Contrast Security Study Exposes Significant Time and Resource Drain in Software Supply Chain Security

2021 State of Open-source Security Report From Contrast Labs Reveals That Less Than 10% of Application Code is Active Third-Party Library Code

LOS ALTOS, Calif., April 8, 2021 /PRNewswire/ -- A new study by Contrast Security reveals that 62% of libraries found in applications are inactive — that is, are not used at all by the software. Additionally, in libraries that are active, 69% of library classes are not invoked by applications. Vulnerabilities in these unused portions of applications are reported as exploitable risk by legacy software composition analysis (SCA) tools. This exposes an organization to higher risk, operational inefficiency, and potential delays in software release cycles.

The 2021 State of Open-source Security Report was compiled by Contrast Security, the industry's only true application security platform. Its analysis is based on aggregate telemetry data from thousands of applications and application programming interfaces (APIs) protected by Contrast OSS and Contrast Assess. This methodology gives a rare glimpse into real-life software supply chains to assess the organizational risk posed by third-party libraries, and to identify best practices to minimize that risk.

Five Layers of Risk

Open-source libraries and frameworks are a critical element of the vast improvements in speed and efficiency of software factories over the past decade. Such code reuse is essential for integrated approaches like DevOps, but it is not without risk.

The report identifies and quantifies five layers of risk stemming from the use of third-party code: active and inactive libraries, active and inactive library classes, library age, open-source vulnerabilities, and license risk. "A key takeaway from the report is the critical need for a targeted approach to managing third-party software supply chain risks," said Jeff Williams, CTO and co-founder at Contrast Security. "Development and security teams expend significant time and resources remediating open-source vulnerabilities that pose no risk. Simply put, legacy SCA tools fail to provide the continuous open-source dependency observability demanded by modern software factories."

1. Active and Inactive Libraries: A Need for Observability

Data from Contrast Labs reveals that 62% of libraries found in applications are inactive — that is, not used by the software in any way. When a developer uses a library for a certain function, additional libraries are imported into the application that have nothing to do with that function. This creates complex dependency trees, and sorting out which libraries are active and inactive requires runtime visibility into routes taken by the software.

2. Active and Inactive Library Classes: More Layers of Unused Code

Even in active libraries, applications typically use only some parts of that library — known as classes. Even within active libraries, an average of only 31% of classes is invoked, leaving 69% unused. This also means that less than 10% of application code is active third-party library code. Again, determining which library classes pose potential risk requires observability into how the application interacts with the library classes.

3. Library Age: Risk Increases With Time

The average library version used in applications in the dataset was released 2.6 years ago. And while 28% of active libraries are less than a year old, 31% are more than two years old.

While it is not always advisable to use the very latest version of a library, allowing them to sit for years without being updated creates problems. For example, Contrast Labs data indicates that the odds of a Critical or Major vulnerability increases from 3% for libraries that are one year old to 13% for those that are five years old. In addition, the more changes between the library in use and the latest version, the more testing that is needed and the greater the likelihood that the change breaks the application — thus resulting in unplanned or unscheduled work.

4. Vulnerabilities: Too Many False Positives

While the average application contains 34 Common Vulnerabilities and Exposures (CVEs) from third-party libraries, an average 23% of these CVEs — and 18% of those categorized as Critical and Major — are found in inactive libraries and classes. These non-risky vulnerabilities are false positives when they appear alongside other vulnerabilities in reports compiled by legacy SCA tools.

"Vulnerabilities in inactive libraries and classes pose zero risk to an application, yet companies waste hours of time remediating them," said David Lindner, CISO and Head of Contrast Labs at Contrast Security. "Without observability into which libraries and classes are invoked by the application, many hours of staff time can be wasted addressing vulnerabilities that pose no risk."

5. License Risk: Potential Legal and Operational Pitfalls

Each third-party library should have some sort of license. Permissive licenses pose little or no risk, while copyleft licenses can require that an entire application be made open source — even if the library covered by the license provides only a very small part of the application's functionality. Contrast Labs data shows that license risk is quite high, with 69% of Java applications containing at least one high-risk license — and 95% containing a license of variable or unknown risk. "The license is legal protection against improper use of a library," said Lindner. "Licenses applied to a third-party library can change at any time, and keeping on top of not only current licenses but future licenses is a largely unmanaged risk for many organizations."

The 2021 State of Open-source Security Report highlights the increasing complexity of the software supply chain in modern software factories. Such complexity can increase risk, and organizations need to ensure that they have a strategy to mitigate the five layers of risk detailed in the report. This includes the following:

• Setting comprehensive policies for libraries, frameworks, and licensing
• Establishing continuous observability into active and inactive libraries and classes, library age, vulnerabilities, and licenses
• Embedding controls in continuous integration/continuous deployment (CI/CD) processes

"Recent exploitation of the software factory accentuates the critical need to secure the software supply chain," said Williams. "Findings from this report unequivocally demonstrate that traditional approaches to application security simply will not scale to address the business acceleration required by digital transformation while also protecting the software supply chain from malicious threats. Modern application security must focus on only vulnerabilities that pose risk."

REPORT: 2021 State of Open-source Security Report

PODCAST: Breaking Down Findings & Insights from the Contrast Security 2021 Open-source Security Report

BLOG POST: Contrast Study Finds That 62% of Libraries are Inactive and 69% of Classes in Active Libraries are Never Invoked in Applications

About Contrast Security: Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software. Contrast's patented deep security instrumentation completely disrupts traditional application security approaches with integrated, comprehensive security observability that delivers highly accurate assessment and continuous protection of an entire application portfolio. This eliminates the need for disruptive scanning, expensive infrastructure workloads, and specialized security experts. The Contrast Application Security Platform accelerates development cycles, improves efficiencies and cost, and enables rapid scale while protecting applications from known and unknown threats.

CONTACT:
Contrast Security
Patrick Spencer 
patrick.spencer@contrastsecurity.com
888-371-1333