Typically, applications contain both custom code – the code developed by an organization – and third-party libraries. Contrast Labs found that custom code represents an average of 21 percent of an application's code, and libraries occupy the remaining majority (79 percent) of the overall application. The average application contains 26.7 custom code vulnerabilities, as compared to just 2.0 common vulnerabilities and exposures (CVEs) in library code. As such, custom code accounts for 93 percent of an application's overall vulnerabilities.
"You shouldn't ignore vulnerabilities in your libraries – they can be quite serious. But your custom code is far more likely to have serious vulnerabilities, and so you should spend the vast majority of your security time and effort on your own source code," said Jeff Williams, CTO and cofounder of Contrast Security. "Don't panic if your open-source project reports vulnerabilities. Healthy software projects discover vulnerabilities and fix them frequently. The absence of vulnerability reports likely means that the software hasn't undergone thorough security testing."
Library Code Usage: Upending the Application Iceberg

When investigating libraries, Contrast Labs defined usage in two ways: library utilization, which counts a library as used when at least one of its classes is invoked by the application, and class utilization, the percentage of classes invoked within a utilized library. When looking closer at an application's codebase, the largest segment represents libraries with classes that are never called. Contrast Labs found that unused libraries account for 42 percent of an application's library code. This means the common "iceberg" view of applications – with the vast majority of code being libraries – doesn't reflect that most of those libraries actually consist of code the application never runs.
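The two usage definitions above, worked through on a constructed sample as an added example (this is not code from the Contrast Labs report or its platform; the library and class names are invented, and measuring "library code" by class count is an assumption, since the report does not state how it weights library size):

```python
# Constructed sample: libraries shipped with an application, keyed by library
# name, each listing the classes it contains (hypothetical names).
LIBRARY_CLASSES = {
    "json-parser": {"JsonReader", "JsonWriter", "JsonSchema", "JsonPointer"},
    "http-client": {"HttpClient", "HttpRequest", "HttpResponse", "Proxy", "Cookie"},
    "legacy-xml": {"XmlDom", "XmlSax", "XmlXslt"},
}

# Constructed sample: classes observed being invoked by the running
# application (as an in-process instrumentation agent might record them).
# "AppMain" is custom code, so it belongs to no library and is ignored.
INVOKED_CLASSES = {"JsonReader", "JsonWriter", "HttpClient", "HttpResponse", "AppMain"}


def utilized_libraries(library_classes, invoked):
    """Library utilization: libraries with at least one class invoked."""
    return {lib for lib, classes in library_classes.items() if classes & invoked}


def class_utilization(library_classes, invoked):
    """Class utilization: per library, percentage of its classes invoked."""
    return {
        lib: 100.0 * len(classes & invoked) / len(classes)
        for lib, classes in library_classes.items()
    }


def unused_library_code_share(library_classes, invoked):
    """Share of library code (assumption: weighted by class count) that sits
    in libraries the application never calls into at all."""
    total = sum(len(c) for c in library_classes.values())
    used = utilized_libraries(library_classes, invoked)
    unused = sum(len(c) for lib, c in library_classes.items() if lib not in used)
    return 100.0 * unused / total if total else 0.0


if __name__ == "__main__":
    print("utilized:", sorted(utilized_libraries(LIBRARY_CLASSES, INVOKED_CLASSES)))
    print("class utilization:", class_utilization(LIBRARY_CLASSES, INVOKED_CLASSES))
    print("unused library code: %.1f%%" % unused_library_code_share(LIBRARY_CLASSES, INVOKED_CLASSES))
```

Libraries with zero class utilization are the ones an inventory can drop outright, which removes their CVE exposure without touching custom code.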
Library CVEs by Language

The report found that library usage in applications varies widely across programming languages. On average, Java applications leverage 107 libraries, while .NET applications leverage 19. This stark difference is due to Java's open ecosystem, with many different versions of similar libraries, whereas .NET applications rely more heavily on common libraries from Microsoft. For Java, unused libraries account for 52.2 percent of the average application, while they represent only 30.7 percent of the average .NET application. At least one vulnerable library is contained in 95 percent of Java applications, in comparison to only nine percent of .NET applications.
Report Methodology

Contrast Labs analyzed 1,857 software applications, which included several thousand different open source libraries, frameworks, and modules. The data for this study is gathered directly and continuously from within running applications and APIs using Contrast's security analysis and protection platform. This report highlights analytics gathered by the platform, as well as Contrast Labs' commitment to educating and improving the open-source community.
About Contrast Security

Contrast Security is the world's leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production. More information can be found at www.contrastsecurity.com or by following Contrast on Twitter at @ContrastSec.
For more information:

Andrew Smith
SHIFT Communications for Contrast Security
[email protected]
+1-415-591-8438