State of Software Security: Open Source Edition

Partner: Veracode

Modern application development is near-impossible without open source libraries, yet this imported code represents functionality that developers did not author but must now manage. By analyzing over 85,000 applications, this report reveals that 71% of software contains a flaw in an open source library upon its initial scan. This “hidden dependency debt” creates an attack surface that is often invisible to maintainers until a major security event occurs.

The distribution of this risk is highly skewed by language. JavaScript applications, for instance, have a unique propensity for pulling in hundreds or even thousands of transitive dependencies—secondary libraries that “come along for the ride”. This complexity means that for languages like JavaScript, Ruby, and PHP, the majority of the attack surface is introduced transitively rather than through a developer’s explicit instruction.

The report also offers a significant “silver lining” for remediation: 92% of library flaws can be fixed by a simple update. Furthermore, these updates are typically minor versions or patches, meaning they are unlikely to break application functionality. By focusing on the 1% of flaws that are exploitable in the wild and on the application’s executable path, organizations can transform an overwhelming problem into a manageable task.

Key Findings

  • 71% Flaw Baseline: Over 70% of all applications analyzed harbor a security flaw in an open source library when they are first scanned.
  • The 92% “Update” Solution: 92% of all library-introduced flaws can be remediated with a simple version update; major refactors are rarely required.
  • Transitive Dependency Load: For languages like JavaScript, 86.9% of application library dependencies are transitive, meaning they were not explicitly included by the developer.
  • JavaScript Library Density: Typical JavaScript applications use 377 libraries, nearly nine times the number used in the typical Java application (43).
  • The 1% Critical Focus: By prioritizing flaws that have PoC code, are exploited in the wild, and are on the executable path, the remediation scope drops to just 1% of total flaws.
  • PHP Library Risk: Including any given PHP library has a greater than 50% chance of bringing a security flaw into the application.

The findings are drawn from an empirical analysis of Veracode’s database encompassing 85,000 applications and 351,000 unique external libraries.
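As an added illustration (not code from the report or from Veracode), a small Python triage script that models the findings above on a constructed dependency graph and hypothetical flaw records: it separates direct from transitive dependencies, flags fixes that stay within the same major version, and applies the PoC/exploited-in-the-wild/executable-path filter. All package names, versions and flags are assumed.

```python
from dataclasses import dataclass
# Constructed graph: package -> its declared dependencies. Anything reachable
# from "app" that "app" does not declare itself is a transitive dependency.
DEP_GRAPH = {
    "app": ["web-framework", "logger"],
    "web-framework": ["http-parser", "router"],
    "router": ["path-match"],
    "logger": ["ansi-colors"],
    "http-parser": [], "path-match": [], "ansi-colors": [],
}
@dataclass
class Flaw:
    library: str
    installed: str          # version pinned in the lockfile
    fixed_in: str           # first version carrying the fix
    has_poc: bool
    exploited_in_wild: bool
    on_exec_path: bool      # reachable from application code

# Constructed, hypothetical flaw records (not real CVEs).
FLAWS = [
    Flaw("http-parser", "2.3.1", "2.3.2", True, True, True),
    Flaw("path-match", "1.0.0", "1.1.0", True, False, True),
    Flaw("ansi-colors", "3.2.0", "4.0.0", False, False, False),
    Flaw("logger", "1.4.0", "1.4.1", True, True, False),
]

def classify_dependencies(graph, root="app"):
    """Return (direct, transitive) dependency sets reachable from root."""
    direct = set(graph[root])
    seen, stack = set(), list(direct)
    while stack:
        pkg = stack.pop()
        if pkg not in seen:
            seen.add(pkg)
            stack.extend(graph.get(pkg, []))
    return direct, seen - direct

def transitive_share(graph, root="app"):
    """Fraction of the dependency tree the developer never explicitly asked for."""
    direct, transitive = classify_dependencies(graph, root)
    return len(transitive) / (len(direct) + len(transitive))

def fix_is_minor_or_patch(flaw):
    """Semver rule of thumb: an update that keeps the major version is 'simple'."""
    return flaw.installed.split(".")[0] == flaw.fixed_in.split(".")[0]

def prioritised(flaws):
    """The report's narrow focus: PoC exists, exploited in the wild, on exec path."""
    return [f for f in flaws if f.has_poc and f.exploited_in_wild and f.on_exec_path]
```

On the constructed inputs, four of the six dependencies are transitive, three of the four flaws are fixable without crossing a major version, and only one flaw survives the prioritisation filter.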