Research finds vulnerabilities in 97 percent of applications
Data from 3,900 tests conducted on 2,600 software or systems targets reveals that 97 percent had some form of vulnerability, 30 percent of the targets had high-risk vulnerabilities, and six percent had critical-risk vulnerabilities.
In the research from Synopsys, 83 percent of the tested targets were web applications or systems, 12 percent were mobile applications, and the remainder were either source code or network systems/applications. Industries represented in the tests include software and internet, financial services, business services, manufacturing, media and entertainment, and healthcare.
"Cloud-based deployments, modern technology frameworks, and the rapid pace of delivery are forcing security groups to react more quickly as software is released," says Girish Janardhanudu, vice president, security consulting at Synopsys Software Integrity Group. "With insufficient AppSec resources in the market, organizations are leveraging application testing services such as those Synopsys provides in order to flexibly scale their security testing. We've seen a heavy increase in assessment demand throughout the pandemic."
OWASP Top 10 vulnerabilities were discovered in 76 percent of the targets, while application and server misconfigurations accounted for 21 percent of the overall vulnerabilities found.
On mobile applications, 80 percent of the discovered vulnerabilities relate to insecure data storage, which could be exploited by an attacker who gains access to the mobile device, either physically or through malware. Vulnerabilities associated with insecure communications were uncovered in 53 percent of the mobile tests.
Although 64 percent of the vulnerabilities discovered in the tests are considered minimal-, low-, or medium-risk, even these can be exploited to facilitate attacks, so uncovering them is not a wasted exercise.
Vulnerable third-party libraries were found in 18 percent of the penetration tests conducted, highlighting the need for a software bill of materials (SBOM) to track the components an application uses.
The full report is available from the Synopsys site.