Endor Labs: Security Protocols Lag as Software Development Races Ahead
New research reveals a gap between the rapid pace of software development and the establishment of effective security protocols.
October 2, 2024
As software development races forward, a new report from Endor Labs reveals that security protocols are falling behind.
Open-source software is undoubtedly an invaluable resource—one of many reasons it constitutes most of the code in new applications. However, its transitive dependencies carry hidden risks, and most developers spend considerable time and other resources hunting those dependencies down, according to the 2024 Dependency Management Report. That battle is ongoing, and the security side of the equation is still running far behind.
That is literally true in some cases. For example, more than half (69%) of vulnerability advisories are published only after a patch release, and not even right after: there is a median delay of 25 days between the patch becoming available and the advisory being published. During that window attackers can learn of vulnerable systems while defenders have not yet been notified, leaving lengthy attack windows. The report makes clear that no organization should rely on public vulnerability databases alone to manage open-source dependencies.
The report also reveals that nearly half (47%) of all advisories in public vulnerability databases across six ecosystems (Go, Maven, NuGet, PyPI, RubyGems, and npm) contain no code-level vulnerability information, which makes it impossible for most organizations to identify known vulnerable functions in their applications. And it gets worse: not even 10% of these vulnerabilities are exploitable at the function level, meaning organizations waste time remediating vulnerabilities that have no impact on their codebase.
On the plus side, it is possible to cut security alert noise by 98% with programs that combine reachability analysis and the Exploit Prediction Scoring System (EPSS). That is a significant boost to productivity.
Ultimately, instead of tracking every potential problem, it is about prioritizing the most critical and reachable risks, which typically constitute less than 5% of all vulnerabilities. By focusing on these threats, organizations can balance a high level of security in the software dependency lifecycle with greater productivity in application development.
The Endor Labs Dependency Management Report explores how emerging trends in open-source security should guide the security strategies for the software development lifecycle. It analyzes how successful application security teams are at identifying dependencies, their vulnerabilities, and the biggest obstacles to remediating known vulnerabilities. The research analyzes Endor Labs vulnerability data, the Open-Source Vulnerabilities (OSV) database for comparison, information from Endor Labs customer tenants, and Java ARchives (JARs) of hundreds of versions of the top 15 open-source dependencies to compute breaking changes.
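The prioritization the report describes, combining function-level reachability with EPSS, as an added illustration that is not Endor Labs' code or data: the advisories, the call-graph results and the EPSS threshold are constructed sample values, and an advisory with no code-level (vulnerable-function) information is treated as "unknown" rather than silently dropped, since its reachability cannot be determined.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Advisory:
    """One advisory from a vulnerability feed (constructed sample fields)."""
    adv_id: str
    package: str
    epss: float                            # EPSS probability of exploitation within 30 days
    vulnerable_functions: Tuple[str, ...]  # empty when the advisory has no code-level info

# Constructed sample: functions a call-graph analysis found the application
# actually calls in each dependency. A package absent here is never called.
REACHED: Dict[str, Set[str]] = {
    "libfoo": {"libfoo.parse", "libfoo.init"},
    "libbar": {"libbar.decode"},
    "libbaz": {"libbaz.open"},
}

ADVISORIES: List[Advisory] = [
    Advisory("ADV-SAMPLE-1", "libfoo", 0.92, ("libfoo.parse",)),   # reachable, high EPSS
    Advisory("ADV-SAMPLE-2", "libfoo", 0.85, ("libfoo.render",)),  # vulnerable function never called
    Advisory("ADV-SAMPLE-3", "libbar", 0.02, ("libbar.decode",)),  # reachable but rarely exploited
    Advisory("ADV-SAMPLE-4", "libbaz", 0.40, ()),                  # no code-level info in advisory
    Advisory("ADV-SAMPLE-5", "libqux", 0.70, ("libqux.run",)),     # dependency present, never called
]

def reachability(adv: Advisory, reached: Dict[str, Set[str]]) -> str:
    """'reachable', 'unreachable', or 'unknown' (advisory lists no vulnerable functions)."""
    if not adv.vulnerable_functions:
        return "unknown"
    called = reached.get(adv.package, set())
    return "reachable" if any(f in called for f in adv.vulnerable_functions) else "unreachable"

def prioritise(advisories, reached, epss_threshold=0.1):
    """Keep findings that are reachable, or cannot be proven unreachable, and
    whose EPSS meets the (assumed) threshold; highest EPSS first."""
    kept = []
    for adv in advisories:
        status = reachability(adv, reached)
        if status == "unreachable" or adv.epss < epss_threshold:
            continue
        kept.append((adv.adv_id, status, adv.epss))
    return sorted(kept, key=lambda t: t[2], reverse=True)

def noise_reduction(advisories, reached, epss_threshold=0.1) -> float:
    """Fraction of raw findings suppressed by the two filters together."""
    return 1 - len(prioritise(advisories, reached, epss_threshold)) / len(advisories)

if __name__ == "__main__":
    for row in prioritise(ADVISORIES, REACHED):
        print(row)
    print(f"suppressed {noise_reduction(ADVISORIES, REACHED):.0%} of findings")
```

On the sample data, three of the five findings are suppressed, and the one without code-level information survives only because it cannot be shown unreachable, which is exactly the gap the 47% figure above describes.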