Endor Labs Shows High Costs in Software Dependency Management

The 2024 Endor Labs Dependency Management Report reveals high costs of remediating software dependency risks and emphasizes function-level analysis to reduce them.

Endor Labs’ 2024 Dependency Management Report consolidates a wealth of original and third-party research, offering a detailed look at the state of security in the software dependency lifecycle. The report, based on an analysis of Endor Labs vulnerability data, the Open-Source Vulnerabilities (OSV) database, and information from Endor Labs customer tenants, reveals that the costs associated with dependency risk remediation are alarmingly high.

Darren Meyer, a staff research engineer at Endor Labs, notes that many organizations are grappling with managing dependency risks. The inundation of vulnerability alerts, many of which do not represent relevant risk, is proving costly for security and software teams. The report underscores the importance of analysis-based vulnerability prioritization in managing these challenges.

The Value of Function-Level Reachability Analysis

The report finds that function-level reachability analysis remains the most effective strategy for reducing noise and cutting remediation costs. Across the seven languages explored (Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala), fewer than 9.5% of all vulnerabilities turn out to be reachable at the function level. By reducing the number of remediation activities to that reachable subset, organizations can cut remediation costs by over 90.5%.

The report also highlights the need for a swift response to emerging risks. It reveals that nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days. This delay widens the window of opportunity for attackers to exploit vulnerable systems.

The report further reveals that 47% of advisories in public vulnerability databases do not contain any code-level vulnerability information. This lack of information hampers the application of program analysis techniques, making it nearly impossible to determine whether known-vulnerable functions can be executed in the context of a downstream application.
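As an added illustration, not code from the report or from Endor Labs' tooling, the following Python sketch shows the prioritization the two passages above describe: an advisory is deprioritized when none of its vulnerable functions can be reached from the application's entry points, while an advisory that names no affected function at all (the 47% case) cannot be analysed and falls through to manual triage. The call graph, entry point and advisory records are constructed sample data.

```python
from collections import deque

# Constructed sample call graph: caller -> callees. "app.*" functions belong to
# the downstream application; everything else lives in third-party dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "json_lib.parse"],
    "app.handle_request": ["http_lib.serve", "log_lib.info"],
    "http_lib.serve": ["http_lib.parse_headers"],
    "http_lib.parse_headers": ["str_util.trim"],
    "json_lib.parse": ["json_lib.tokenize"],
    "log_lib.format_pattern": ["log_lib.lookup"],  # never called by the app
}

# Constructed advisories. "functions" is the code-level data the report says is
# absent from 47% of public advisories; None models such an advisory.
ADVISORIES = [
    {"id": "ADV-0001", "package": "http_lib", "functions": ["http_lib.parse_headers"]},
    {"id": "ADV-0002", "package": "log_lib", "functions": ["log_lib.format_pattern"]},
    {"id": "ADV-0003", "package": "json_lib", "functions": None},
]

def reachable_functions(graph, entry_points):
    """Breadth-first walk of the call graph from the application's entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def prioritize(graph, entry_points, advisories):
    """Classify each advisory as reachable, unreachable or unknown. 'unknown'
    advisories name no vulnerable function, so reachability cannot be decided."""
    reach = reachable_functions(graph, entry_points)
    result = {"reachable": [], "unreachable": [], "unknown": []}
    for adv in advisories:
        if adv["functions"] is None:
            result["unknown"].append(adv["id"])
        elif any(fn in reach for fn in adv["functions"]):
            result["reachable"].append(adv["id"])
        else:
            result["unreachable"].append(adv["id"])
    return result

if __name__ == "__main__":
    print(prioritize(CALL_GRAPH, ["app.main"], ADVISORIES))
```

Package-level matching would flag all three advisories because all three packages are dependencies; only ADV-0001 actually needs remediation, and ADV-0003 needs a human to fill in the missing function data before it can be decided.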

In light of the insights provided by Endor Labs’ 2024 report, it is evident that the landscape of open-source software dependency management is complex and fraught with challenges. Organizations must prioritize analysis-based vulnerability remediation strategies to effectively mitigate risks and reduce costs. By adopting function-level reachability analysis and responding swiftly to emerging threats, companies can enhance the security of their software ecosystems and protect against potential exploits.
