By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
18px_cookie
e-remove

Endor Labs’ ‘State of Dependency Management 2023’ Report Offers Insight on Explosive Popularity of AI and LLMs—and How They Impact Application Security

The State of Dependency Management 2023 reports on the latest research on dependency management and how AI is impacting the application security landscape.

The State of Dependency Management 2023 reports on the latest research on dependency management and how AI is impacting the application security landscape.

The State of Dependency Management 2023 reports on the latest research on dependency management and how AI is impacting the application security landscape.

Written by
A photo of Ron Harnik — VP Marketing at Endor Labs.
Ron Harnik
Published on
July 20, 2023
Topics

The State of Dependency Management 2023 reports on the latest research on dependency management and how AI is impacting the application security landscape.

The State of Dependency Management 2023 reports on the latest research on dependency management and how AI is impacting the application security landscape.

PALO ALTO, CA (July 19, 2023) -- Endor Labs, creator of the Code Governance Platform, today released “State of Dependency Management 2023,” a new research report exploring emerging trends that software organizations need to consider as part of their security strategy, and risks associated with the use of existing open source software (OSS) in application development. In particular, as modern software development increasingly adopts distributed architectures and microservices alongside third party and open source components, the report tracks the astonishing popularity of ChatGPT’s API, how current large language model (LLM)-based AI platforms are unable to accurately classify malware risk in most cases, and how almost half of all applications make no calls at all to security-sensitive APIs in their code base. The report emphasizes how these issues need to be prioritized in every organization’s security strategy.

Endor Labs’ ‘State Of Dependency Management 2023’ was compiled by Station 9, the company’s unique research team, which brings together software development and security specialists from different industries and around the world to explore the complexities of supply chain security and the use of open source software in the enterprise, and provide guidelines and best practices for selecting, securing, and maintaining OSS.

“The fact that there’s been such a rapid expansion of new technologies related to Artificial Intelligence, and that these capabilities are being integrated into so many other applications, is truly remarkable—but it’s equally important to monitor the risks they bring with them,” said Henrik Plate, lead security researcher at Endor Labs Station9. “These advances can cause considerable harm if the packages selected introduce malware and other risks to the software supply chain. This report offers an early look into this critical function, just as early adopters of matching security protocols will benefit most from these capabilities.” 

Key Insights in 2023

The report reveals that: 

  • Existing LLM technologies still can’t be used to reliably assist in malware detection and scale–in fact, they accurately classify malware risk in barely 5% of all cases. They have value in manual workflows, but will likely never be fully reliable in autonomous workflows. That’s because they can’t be trained to recognize novel approaches, such as those derived through LLM recommendations
  • 45% of applications have no calls to security-sensitive APIs in their code base, but that number actually drops to 5% when dependencies are included. Organizations routinely underestimate risk when they don’t analyze their use of such APIs through open source dependencies
  • Even though 71% of typical Java application code is from open source components, applications use only 12% of imported code. Vulnerabilities in unused code are rarely exploitable; organizations can eliminate or de-prioritize 60% of remediation work with reliable insights into which code is reachable throughout an application.

It’s been barely five months since ChatGPT’s API was released, but Endor Labs’ research has already identified that it’s used in 900 npm and PyPi packages across diverse problem domains. 75% of those are brand new packages. While the advances are undeniable, organizations of all sizes need to practice due diligence when selecting packages. That’s because the combination of extreme popularity and a lack of historical data represents fertile ground for potential attacks. 

Focusing specifically on LLM applications in security, the research uncovers how LLM can effectively create and hide malware, and even become a nemesis to defensive LLM applications. Given this landscape, organizations will need to document the components and vulnerabilities their applications include, such as through a Software Bill of Materials (SBOM). Applications typically use only a small percentage of the open source components they integrate, while developers seldom understand the torrent of dependencies in each of those components.

To satisfy transparency requirements and protect the brand, it’s important for organizations to go beyond standard SBOMs. They need to understand not only the list of components but also how they’re being used within their applications, and which vulnerabilities are exploitable. This will enable a better understanding of risk, improve productivity and reduce cost.

Read the full report here.

About Endor Labs

Endor Labs helps developers and security teams spend less time dealing with security issues and more time accelerating development through safe Open Source Software (OSS) adoption. Our Code Governance Platform helps organizations prioritize risk across open source software and CI/CD pipelines, and meet compliance objectives such as SBOMs. The Endor Labs engineering team includes some of the world’s leading static analysis experts, including 7 PhDs and senior engineers from Meta, Uber, Amazon, and Microsoft. Endor Labs was founded by industry veterans Varun Badhwar and Dimitri Stiliadis, and is backed by Lightspeed & Dell Technologies Capital, as well as executives at companies like Palo Alto Networks, Zscaler, Zoom, Google, and more.

Press Contact

CONTOS DUNNE COMMUNICATIONS

endorlabs@cdc.agency

+1 (408) 776 1400 +1 (408) 893 8750

The Challenge

The Solution

The Impact

Get new posts in your inbox.

Get new posts in your inbox.

Get new posts in your inbox.

Welcome to the resistance
Oops! Something went wrong while submitting the form.

Get new posts in your inbox.

Get new posts in your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get new posts in your inbox.