As modern applications become more dependent on open source components, one of the biggest challenges we’re currently facing is stale dependencies. A dependency is stale when an application’s open source component is outdated and no longer receives the bug and security fixes that its newer versions provide. Keeping open source components up to date is not a trivial task: new versions are occasionally not backwards compatible, they can introduce breaking changes, and there is potentially a huge economic cost associated with upgrading. However, as open source components make up a significant portion of an application’s code, that is usually where most of the security vulnerabilities reside. Letting dependencies become stale and only addressing them once a security vulnerability has been detected is disruptive and slows development significantly.

While open source components allow applications to be developed quickly, the associated maintenance effort is often neglected. This is commonly referred to as the open source “tax.” Organizations need to schedule work to pay this “tax” on a regular basis. A best practice approach is to mandate that applications must not have stale dependencies when released. In addition, time must be set aside to address stale dependencies in the other applications, which are not under active development. The benefit of reducing stale dependencies is a reduction both in the number of future security vulnerabilities and in the time required to address them.
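As an added illustration of the release gate described above (example code, not from the article), the Python check below fails a release when any pinned dependency lags the newest published version of that component. The lockfile and the table of latest versions are constructed sample data; a real gate would take the latest versions from a package index or a software composition analysis tool.

```python
import re

# Constructed sample: pinned versions as they would appear in a requirements-style lockfile.
LOCKFILE = """\
requests==2.25.1
pyyaml==5.4
cryptography==41.0.7
urllib3==1.26.5
"""

# Constructed sample: newest published version per component (hypothetical values
# standing in for what a package index or an SCA tool would report).
LATEST = {"requests": "2.31.0", "pyyaml": "6.0.1",
          "cryptography": "41.0.7", "urllib3": "2.2.1"}

def parse_version(v):
    """Dotted numeric version -> comparable 3-tuple; missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple((parts + [0, 0, 0])[:3])

def staleness(pinned, latest):
    """Classify the lag as 'major', 'minor', 'patch' or 'current' by the first differing component."""
    p, l = parse_version(pinned), parse_version(latest)
    if p >= l:
        return "current"
    return next(lvl for lvl, i in (("major", 0), ("minor", 1), ("patch", 2)) if p[i] < l[i])

def parse_lockfile(text):
    """Return {name: version} from 'name==version' lines; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if "==" in line:
            name, _, version = line.partition("==")
            pins[name.strip().lower()] = version.strip()
    return pins

def release_gate(lockfile, latest, block_on=("major", "minor", "patch")):
    """Return (passed, findings) where each finding is (name, pinned, newest, severity).
    The gate fails when any dependency lags by a level in block_on; a component that is
    missing from `latest` cannot be assessed and is reported as 'unknown' without blocking."""
    findings = []
    for name, pinned in parse_lockfile(lockfile).items():
        newest = latest.get(name)
        sev = staleness(pinned, newest) if newest else "unknown"
        findings.append((name, pinned, newest or "?", sev))
    passed = not any(sev in block_on for *_, sev in findings)
    return passed, findings

if __name__ == "__main__":
    ok, report = release_gate(LOCKFILE, LATEST)
    for name, pinned, newest, sev in report:
        print(f"{name:<14}{pinned:<10}{newest:<10}{sev}")
    print("RELEASE GATE:", "PASS" if ok else "FAIL")
```

With the default `block_on`, any lag at all blocks the release, matching the mandate above; pass `block_on=("major", "minor")` to tolerate patch-level lag while still reporting it.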
As the bulk of modern applications are built from open source components, doing due diligence during the open source selection process and dealing with stale dependencies will address a large number of potential security vulnerabilities. These additional controls, coupled with vulnerability scanners, automated security scanning tools and penetration testing, will help to speed up development, create more secure applications and reduce business risk. The future of application security is to shift further left.