Software composition analysis tools analyze your code and pick out the components that are vulnerable. This speeds up the detection of vulnerabilities on your site and reduces the risk of human error. “Most of the companies that offer software composition analysis tools offer proactive alerting so you don’t even have to be watching it,” says Amy DeMartine, an analyst at Forrester. “They’ll tell you when a new vulnerability gets announced for a version of a component you’re using.”
The Northeastern University study found that the median website in its dataset used a library version that was “1,177 days older than the newest release.” Switching to a newer version takes time because the newer version must be tested for compatibility with the existing application or site.
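The two checks described above, matching in-use component versions against published advisories and measuring how far behind the newest release a site's libraries are, can be illustrated with a small script. This is an added example, not code from the article, the Northeastern study, or any commercial SCA product; the manifest, advisory entries (with placeholder ids), release dates and the simplified semver parsing are all constructed for the demonstration.

```python
import json
from datetime import date

# Constructed sample manifest, in the shape of a package.json "dependencies" block.
SAMPLE_MANIFEST = json.dumps({
    "dependencies": {"jquery": "^1.8.3", "angular": "1.6.9", "lodash": "4.17.21"}
})

# Constructed advisory feed. Ids are placeholders, not real advisory numbers.
# Each entry covers versions in [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "jquery", "introduced": "0.0.0", "fixed": "1.9.0"},
    {"id": "ADV-EXAMPLE-002", "package": "angular", "introduced": "1.0.0", "fixed": "1.7.0"},
    {"id": "ADV-EXAMPLE-003", "package": "lodash", "introduced": "0.0.0", "fixed": "4.17.12"},
]

# Constructed release history (version -> release date) per package.
SAMPLE_RELEASES = {
    "jquery": {"1.8.3": date(2015, 1, 1), "3.6.0": date(2018, 3, 23)},
    "angular": {"1.6.9": date(2018, 1, 1), "1.8.3": date(2021, 1, 1)},
    "lodash": {"4.17.21": date(2021, 2, 20)},
}


def parse_version(spec: str) -> tuple:
    """Turn '^1.8.3', 'v2.0', or '4.17.21-beta' into a comparable (major, minor, patch)
    tuple. Range prefixes and pre-release/build tags are dropped: a deliberately
    simplified semver parser, enough for the comparison rules used here."""
    core = spec.lstrip("^~=v").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str, advisory: dict) -> bool:
    """True when the version falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(manifest_json: str, advisories: list, releases: dict) -> dict:
    """Inventory every dependency, list matching advisories, and compute how many
    days older the in-use version is than the newest release (the study's metric)."""
    manifest = json.loads(manifest_json)
    report = {}
    for name, spec in manifest.get("dependencies", {}).items():
        used = parse_version(spec)
        hits = [a["id"] for a in advisories if a["package"] == name and is_affected(spec, a)]
        history = releases.get(name, {})
        newest = max(history, key=parse_version) if history else None
        used_date = next((d for ver, d in history.items() if parse_version(ver) == used), None)
        behind = (history[newest] - used_date).days if newest and used_date else None
        report[name] = {
            "version": ".".join(str(n) for n in used),
            "advisories": hits,
            "newest": newest,
            "days_behind": behind,
        }
    return report


def alert_on_new_advisory(report: dict, advisory: dict) -> list:
    """Proactive alerting: when a new advisory is published, check it against the
    inventory from the last scan instead of re-scanning the whole code base."""
    name = advisory["package"]
    if name not in report or not is_affected(report[name]["version"], advisory):
        return []
    return [name]


if __name__ == "__main__":
    result = scan(SAMPLE_MANIFEST, SAMPLE_ADVISORIES, SAMPLE_RELEASES)
    for pkg, info in result.items():
        print(f"{pkg} {info['version']}: {len(info['advisories'])} advisories, "
              f"{info['days_behind']} days behind {info['newest']}")
    # A newly announced (constructed) advisory arrives after the scan.
    new_adv = {"id": "ADV-EXAMPLE-004", "package": "lodash",
               "introduced": "4.0.0", "fixed": "4.17.22"}
    print("alert:", alert_on_new_advisory(result, new_adv))
```

The scan step is what an SCA tool runs once over the code base; the alerting step is the cheap follow-up it can run every time the advisory feed changes, which is why a version inventory, rather than a one-off report, is the useful output to keep.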
Constantly updating to newer versions of libraries could keep developers from putting their time into new projects, but leaving current sites with known vulnerabilities is also problematic.
If you have a vulnerable site, people are going to stop visiting it, Dayaratna claims. This will cancel out any cost savings you gained from not updating your site properly.