Endor Labs has introduced “The 2024 Dependency Management Report.” The document offers a C-suite perspective on potential vulnerabilities within open-source dependencies and software packages. The report also finds that while remediation costs for dependency risks are perilously high, function-level reachability analysis still offers the best value in this critical area.
Survey Methodology
To create the report, Endor consolidated original and third-party research. The findings draw on Endor Labs vulnerability data, the Open Source Vulnerabilities (OSV) database for comparison, information from Endor Labs customer tenants, and Java ARchives (JARs) of hundreds of versions of the top 15 open source dependencies, which were used to compute breaking changes.
Key Takeaways
- Less than 9.5% of vulnerabilities are exploitable at the function level
- Nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days
- 47% of advisories in public vulnerability databases do not contain any code-level vulnerability information at all; 51% contain one or more references to fix commits; and only 2% contain information about affected functions
On Record
In a recent quote, Darren Meyer, staff research engineer at Endor Labs, said, “A lot of organizations are struggling with managing dependency risks. They’re drowning in vulnerability alerts, many of which don’t represent relevant risk; researching the alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive. Endor Labs research shows that analysis-based vulnerability prioritization has become a critical capability because of this, and highlights other trends and challenges related to dependency management.”