Contrast Security Study Exposes Significant Time and Resource Drain in Software Supply Chain Security
2021 State of Open-source Security Report From Contrast Labs Reveals That Less Than 10% of Application Code is Active Third-Party Library Code
LOS ALTOS, Calif., April 8, 2021 - A new study by Contrast Security reveals that 62% of libraries found in applications are inactive — that is, are not used at all by the software. Additionally, in libraries that are active, 69% of library classes are not invoked by applications. Vulnerabilities in these unused portions of applications are reported as exploitable risk by legacy software composition analysis (SCA) tools. This exposes an organization to higher risk, operational inefficiency, and potential delays in software release cycles.
The 2021 State of Open-source Security Report was compiled by Contrast Security, the industry's only true application security platform. Its analysis is based on aggregate telemetry data from thousands of applications and application programming interfaces (APIs) protected by Contrast OSS and Contrast Assess. This methodology gives a rare glimpse into real-life software supply chains to assess the organizational risk posed by third-party libraries, and to identify best practices to minimize that risk.
Five Layers of Risk
Open-source libraries and frameworks are a critical element of the vast improvements in speed and efficiency of software factories over the past decade. Such code reuse is essential for integrated approaches like DevOps, but it is not without risk.
The report identifies and quantifies five layers of risk stemming from the use of third-party code: active and inactive libraries, active and inactive library classes, library age, open-source vulnerabilities, and license risk. "A key takeaway from the report is the critical need for a targeted approach to managing third-party software supply chain risks," said Jeff Williams, CTO and co-founder at Contrast Security. "Development and security teams expend significant time and resources remediating open-source vulnerabilities that pose no risk. Simply put, legacy SCA tools fail to provide the continuous open-source dependency observability demanded by modern software factories."
1. Active and Inactive Libraries: A Need for Observability
Data from Contrast Labs reveals that 62% of libraries found in applications are inactive — that is, not used by the software in any way. When a developer uses a library for a certain function, additional libraries are imported into the application that have nothing to do with that function. This creates complex dependency trees, and sorting out which libraries are active and inactive requires runtime visibility into routes taken by the software.
2. Active and Inactive Library Classes: More Layers of Unused Code
Even in active libraries, applications typically use only some parts of that library — known as classes. Even within active libraries, an average of only 31% of classes is invoked, leaving 69% unused. This also means that less than 10% of application code is active third-party library code. Again, determining which library classes pose potential risk requires observability into how the application interacts with the library classes.
3. Library Age: Risk Increases With Time
The average library version used in applications in the dataset was released 2.6 years ago. And while 28% of active libraries are less than a year old, 31% are more than two years old.
While it is not always advisable to use the very latest version of a library, allowing them to sit for years without being updated creates problems. For example, Contrast Labs data indicates that the odds of a Critical or Major vulnerability increases from 3% for libraries that are one year old to 13% for those that are five years old. In addition, the more changes between the library in use and the latest version, the more testing that is needed and the greater the likelihood that the change breaks the application — thus resulting in unplanned or unscheduled work.
4. Vulnerabilities: Too Many False Positives
While the average application contains 34 Common Vulnerabilities and Exposures (CVEs) from third-party libraries, an average 23% of these CVEs — and 18% of those categorized as Critical and Major — are found in inactive libraries and classes. These non-risky vulnerabilities are false positives when they appear alongside other vulnerabilities in reports compiled by legacy SCA tools.
"Vulnerabilities in inactive libraries and classes pose zero risk to an application, yet companies waste hours of time remediating them," said David Lindner, CISO and Head of Contrast Labs at Contrast Security. "Without observability into which libraries and classes are invoked by the application, many hours of staff time can be wasted addressing vulnerabilities that pose no risk."
5. License Risk: Potential Legal and Operational Pitfalls
Each third-party library should have some sort of license. Permissive licenses pose little or no risk, while copyleft licenses can require that an entire application be made open source — even if the library covered by the license provides only a very small part of the application's functionality. Contrast Labs data shows that license risk is quite high, with 69% of Java applications containing at least one high-risk license — and 95% containing a license of variable or unknown risk. "The license is legal protection against improper use of a library," said Lindner. "Licenses applied to a third-party library can change at any time, and keeping on top of not only current licenses but future licenses is a largely unmanaged risk for many organizations."
The 2021 State of Open-source Security Report highlights the increasing complexity of the software supply chain in modern software factories. Such complexity can increase risk, and organizations need to ensure that they have a strategy to mitigate the five layers of risk detailed in the report. This includes the following:
- Setting comprehensive policies for libraries, frameworks, and licensing
- Establishing continuous observability into active and inactive libraries and classes, library age, vulnerabilities, and licenses
- Embedding controls in continuous integration/continuous deployment (CI/CD) processes
"Recent exploitation of the software factory accentuates the critical need to secure the software supply chain," said Williams. "Findings from this report unequivocally demonstrate that traditional approaches to application security simply will not scale to address the business acceleration required by digital transformation while also protecting the software supply chain from malicious threats. Modern application security must focus on only vulnerabilities that pose risk."
About Contrast Security: Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software. Contrast's patented deep security instrumentation completely disrupts traditional application security approaches with integrated, comprehensive security observability that delivers highly accurate assessment and continuous protection of an entire application portfolio. This eliminates the need for disruptive scanning, expensive infrastructure workloads, and specialized security experts. The Contrast Application Security Platform accelerates development cycles, improves efficiencies and cost, and enables rapid scale while protecting applications from known and unknown threats.
Recent Press Releases
Contrast Security Rolls Out Open Source Software Sponsorship Program to Support Developers
Contrast Security to Address Serverless Application Vulnerabilities and Risks Enterprises Face Today at AWS re:Invent
Contrast Security SVP of Cyber Strategy Joins The Wall Street Journal Risk & Compliance Forum to Dissect New Government Regulations and Enforced Critical Infrastructure Cybersecurity Best Practices.
Award and Recognition
Contrast Security Makes Its Debut on the Inc. 5000 List of America’s Fastest Growing Companies
Contrast Security Named Enterprise Security Tech Cyber Top 20 Company
Contrast Security Named Publisher’s Choice DevSecOps and Market Leader Software Development Lifecycle Security by Global InfoSec Awards