PRESS RELEASE: Software Libraries Represent Just Seven Percent of Application Vulnerabilities

Los Altos, Calif. – July 24, 2017 – Contrast Labs, the research arm of Contrast Security, the first company to enable self-protecting software, today announced its State of Application Security: Libraries & Software Composition Analysis Report. The data reveals that although third-party software libraries represent a majority (79 percent) of an application’s code, they account for less than seven percent of an application’s vulnerabilities.

Typically, applications contain both custom code – the code developed by an organization – and third-party libraries. Contrast Labs found that custom code represents an average of 21 percent of an application’s code, and libraries occupy the remaining majority (79 percent) of the overall application. The average application contains 26.7 custom code vulnerabilities, as compared to just 2.0 common vulnerabilities and exposures (CVEs) in library code. As such, custom code accounts for 93 percent of an application’s overall vulnerabilities.

“You shouldn’t ignore vulnerabilities in your libraries – they can be quite serious. But your custom code is far more likely to have serious vulnerabilities, and so you should spend the vast majority of your security time and effort on your own source code,” said Jeff Williams, CTO and cofounder of Contrast Security. “Don’t panic if your open-source project reports vulnerabilities. Healthy software projects discover vulnerabilities and fix them frequently. The absence of vulnerability reports likely means that the software hasn’t undergone thorough security testing.” 

Library Code Usage: Upending the Application Iceberg

When investigating libraries, Contrast Labs defined usage in two ways: library utilization, which represents libraries with at least one class invoked by the application, and class utilization, referring to the percentage of classes invoked within a utilized library. When looking closer at an application’s codebase, the largest segment represents libraries with classes that are never called. Contrast Labs found that unused libraries account for 42 percent of an application’s library code. This means the common “iceberg” view of applications – with the vast majority of code being libraries – doesn’t reflect that most libraries actually represent unused code. 

Library CVEs by Language

The report found that library usage in applications may vary widely across programming languages. On average, Java applications leverage 107 libraries, while .NET applications leverage 19 libraries. This stark difference is due to Java’s open ecosystem with many different versions of similar libraries, whereas .NET applications rely more heavily on common libraries for Microsoft. For Java, unused libraries account for 52.2 percent of the average application, while they represent only 30.7 percent of an average application for .NET. At least one vulnerable library is contained in 95 percent of Java applications in comparison to only nine percent for .NET.

Contrast Security is a strong supporter of open source and has several dozen open-source security projects available. For more information, please visit:

Report Methodology

Contrast Labs analyzed 1,857 software applications, which included several thousand different open source libraries, frameworks, and modules. The data for this study is gathered directly and continuously from within running applications and APIs using Contrast’s security analysis and protection platform. This report highlights analytics gathered by the platform, as well as Contrast Labs’ commitment to educating and improving the open-source community.


About Contrast Security
Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production. More information can be found at or by following Contrast on Twitter at @ContrastSec.

# # #

For more information:
Andrew Smith
SHIFT Communications for Contrast Security

Mark Hodgson, Vice President of Marketing

Mark's extensive experience spans over 28 years in marketing high-tech products and services to consumers and corporations. His specific area of expertise is application security and mobile application security.


Jacklyn Kellick 
Public Relations Manager

