Endor Labs released the 2024 Dependency Management Report, which consolidates extensive original and third-party research into the current state of security across the software dependency lifecycle, the foundation on which all application development rests. The research is based on analysis of Endor Labs vulnerability data, the Open-Source Vulnerabilities (OSV) database for comparison, information from Endor Labs customer tenants, and Java ARchives (JARs) of hundreds of versions of the top 15 open-source dependencies, used to compute breaking changes. The third annual report from Endor Labs reveals that while remediation costs for dependency risks are perilously high, function-level reachability analysis still offers the best value in this critical area.
Darren Meyer, staff research engineer at Endor Labs, says, “A lot of organizations are struggling with managing dependency risks. They're drowning in vulnerability alerts, many of which don't represent relevant risk; researching the alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive. Endor Labs research shows that analysis-based vulnerability prioritization has become a critical capability because of this, and highlights other trends and challenges related to dependency management.”
Key Takeaways:
- A vulnerability only matters to an application if the vulnerable function can actually be reached from that application's code. The Endor Labs report finds this to be true for fewer than 9.5% of all vulnerabilities in the seven language ecosystems explored (Java, Python, Rust, Go, C# and .NET, Kotlin and Scala). Prioritizing on reachability alone therefore removes over 90.5% of remediation activities, which can slash remediation costs by the same proportion. Because this result comes from a single prioritization factor, the report identifies function-level reachability as by far the most valuable single noise-reduction strategy available.
- The research also turns a spotlight on the speed of response to emerging risks. It reveals that nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days. During that gap the fix is already public and can be inferred from the release itself, but downstream consumers have no advisory telling them to upgrade, which widens the existing window of opportunity for attackers to exploit vulnerable systems.
- The problems go even deeper: Across the six ecosystems explored, 47% of advisories in public vulnerability databases do not contain any code-level vulnerability information at all; 51% contain one or more references to fix commits; and only 2% contain information about affected functions. This is a serious drawback because program analysis techniques require code-level information about a vulnerability, such as the names of affected functions or the fix commits that open-source project maintainers developed to close it. Without this kind of information, it is effectively impossible to establish whether known-vulnerable functions can be executed in the context of a downstream application.
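The following added example (not code from the report or from Endor Labs) illustrates the two points above together: how function-level reachability prioritization prunes alerts, and why an advisory that names no affected function cannot be triaged by it. It parses two constructed Python modules with the standard `ast` module, builds a simple cross-module call graph, and walks it from the application's entry points. The module names, function names and advisory identifiers (`EXAMPLE-000x`) are all hypothetical; the advisory records only imitate the shape of an OSV entry.

```python
"""Toy function-level reachability triage (constructed example)."""
import ast
from collections import deque

# Constructed sample sources; all names are hypothetical.
DEP_SRC = '''
def parse_header(raw):
    return raw.split(":")

def render_template(tpl, ctx):   # hypothetical vulnerable function
    return tpl.format(**ctx)

def safe_escape(s):
    return s.replace("<", "&lt;")
'''

APP_SRC = '''
import dep
from dep import safe_escape

def handle_request(raw):
    fields = dep.parse_header(raw)
    return respond(fields)

def respond(fields):
    return safe_escape(",".join(fields))

def unused_admin_page(ctx):       # never called from an entry point
    return dep.render_template("{name}", ctx)
'''

# Constructed advisories in a simplified OSV-like shape; IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "dep", "affected_functions": ["dep.render_template"]},
    {"id": "EXAMPLE-0002", "package": "dep", "affected_functions": ["dep.parse_header"]},
    {"id": "EXAMPLE-0003", "package": "dep", "affected_functions": []},  # no code-level info
]


def build_call_graph(modules):
    """modules: {module_name: source}. Returns {qualified_fn: set(qualified callees)}."""
    graph = {}
    for mod, src in modules.items():
        tree = ast.parse(src)
        local = {}          # bare identifier -> qualified name (local defs, from-imports)
        imported_mods = {}  # alias -> module name (plain imports)
        for node in tree.body:
            if isinstance(node, ast.FunctionDef):
                local[node.name] = f"{mod}.{node.name}"
            elif isinstance(node, ast.ImportFrom) and node.module:
                for alias in node.names:
                    local[alias.asname or alias.name] = f"{node.module}.{alias.name}"
            elif isinstance(node, ast.Import):
                for alias in node.names:
                    imported_mods[alias.asname or alias.name] = alias.name
        for node in tree.body:
            if not isinstance(node, ast.FunctionDef):
                continue
            callees = set()
            for sub in ast.walk(node):
                if not isinstance(sub, ast.Call):
                    continue
                target = sub.func
                if isinstance(target, ast.Name) and target.id in local:
                    callees.add(local[target.id])                      # f() or from-imported f()
                elif (isinstance(target, ast.Attribute) and isinstance(target.value, ast.Name)
                      and target.value.id in imported_mods):
                    callees.add(f"{imported_mods[target.value.id]}.{target.attr}")  # mod.f()
            graph[f"{mod}.{node.name}"] = callees
    return graph


def reachable_from(graph, entry_points):
    """Breadth-first walk of the call graph from the given entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(advisories, graph, entry_points):
    """Label each advisory reachable / not reachable, or unknown when it names no function."""
    reach = reachable_from(graph, entry_points)
    verdicts = {}
    for adv in advisories:
        fns = adv["affected_functions"]
        if not fns:
            verdicts[adv["id"]] = "unknown (no affected-function data)"
        elif any(fn in reach for fn in fns):
            verdicts[adv["id"]] = "reachable"
        else:
            verdicts[adv["id"]] = "not reachable"
    return verdicts


def run_example():
    graph = build_call_graph({"dep": DEP_SRC, "app": APP_SRC})
    return triage(ADVISORIES, graph, entry_points=["app.handle_request"])


if __name__ == "__main__":
    for adv_id, verdict in run_example().items():
        print(adv_id, verdict)
```

Run as a script, the example reports `EXAMPLE-0002` as reachable (the application's request handler calls `dep.parse_header`), `EXAMPLE-0001` as not reachable (the vulnerable `render_template` is only called from a function nothing invokes), and `EXAMPLE-0003` as unknown, because with no affected-function data there is nothing to look up in the call graph. A production tool resolves far more than this (method calls through objects, dynamic dispatch, reflection), but the dependency on code-level advisory data is the same.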