Although third-party software libraries represent a majority (79%) of an application’s code and are widely seen as a weak link when it comes to app security, recent research shows that they account for less than 7% of any given app’s vulnerabilities.
According to Contrast Labs at Contrast Security, applications contain both custom code – the code developed by an organization – and third-party libraries, which are often open-source. The research found that custom code represents an average of 21% of an application’s code, and libraries occupy the remaining majority of the overall application. The average application contains 26.7 custom code vulnerabilities, as compared to just two common vulnerabilities and exposures (CVEs) in library code. As such, custom code accounts for 93% of an application’s overall vulnerabilities.
That said, organizations should be vigilant in terms of library flaws as their impact can be several orders of magnitude larger than flawed bespoke parts of an app. Unlike custom code, one open-source flaw can result in tens of millions of vulnerable devices thanks to code re-use, as seen recently with Devil’s Ivy.
“You shouldn’t ignore vulnerabilities in your libraries – they can be quite serious. But your custom code is far more likely to have serious vulnerabilities, and so you should spend the vast majority of your security time and effort on your own source code,” said Jeff Williams, CTO and co-founder of Contrast Security. “Don’t panic if your open-source project reports vulnerabilities. Healthy software projects discover vulnerabilities and fix them frequently. The absence of vulnerability reports likely means that the software hasn’t undergone thorough security testing.”
When investigating libraries, Contrast Labs defined usage in two ways: Library utilization, which represents libraries with at least one class invoked by the application, and class utilization, referring to the percentage of classes invoked within a utilized library. When looking closer at an application’s codebase, the largest segment represents libraries with classes that are never called. Contrast Labs found that unused libraries account for 42% of an application’s library code. This means the common “iceberg” view of applications – with the vast majority of code being libraries – doesn’t reflect that most libraries actually represent unused code.
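The two utilization measures above are straightforward to compute from an inventory of the classes each library ships and the set of classes observed being invoked at runtime. The following is an added example, not Contrast Labs’ tooling; the library names, class names and the set of vulnerable libraries are all constructed sample data, and the script uses them to rank vulnerable libraries by whether the application actually calls into them.

```python
# Constructed sample: the classes each bundled library contains (names are made up).
LIBRARY_CLASSES = {
    "commons-io-2.6.jar": {"org.ex.io.FileUtils", "org.ex.io.IOUtils",
                           "org.ex.io.LineIterator", "org.ex.io.Tailer"},
    "json-parser-1.2.jar": {"org.ex.json.Parser", "org.ex.json.Writer"},
    "legacy-xml-0.9.jar": {"org.ex.xml.Reader", "org.ex.xml.Schema",
                           "org.ex.xml.Validator"},
}

# Constructed sample: classes seen invoked during a test run (e.g. from an
# instrumentation agent or class-loading trace). The app's own class is included.
INVOKED = {"org.ex.io.FileUtils", "org.ex.io.IOUtils",
           "org.ex.json.Parser", "com.acme.app.Main"}

# Constructed sample: libraries flagged by a dependency scanner (placeholder set).
KNOWN_VULNERABLE = {"legacy-xml-0.9.jar", "json-parser-1.2.jar"}


def utilization(library_classes, invoked):
    """Per library: library utilization (any class invoked?) and class utilization
    (fraction of the library's classes that were invoked)."""
    report = {}
    for lib, classes in library_classes.items():
        used = classes & invoked
        report[lib] = {"utilized": bool(used),
                       "class_utilization": len(used) / len(classes)}
    return report


def unused_library_share(library_classes, invoked):
    """Fraction of all library code (counted by class) that sits in libraries
    with no invoked class at all, i.e. the 'unused library' segment."""
    total = sum(len(c) for c in library_classes.values())
    unused = sum(len(c) for c in library_classes.values() if not (c & invoked))
    return unused / total


def prioritize(library_classes, invoked, vulnerable):
    """Order vulnerable libraries for remediation: utilized ones first,
    then by class utilization (highest first), then by name for stability."""
    rep = utilization(library_classes, invoked)
    return sorted(vulnerable,
                  key=lambda lib: (not rep[lib]["utilized"],
                                   -rep[lib]["class_utilization"], lib))


if __name__ == "__main__":
    print(utilization(LIBRARY_CLASSES, INVOKED))
    print(f"unused library share: {unused_library_share(LIBRARY_CLASSES, INVOKED):.2%}")
    print("remediation order:", prioritize(LIBRARY_CLASSES, INVOKED, KNOWN_VULNERABLE))
```

A library that shows no invoked classes in one observed run may still be reached through reflection or rarely exercised code paths, so "unutilized" lowers its remediation priority rather than removing it from the list.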
The report also found that library usage varies widely across programming languages. On average, Java applications use 107 libraries, while .NET applications use 19. This stark difference is attributed to Java’s open ecosystem, with many different versions of similar libraries, whereas .NET applications rely more heavily on common libraries from Microsoft.
For Java, unused libraries account for 52.2% of the average application, compared with only 30.7% for the average .NET application. 95% of Java applications contain at least one vulnerable library, compared with only 9% of .NET applications.