are not exploitable at the function level.
Darren Meyer, a staff research engineer at Endor Labs, stated that organizations are burdened with vulnerability alerts that do not represent actual risk, making research and remediation costly.
Updating dependencies to non-vulnerable versions significantly reduces the number of relevant vulnerabilities. For instance, updating the top 20 Python components can eliminate more than 75% of vulnerability findings, with similar reductions for Java and npm.
By filtering out vulnerabilities that are not reachable and that have a low EPSS score, security professionals can reduce the number of vulnerabilities they need to monitor. Combining this with filters for fix availability and for test-code scope can greatly reduce remediation costs.
The authors of the report suggest that prioritizing vulnerabilities based on EPSS data can be highly effective, saving costs for vulnerability analysis in organizations.
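The filtering the report recommends is simple to express as an ordered funnel, and seeing the count drop at each stage is what makes the cost argument concrete. The following is an added example, not code from the Endor Labs report: it applies reachability, an EPSS cut-off, fix availability and test-only scope in turn to a set of findings, reports how many survive each stage, and keeps reachable high-EPSS findings without a fix on a separate list, since filtering them out of the upgrade queue does not make them safe. The `Finding` fields, the EPSS threshold of 0.1 and the findings themselves (with placeholder `EXAMPLE-` identifiers) are constructed assumptions.

```python
"""Triage funnel for dependency vulnerability findings: reachability, EPSS,
fix availability, then test-only scope. Added example, not code from the
Endor Labs report; field names, the EPSS cut-off and the findings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str         # placeholder identifier, not a real advisory id
    package: str
    reachable: bool      # vulnerable function reachable from application code
    epss: float          # EPSS probability of exploitation, 0.0 to 1.0
    fix_available: bool  # a non-vulnerable version exists to upgrade to
    test_only: bool      # dependency is used only by test code


EPSS_THRESHOLD = 0.1  # assumed cut-off; tune to the organisation's risk appetite


def apply_filters(findings, epss_threshold=EPSS_THRESHOLD):
    """Apply the four filters in order.

    Returns (remaining, funnel): the findings still worth remediating, sorted by
    EPSS descending, and a dict mapping each stage to the count left after it.
    """
    stages = [
        ("total", lambda f: True),
        ("reachable", lambda f: f.reachable),
        ("epss_at_or_above_threshold", lambda f: f.epss >= epss_threshold),
        ("fix_available", lambda f: f.fix_available),
        ("not_test_only", lambda f: not f.test_only),
    ]
    remaining = list(findings)
    funnel = {}
    for name, keep in stages:
        remaining = [f for f in remaining if keep(f)]
        funnel[name] = len(remaining)
    remaining.sort(key=lambda f: f.epss, reverse=True)
    return remaining, funnel


def unfixable_reachable(findings, epss_threshold=EPSS_THRESHOLD):
    """Reachable, high-EPSS findings with no fix: out of the upgrade queue,
    but they need their own mitigation or monitoring track."""
    return [f for f in findings
            if f.reachable and f.epss >= epss_threshold and not f.fix_available]


def reduction_percent(funnel) -> float:
    """Share of the original findings that the filters removed."""
    return 100.0 * (1 - funnel["not_test_only"] / funnel["total"])


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", "pkg-a", True,  0.60, True,  False),
    Finding("EXAMPLE-0002", "pkg-b", False, 0.90, True,  False),  # not reachable
    Finding("EXAMPLE-0003", "pkg-c", True,  0.02, True,  False),  # low EPSS
    Finding("EXAMPLE-0004", "pkg-d", True,  0.30, False, False),  # no fix yet
    Finding("EXAMPLE-0005", "pkg-e", True,  0.50, True,  True),   # test code only
    Finding("EXAMPLE-0006", "pkg-f", True,  0.15, True,  False),
    Finding("EXAMPLE-0007", "pkg-g", False, 0.01, False, True),
    Finding("EXAMPLE-0008", "pkg-h", True,  0.80, True,  False),
]

if __name__ == "__main__":
    remaining, funnel = apply_filters(SAMPLE_FINDINGS)
    for stage, count in funnel.items():
        print(f"{stage:>28}: {count}")
    print("remediate now:", [f.vuln_id for f in remaining])
    print("park (no fix):", [f.vuln_id for f in unfixable_reachable(SAMPLE_FINDINGS)])
    print(f"reduction: {reduction_percent(funnel):.1f}%")
```

On the constructed sample the queue shrinks from eight findings to three, a 62.5% reduction, with `EXAMPLE-0004` parked rather than discarded. The order of the filters matters for the counts but not for the final set; it is chosen so the cheapest signal to compute (reachability and EPSS, which are data lookups) runs before the ones that require checking the package index or the build configuration.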