Contrast Security Study Exposes Significant Time and Resource Drain in Software Supply Chain Security
2021 State of Open-source Security Report From Contrast Labs Reveals That Less Than 10% of Application Code is Active Third-Party Library Code
LOS ALTOS, Calif., April 8, 2021 /PRNewswire/ -- A new study by Contrast Security reveals that 62% of libraries found in applications are inactive, meaning the application never uses them at all. Additionally, within the libraries that are active, 69% of library classes are never invoked by the application. Legacy software composition analysis (SCA) tools nonetheless report vulnerabilities in these unused portions as exploitable risk. The result is a backlog of findings that cannot be reached at runtime, which diverts remediation effort from the vulnerabilities that are actually exploitable, creates operational inefficiency, and can delay software release cycles.
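The active/inactive distinction above can be reproduced from ordinary JVM telemetry. The following added example (not code from Contrast Security or the report) takes a constructed library inventory, a constructed class-load log in the JDK 9+ unified-logging `-Xlog:class+load` format, and a constructed list of SCA findings with hypothetical ids, then computes the two ratios the release quotes and labels each finding by whether its vulnerable class was ever loaded. It uses class loading as a stand-in for class invocation, which is a coarser signal than the report's instrumentation-based measurement; the jar names, class names, log lines and finding ids are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed library inventory: jar name -> classes it ships. Stands in for the
# bill of materials an SCA tool builds; no real projects are described.
INVENTORY = {
    "lib-a-1.0.jar": {"com.example.a.Core", "com.example.a.Util",
                      "com.example.a.Legacy", "com.example.a.Extra"},
    "lib-b-2.3.jar": {"com.example.b.Parser", "com.example.b.Writer"},
    "lib-c-0.9.jar": {"com.example.c.Engine", "com.example.c.Plugin",
                      "com.example.c.Debug"},
    "lib-d-4.1.jar": {"com.example.d.Client"},
}

# Constructed runtime telemetry in the JDK unified-logging class+load format
# (the shape `java -Xlog:class+load ...` prints). The repeated Engine line
# shows that a class loaded more than once still counts as one used class.
CLASS_LOAD_LOG = """\
[0.031s][info][class,load] java.lang.Object source: shared objects file
[0.412s][info][class,load] com.example.a.Core source: file:/app/lib/lib-a-1.0.jar
[0.413s][info][class,load] com.example.a.Util source: file:/app/lib/lib-a-1.0.jar
[0.520s][info][class,load] com.example.c.Engine source: file:/app/lib/lib-c-0.9.jar
[0.901s][info][class,load] com.example.c.Engine source: file:/app/lib/lib-c-0.9.jar
"""

# Constructed SCA findings with hypothetical ids (not real advisories): each
# names the library and the class in which the reported flaw lives.
FINDINGS = [
    {"id": "FINDING-1", "library": "lib-a-1.0.jar", "class": "com.example.a.Legacy"},
    {"id": "FINDING-2", "library": "lib-a-1.0.jar", "class": "com.example.a.Core"},
    {"id": "FINDING-3", "library": "lib-b-2.3.jar", "class": "com.example.b.Parser"},
    {"id": "FINDING-4", "library": "lib-d-4.1.jar", "class": "com.example.d.Client"},
]

LOAD_RE = re.compile(r"\[class,load\]\s+(\S+)\s+source:\s+(\S+)")


def parse_class_loads(log):
    """Return {jar name: set of classes the JVM loaded from that jar}."""
    loaded = defaultdict(set)
    for line in log.splitlines():
        m = LOAD_RE.search(line)
        if not m:
            continue
        cls, source = m.groups()
        if not source.endswith(".jar"):
            continue  # JDK classes, CDS archive, etc. are not third-party code
        loaded[source.rsplit("/", 1)[-1]].add(cls)
    return dict(loaded)


def library_activity(inventory, loaded):
    """Split the inventory into active/inactive libraries and compute the two
    ratios the report quotes: inactive libraries, and unused classes inside
    the libraries that are active."""
    active = sorted(lib for lib in inventory if loaded.get(lib))
    inactive = sorted(set(inventory) - set(active))
    shipped = sum(len(inventory[lib]) for lib in active)
    used = sum(len(inventory[lib] & loaded[lib]) for lib in active)
    return {
        "active": active,
        "inactive": inactive,
        "inactive_library_pct": round(100 * len(inactive) / len(inventory), 1),
        "unused_class_pct": round(100 * (shipped - used) / shipped, 1) if shipped else 0.0,
    }


def triage(findings, inventory, loaded):
    """Label each finding by how reachable its vulnerable class was at runtime."""
    result = []
    for f in findings:
        lib, cls = f["library"], f["class"]
        if lib not in inventory:
            status = "unknown-library"
        elif not loaded.get(lib):
            status = "library-inactive"
        elif cls in loaded[lib]:
            status = "class-loaded"
        else:
            status = "class-not-loaded"
        result.append((f["id"], status))
    return result


if __name__ == "__main__":
    loaded = parse_class_loads(CLASS_LOAD_LOG)
    print(library_activity(INVENTORY, loaded))
    for fid, status in triage(FINDINGS, INVENTORY, loaded):
        print(fid, status)
```

On the constructed data this reports half the libraries inactive and 57.1% of classes in active libraries unused, and only FINDING-2 lands in a class the application actually loaded. Two caveats apply when doing this for real: a log from one run only proves what was loaded under that run's inputs, so "library-inactive" and "class-not-loaded" are reasons to deprioritize a finding, not to close it, and loading a class is not the same as invoking the vulnerable method in it, so "class-loaded" still needs a call-path check before it is treated as exploitable.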
The 2021 State of Open-source Security Report was compiled by Contrast Security, the industry's only true application security platform. Its analysis is based on aggregate telemetry data from thousands of applications and application programming interfaces (APIs) protected by Contrast OSS and Contrast Assess. This methodology gives a rare glimpse into real-life software supply chains to assess the organizational risk posed by third-party libraries, and to identify best practices to minimize that risk.
Five Layers of Risk
Open-source libraries and frameworks are a critical element of the vast improvements in speed and efficiency of software factories over the past decade. Such code reuse is essential for integrated approaches like DevOps, but it is not without risk.
The report identifies and quantifies five layers of risk stemming from the use of third-party code: active and inactive libraries, active and inactive library classes, library age, open-source vulnerabilities, and license risk. "A key takeaway from the report is the critical need for a targeted approach to managing third-party software supply chain risks," said Jeff Williams, CTO and co-founder at Contrast Security. "Development and security teams expend significant time and resources remediating open-source vulnerabilities that pose no risk. Simply put, legacy SCA tools fail to provide the continuous open-source dependency observability demanded by modern software factories."