Sonatype and Aspect Security recently published a study titled “The Unfortunate Reality of Insecure Libraries” (registration required). The bottom line is that 80% of the code in today’s applications comes from libraries and frameworks and that the risk of vulnerabilities in these components is widely neglected. Sonatype and Aspect Security analyzed the downloads from Maven Central and found that 26% of the downloaded libraries have known vulnerabilities.
Of course this is marketing material, but nevertheless it contains a lot of truth. Many organizations lack a process to ensure that the libraries they use in their applications are up to date. The larger an organization is, the higher the probability that it prefers not to update its dependencies for fear of breaking something. Never touch a running system – even if it is insecure.
You can argue that the metrics they use are inaccurate, as a vulnerability in a library used by an application does not imply that the application itself is vulnerable. However, if the application is not affected by the vulnerability of a dependent library, this is more often by coincidence than by analysis and informed decision.
For applications that we are building for our customers we have a few rules in place that lower the risks involved:
- We prefer proven frameworks and libraries with a good security track record
- We check the general code quality of frameworks and libraries before we include them
- Each iteration starts with updating the dependencies of our applications to their latest stable versions
While this works well for applications while they are being built, it does not help during the phase where no active development takes place. It also doesn’t help with security issues that are discovered and need an immediate fix for the release currently deployed to production.
Therefore we offer support contracts for our applications that cover the latest production release in supported environments. To minimize cost we do not support older versions or milestone, beta and candidate releases.
For those versions we provide our customers with security fixes for vulnerabilities found in one of the supported products or in the libraries used by one of these products. This of course includes monitoring the libraries and frameworks we use for reported vulnerabilities and security issues.
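The monitoring step above boils down to comparing the versions an application actually declares against the affected version ranges of published advisories. The script below is an added example (not the authors' tooling) that does this for a Maven pom.xml; the pom fragment, the artifact names and the advisory entries are all constructed placeholders, and real advisory data would be fed in from a vulnerability database instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample pom.xml fragment; artifact coordinates are placeholders.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>xml-util</artifactId><version>2.0.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>crypto-lite</artifactId><version>0.9.1</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: (group:artifact, first affected, first fixed, placeholder id).
# The affected range is [first_affected, fixed_in), as advisories usually state it.
ADVISORIES = [
    ("org.example:web-core", "1.0.0", "1.3.0", "ADVISORY-PLACEHOLDER-1"),
    ("org.example:xml-util", "2.0.0", "2.0.5", "ADVISORY-PLACEHOLDER-2"),
    ("org.example:crypto-lite", "1.0.0", "1.0.2", "ADVISORY-PLACEHOLDER-3"),
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def declared_dependencies(pom_text):
    """Map 'group:artifact' -> declared version for every <dependency> in the pom."""
    root = ET.fromstring(pom_text)
    deps = {}
    for d in root.findall(".//m:dependency", NS):
        ga = f"{d.find('m:groupId', NS).text}:{d.find('m:artifactId', NS).text}"
        deps[ga] = d.find("m:version", NS).text
    return deps


def vulnerable_dependencies(pom_text, advisories=ADVISORIES):
    """Return [(ga, version, advisory_id, fixed_in)] for declared deps inside an affected range."""
    deps = declared_dependencies(pom_text)
    findings = []
    for ga, first_affected, fixed_in, adv_id in advisories:
        if ga not in deps:
            continue  # library not used by this application
        v = parse_version(deps[ga])
        if parse_version(first_affected) <= v < parse_version(fixed_in):
            findings.append((ga, deps[ga], adv_id, fixed_in))
    return findings


if __name__ == "__main__":
    for ga, v, adv, fixed in vulnerable_dependencies(POM_XML):
        print(f"{ga} {v} is affected by {adv}; upgrade to >= {fixed}")
```

Running this as part of each iteration's dependency update, and again whenever the advisory feed changes, turns the "monitoring" rule into something a build can fail on.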
We also encourage our customers to plan for maintenance releases at least every six months to keep the dependencies up to date, even if there are no new features to be included.