The Devil's in the Dependency: Data-Driven Software Composition Analysis

The presentation discusses the findings of a quantitative study of application security and library usage, highlighting the prevalence of flaws in open source software and the importance of prioritizing fixes based on severity.

• Open source software has a variable number and type of flaws, with most flaws coming from transit dependencies.
• Prioritizing fixes based on severity is important, with proof of concept and exploited vulnerabilities taking precedence.
• Language selection can also impact security.
• Most patchable vulnerabilities can be fixed with a minor library update.
• The study provides insights into industry performance and allows for benchmarking against peers.

The study found that transit dependencies are a major source of flaws in open source software, with developers potentially having to manage hundreds of developers when pulling in just one library. Prioritizing fixes based on severity is crucial, as not all flaws require a major refactor of the code. For example, most patchable vulnerabilities can be fixed with a minor library update. Language selection can also impact security, with developers needing to consider the security implications of their language choice. Overall, the study provides valuable insights into industry performance and allows for benchmarking against peers.

We all know that lurking within even the most popular open source packages are flaws that can leave carefully constructed applications vulnerable. In fact, 71% of all applications contain flawed open source libraries, many (70.7%) coming from downstream dependencies which might escape the notice of developers. Using graph analytics and a broad data science toolkit, we untangle the web of open source dependencies and flaws and show the best way for developers to navigate this seemingly intractable game of whack-a-mole.In this analysis, we examine over 85,000 applications and their use of more than 500k open source libraries. We provide an overview of open source usage showing that typical applications have hundreds or thousands of libraries, with most coming from a cascade of transitive dependencies. We find that proof-of-concept exploits exist for 21.7% of libraries with flaws, and that even very tiny (162 LoC) and very popular (included in 89% of applications) JavaScript libraries can contain exploitable flaws.We describe the complex relationship between libraries and security flaws and show that more libraries doesn't necessarily mean more problems -- in fact, we see applications that manage to use thousands of libraries while inheriting few or no flaws. Also, an analysis of exploitability in the data set makes clear that attackers are focusing most heavily on two types of flaws – Insecure Deserialization and Broken Access Control.We conclude by examining strategies to manage open source library flaws. We reveal more than 81% of flaws can be fixed with minor patch or revision updates, but updated libraries can themselves be flawed or can disrupt dependencies. We show that developers can prioritize risk mitigation by focusing on the 1% of flaws that are known to exist on an application's executable path and have seen exploitation in the wild.