75% of security patches break software, analysis says

New research from Endor Labs reveals critical insights into the challenges faced by organisations in managing open source software dependencies.

The 2024 Dependency Management Report examines trends in open source security, focusing on identifying and prioritising vulnerabilities. Security patches, which are meant to protect applications from vulnerabilities, have a 75% chance of breaking the software, according to the report.

Darren Meyer, a staff research engineer at Endor Labs, highlighted the difficulties organisations are experiencing with dependency risks. "A lot of organisations are struggling with managing dependency risks. They're drowning in vulnerability alerts, many of which don't represent relevant risk; researching the alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive. Endor Labs research shows that analysis-based vulnerability prioritisation has become a critical capability because of this, and highlights other trends and challenges related to dependency management," he said.

The report underscores that for a vulnerability in an open source library to be exploitable, there must be a call path from the application to the vulnerable function in that library. This scenario is found in fewer than 9.5% of all vulnerabilities examined across seven languages: Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala. This low incidence suggests that reducing unnecessary remediation activities can significantly cut costs by over 90.5%.

The speed of response to vulnerabilities remains a problem, with almost 70% of vulnerability advisories being published after the corresponding security patch is released. The delay, which is typically around 25 days, widens the window of opportunity for potential attackers. Additionally, nearly half of the advisories in public vulnerability databases lack critical code-level information, which hinders organisations from effectively determining if a known vulnerable function can be exploited in their applications.

Prioritising vulnerabilities remains an essential strategy. Effective prioritisation allows organisations to focus on less than 5% of their total number of vulnerabilities. For the Python ecosystem, updating the top 20 open source components to non-vulnerable versions could remove more than 75% of all vulnerability findings. The figure stands at 60% for Java and 44% for npm. This approach underscores the importance of addressing 'phantom dependencies', which are dependencies invisible to security tools but still pose substantial risks.

The report also sheds light on 'rebundling', where thousands of Python and Java components combine binary code from other open source projects, further complicating security efforts. Notably, a substantial share of reported library vulnerabilities are in phantom dependencies, particularly for organisations with a significant phantom dependency footprint.

Another important finding of the report is that 56% of reported library vulnerabilities exist in phantom dependencies. This issue is critical as it highlights the importance of including phantom dependencies in security assessments. Interestingly, updates to non-vulnerable component versions often require a major version upgrade. Of the 1,250 updates examined, 24% necessitated significant overhauls, while only 6% could be addressed with minor or patch version updates.

Utilising the Exploit Prediction Scoring System (EPSS) for prioritisation is also noted as a beneficial approach. The report indicates that with EPSS, 80% of reachable vulnerabilities have a 1% or less predicted chance of being exploited.

These findings offer deep insights into the current state of open source dependency management and highlight the areas that organisations should focus on to enhance their security strategies.