- Hidden dependencies pose unseen risks in modern software systems, report says
- Function-level analysis cuts unnecessary vulnerability fixes by 90%
- Advisory delays leave systems exposed to potential exploits
As organizations are increasingly dependent on third-party components and open source libraries to accelerate development processes, experts have warned that the security risks associated with these dependencies have become a significant priority.
Endor Labs' 2024 Dependency Management Report explores the evolving challenges in managing software dependencies and vulnerabilities. Its analysis of seven programming languages (Java, Python, Rust, Go, C#, .NET, Kotlin and Scala) found that fewer than 9.5% of vulnerabilities in 2024 were considered 'real threats'.
"Many organizations are struggling to manage dependency risks," noted Darren Meyer, staff research engineer at Endor Labs. "They are drowning in vulnerability warnings, many of which do not represent relevant risk; examining the alarms is expensive for security teams (and software teams), and it is even more expensive to try to solve everything."
Dependency management
Handling dependencies is not a simple task, as most software projects rely on several layers of them, including first-party code libraries, frameworks and the operational dependencies that support production environments. This creates a web of interconnected components, and any vulnerability within that web can expose an organization to significant security risk.
The use of third-party components, especially open source software, is common practice in modern software development because it reduces the time developers need to spend writing basic code and offers pre-built functionality that speeds up development cycles. It also brings unique security challenges, however, because of vulnerabilities in these external components.
Many security issues stem from "phantom dependencies": hidden components that are not explicitly documented in the software's manifest and can introduce vulnerabilities that traditional tools do not detect.
Compounding the problem, almost 70% of advisories issued by vulnerability management platforms such as NIST's NVD are published after the corresponding security fix has been released, with a median delay of 25 days.
Endor also finds that almost half of public vulnerability database entries lack code-level details, while only 2% provide function-specific vulnerability information, making it difficult for security teams to determine whether a known vulnerability can actually be exploited in their applications.
In addition, Endor's analysis of 1,250 updates from vulnerable to non-vulnerable versions shows that 24% of the fixes require a major version update, while 6% of the vulnerabilities could be fixed with minor or patch-level updates.
Endor therefore argues that not all vulnerabilities carry the same level of risk, and advises organizations to focus on the most reachable and exploitable vulnerabilities, since only approximately 9.5% of the vulnerabilities in dependencies are exploitable at the function level.
Reachability analysis, which determines whether a vulnerable function in a dependency is actually called by the application's code, emerges as one of the most effective ways to reduce noise in vulnerability reporting. By focusing on vulnerabilities that have a clear path to being exploited, organizations can reduce their remediation effort by almost 90%, according to the report.
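The following is an added example, not code from the report or from Endor Labs, of what function-level reachability analysis means in practice: it builds a call graph from a constructed Python application, walks it from the entry point, and reports which of two hypothetical advisory-flagged functions in a made-up `yamlish` dependency are actually reached. Only the one with a call path counts; the other is the kind of noise the report describes.

```python
import ast
from collections import deque

# Constructed sample application (not from the report). "yamlish" is a hypothetical
# dependency; two of its functions are flagged by the hypothetical advisory data below.
APP_SOURCE = '''
import yamlish
def load_config(text):
    data = yamlish.safe_load(text)
    return yamlish.resolve_anchors(data)
def legacy_loader(text):
    return yamlish.load(text)
def main():
    return load_config("a: 1")
'''

# Constructed function-level advisory data: the detail only ~2% of public advisories carry.
VULNERABLE_FUNCTIONS = {"yamlish.load", "yamlish.resolve_anchors"}

def _callee_name(node):
    """Dotted name of a call target, e.g. 'yamlish.load' or 'load_config'; None if dynamic."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None

def build_call_graph(source):
    """Map each top-level function to the set of functions it calls directly."""
    graph = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            calls = (_callee_name(n) for n in ast.walk(node) if isinstance(n, ast.Call))
            graph[node.name] = {c for c in calls if c}
    return graph

def reachable_vulnerabilities(source, vulnerable, entry="main"):
    """Breadth-first walk from `entry`; returns {vulnerable function: call path} for those reached."""
    graph = build_call_graph(source)
    paths, queue = {entry: [entry]}, deque([entry])
    while queue:
        current = queue.popleft()
        for callee in graph.get(current, ()):
            if callee not in paths:
                paths[callee] = paths[current] + [callee]
                queue.append(callee)
    return {v: paths[v] for v in vulnerable if v in paths}
```

Running `reachable_vulnerabilities(APP_SOURCE, VULNERABLE_FUNCTIONS)` reports only `yamlish.resolve_anchors`, reached via `main -> load_config`; `yamlish.load` sits in dead code and would be triaged down. A production tool must also resolve aliases, dynamic dispatch and transitive dependencies, which this static, single-module walk does not attempt.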