- Hidden dependencies carry invisible risks in modern software systems, the report finds
- Function-level reachability analysis cuts unnecessary vulnerability remediation by almost 90%
- Advisory delays leave systems exposed to potential exploits
Since organizations are increasingly relying on third-party components and open source libraries to accelerate development, experts warn that managing the security risks associated with these dependencies has become a critical priority.
The Endor Labs 2024 Dependency Management Report explores how the challenges of managing dependencies and software vulnerabilities are evolving. Its analysis of seven programming language ecosystems (Java, Python, Rust, Go, C#/.NET, Kotlin and Scala) found that fewer than 9.5% of the dependency vulnerabilities reported in 2024 were considered "real threats".
"Many organizations are struggling to manage dependency risks," noted Darren Meyer, staff research engineer at Endor Labs. "They drown in vulnerability alerts, many of which do not represent relevant risk; researching alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive."
Dependency management
Dependency management is not a simple task because most software projects rest on several layers of dependencies, including code libraries, frameworks and the operational dependencies that support production environments. This creates a web of interconnected components, and any vulnerability anywhere in that web could expose an organization to significant security risk.
The use of third-party components, in particular open source software, is common practice in modern software development because it reduces the time developers spend writing foundational code, offering ready-made functionality that accelerates development cycles. But it also brings its own security challenges, because vulnerabilities in these external components become vulnerabilities in the application.
Many security problems arise from "phantom dependencies": hidden components that are not explicitly declared in the project's manifest or build files, and that can introduce vulnerabilities that traditional manifest-based tools fail to detect.
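The simplest check for phantom dependencies in a Python project is to compare what the code actually imports against what the manifest declares. The following is an example added here, not code from the Endor Labs report or its tooling; the sample module, the requirements text and the import-to-distribution map are constructed for the example (a real scanner would take the map from installed package metadata).

```python
import ast
import re
import sys

# Constructed sample application module. It imports requests and urllib3
# (declared), yaml (used but never declared: a phantom dependency) and two
# standard-library modules.
SAMPLE_SOURCE = '''
import os
import json
import requests
import yaml
from urllib3.util import Retry

def fetch(url):
    return requests.get(url).json()
'''

# Constructed requirements.txt content; PyYAML is never declared here.
SAMPLE_REQUIREMENTS = """
requests==2.31.0
urllib3>=1.26
# transitive pins omitted
"""

# Import name -> distribution name where the two differ. A real scanner would
# derive this from importlib.metadata.packages_distributions(); it is
# hard-coded here so the example runs offline.
IMPORT_TO_DIST = {"yaml": "PyYAML"}

# Fallback for interpreters older than 3.10, which lack sys.stdlib_module_names.
STDLIB_FALLBACK = {"os", "sys", "json", "re", "ast", "typing"}


def normalize(dist_name):
    """Normalize a distribution name the way packaging tools compare them."""
    return re.sub(r"[-_.]+", "-", dist_name).lower()


def stdlib_modules():
    return set(getattr(sys, "stdlib_module_names", ())) | STDLIB_FALLBACK


def imported_top_level(source):
    """Return the top-level module names imported by a Python source string."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def declared_distributions(requirements_text):
    """Extract normalized distribution names from requirements.txt lines."""
    declared = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            declared.add(normalize(match.group(0)))
    return declared


def find_phantom_dependencies(source, requirements_text, import_to_dist=IMPORT_TO_DIST):
    """Return imported third-party modules that no declared requirement provides."""
    declared = declared_distributions(requirements_text)
    phantoms = set()
    for module in imported_top_level(source) - stdlib_modules():
        if normalize(import_to_dist.get(module, module)) not in declared:
            phantoms.add(module)
    return phantoms


if __name__ == "__main__":
    print(find_phantom_dependencies(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS))  # {'yaml'}
```

A module that passes this check is still only "declared", not necessarily resolved from a trusted index; the point of the check is that a scanner which reads only the manifest would never have looked at `yaml` at all, so any advisory against PyYAML would be invisible to it.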
Matters are made worse by the fact that almost 70% of advisories issued by vulnerability databases such as NIST's NVD are published after the corresponding security fix, with a median lag of 25 days.
Endor also claims that almost half of the advisories in public vulnerability databases lack code-level details, and only 2% provide function-level information about the vulnerability, which makes it difficult for security teams to determine whether a known vulnerability is actually exploitable in their applications.
In addition, Endor's analysis of 1,250 updates from vulnerable to non-vulnerable versions shows that 24% of fixes require a major version update, while 6% of vulnerabilities could be corrected with minor or patch-level updates.
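Classifying how far a fix is from the vulnerable version is a useful first cut at remediation effort, since a major bump usually means breaking changes and a patch bump usually does not. The following is an example added here, not code or data from the report; the version pairs are constructed.

```python
import re
from collections import Counter

# Accepts "1.2.3", "v1.2.3" and ignores any pre-release or build suffix.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_semver(version):
    """Parse a semver string into a (major, minor, patch) tuple of ints."""
    match = SEMVER_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a semver version: {version!r}")
    return tuple(int(part) for part in match.groups())


def upgrade_kind(vulnerable, fixed):
    """Classify the jump from a vulnerable to a fixed version as major, minor or patch."""
    vuln, fix = parse_semver(vulnerable), parse_semver(fixed)
    if fix <= vuln:
        raise ValueError("fixed version must be greater than the vulnerable version")
    if fix[0] != vuln[0]:
        return "major"
    if fix[1] != vuln[1]:
        return "minor"
    return "patch"


# Constructed (vulnerable, fixed) pairs, not figures from the Endor report.
SAMPLE_UPGRADES = [
    ("1.2.3", "2.0.0"),
    ("4.17.15", "4.17.21"),
    ("2.9.0", "2.10.1"),
    ("0.8.1", "1.0.0"),
]


def summarize_upgrades(pairs):
    """Return the percentage of upgrades in each category, rounded to one decimal."""
    counts = Counter(upgrade_kind(vuln, fix) for vuln, fix in pairs)
    total = sum(counts.values())
    return {kind: round(100 * counts[kind] / total, 1) for kind in ("major", "minor", "patch")}


if __name__ == "__main__":
    print(summarize_upgrades(SAMPLE_UPGRADES))
```

Two caveats a practitioner will want: semver only promises compatibility for minor and patch bumps from 1.0.0 onward, so a jump within the 0.x range can break an API just as a major bump would; and not every ecosystem follows semver, so the category should inform triage, not replace testing.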
Endor therefore maintains that not all vulnerabilities carry the same level of risk, and advises organizations to focus on the most reachable and most exploitable ones, since only 9.5% of dependency vulnerabilities are exploitable at the function level.
Reachability analysis, which determines whether a vulnerable function in a dependency is actually called by the application code, appears to be one of the most effective ways to reduce noise in vulnerability reporting. By focusing on vulnerabilities that have a clear path to exploitation, organizations can reduce their remediation effort by almost 90%, according to the report.
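To make the idea of function-level reachability concrete, here is a deliberately small static call-graph walk over one application module. It is an example added here, not the report's method or any vendor's tool: the application source, the dependency name `vulnlib` and the vulnerable function `vulnlib.parse_config` are all hypothetical, standing in for a real advisory that names the affected function.

```python
import ast
from collections import deque

# Constructed application module. Only `main` is wired up as an entry point;
# `unused_admin_tool` is dead code that would call the vulnerable function.
APP_SOURCE = '''
import vulnlib
from vulnlib import safe_helper

def load_settings(path):
    with open(path) as fh:
        return vulnlib.parse_config(fh.read())

def main():
    return safe_helper(42)

def unused_admin_tool(path):
    return load_settings(path)
'''

# Hypothetical function named by an advisory with function-level data.
VULNERABLE_FUNCTION = "vulnlib.parse_config"


def build_call_graph(source):
    """Map each module-level function to the functions it calls.

    Callees are local function names or, for calls through an import,
    fully qualified names such as "vulnlib.parse_config".
    """
    tree = ast.parse(source)
    imports = {}
    for node in tree.body:
        if isinstance(node, ast.Import):
            for alias in node.names:
                imports[alias.asname or alias.name.split(".")[0]] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                imports[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    functions = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    graph = {}
    for name, fn in functions.items():
        callees = set()
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            target = node.func
            if isinstance(target, ast.Name):
                if target.id in functions:
                    callees.add(target.id)
                elif target.id in imports:
                    callees.add(imports[target.id])
            elif isinstance(target, ast.Attribute) and isinstance(target.value, ast.Name):
                if target.value.id in imports:
                    callees.add(f"{imports[target.value.id]}.{target.attr}")
        graph[name] = callees
    return graph


def reachable_external_calls(graph, entry_points):
    """Breadth-first walk from the entry points, collecting calls into dependencies."""
    seen, external = set(), set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        for callee in graph.get(fn, ()):
            if callee in graph:
                queue.append(callee)
            else:
                external.add(callee)
    return external


def is_reachable(source, vulnerable_function, entry_points):
    """True if the vulnerable dependency function is on a call path from an entry point."""
    return vulnerable_function in reachable_external_calls(build_call_graph(source), entry_points)


if __name__ == "__main__":
    print(is_reachable(APP_SOURCE, VULNERABLE_FUNCTION, ["main"]))               # False
    print(is_reachable(APP_SOURCE, VULNERABLE_FUNCTION, ["unused_admin_tool"]))  # True
```

The verdict depends entirely on the entry-point set and on the analysis being sound: this toy resolves only direct calls through named imports, so `getattr`, callbacks, decorators, reflection and calls made inside the dependency itself are invisible to it, and a production tool must also walk the dependency's own call graph to reach the affected function transitively. An "unreachable" result is grounds to deprioritize a fix, not to close the finding permanently, because the next commit that calls `load_settings` from `main` flips the answer.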