State of Software Security, Vol. 11: Open Source Edition
Partner: Veracode
Third-party software is the foundation of nearly all modern applications, but it is a foundation built on shifting sands. This special edition of SOSS plumbs the life and times of open-source libraries to understand how developers manage—or more often, ignore—their external dependencies. By combining survey data from 1,800 developers with technical scan data, we unmask the reality of the software supply chain.
The data reveals a startling “set it and forget it” mentality: 79% of the time, developers never update a library after including it in their codebase. This is particularly concerning because “old libraries age like milk,” often harboring vulnerabilities that didn’t exist when the library was first selected. The report also shows that when developers are given the right information and alerted to flaws, they can act with remarkable speed: 17% of fixes occur in less than one hour.
Ultimately, managing open-source risk is less about technical complexity and more about informational friction. For 92% of vulnerable libraries, a fix is already available in the form of a simple update, most of which are minor version changes unlikely to break functionality. This study provides developers with the evidence they need to justify the “tax” of dependency maintenance and build more resilient applications.
Key Findings
- Dependency Stagnation: 79% of third-party libraries are never updated by developers once they are integrated into an application’s codebase.
- Rapid Response Potential: When developers are alerted to a vulnerable library, 17% of flaws are addressed within a single hour and 25% within one week.
- The “Update” Solution: 92% of all library flaws can be fixed by a simple update to a newer version.
- Low Impact Fixes: 69% of suggested library updates represent a minor version change or less, minimizing the risk of broken functionality.
- The Information Gap: Developers with the information they need fix 50% of flaws in 3 weeks; those without it take over 7 months to reach the same milestone.
- Java’s Supply Chain Load: The typical Java application is composed of 97% third-party open-source code.

Analysis of 13 million scans across 86,000 repositories containing 301,000 unique libraries, matched with 1,744 survey responses.