Although third-party software libraries represent a majority of an application’s code, they account for less than seven percent of application vulnerabilities.
Typically, applications contain both custom code – the code developed by an organization – and third-party libraries. Contrast Labs analyzed 1,857 software applications, which included several thousand different open source libraries, frameworks, and modules, and found that custom code represents an average of 21 percent of an application’s code, and libraries occupy the remaining majority (79 percent) of the overall application.
The average application contains 26.7 custom code vulnerabilities, as compared to just 2.0 common vulnerabilities and exposures (CVEs) in library code. As such, custom code accounts for 93 percent of an application’s overall vulnerabilities.
“You shouldn’t ignore vulnerabilities in your libraries – they can be quite serious. But your custom code is far more likely to have serious vulnerabilities, and so you should spend the vast majority of your security time and effort on your own source code,” said Jeff Williams, CTO and cofounder of Contrast Security.
“Don’t panic if your open-source project reports vulnerabilities. Healthy software projects discover vulnerabilities and fix them frequently. The absence of vulnerability reports likely means that the software hasn’t undergone thorough security testing.”
Library code usage
When investigating libraries, Contrast Labs defined usage in two ways: library utilization, which represents libraries with at least one class invoked by the application, and class utilization, referring to the percentage of classes invoked within a utilized library. When looking closer at an application’s codebase, the largest segment represents libraries with classes that are never called.
The researchers found that unused libraries account for 42 percent of an application’s library code. This means the common “iceberg” view of applications – with the vast majority of code being libraries – doesn’t reflect that most libraries actually represent unused code.
Library CVEs by language
Library usage in applications may vary widely across programming languages. On average, Java applications leverage 107 libraries, while .NET applications leverage 19 libraries.
This stark difference is due to Java’s open ecosystem with many different versions of similar libraries, whereas .NET applications rely more heavily on common libraries for Microsoft.
For Java, unused libraries account for 52.2 percent of the average application, while they represent only 30.7 percent of an average application for .NET. At least one vulnerable library is contained in 95 percent of Java applications in comparison to only nine percent for .NET.