According to a report by Synopsys, 97% of the software and system targets tested during 2020 contained at least one vulnerability. Furthermore, 30% of the targets had high-risk vulnerabilities, which threat actors could exploit to reach high-value resources, and 6% had critical-risk vulnerabilities, which could let an attacker execute code and expose critical data on a web or mobile application or on its application servers.
Insecure data storage and insecure communication vulnerabilities plague mobile applications. Eighty percent of the vulnerabilities discovered in the mobile tests were related to insecure data storage. These weaknesses are exploitable by an attacker who gains access to the mobile device, either physically (e.g., a stolen device) or through malware running on it. Fifty-three percent of the mobile tests uncovered vulnerabilities associated with insecure communications.
Moreover, application and server misconfigurations represented 21% of the overall vulnerabilities, 19% of the vulnerabilities identified were related to broken access control, and 28% of the total test targets had some exposure to cross-site scripting (XSS), one of the most prevalent and damaging vulnerability classes affecting web applications. Because many XSS flaws manifest only in the running application, where user input is actually assembled into a page, the report recommends combining a broad range of testing tools rather than relying on a single technique, so that dynamic testing of the running application complements analysis of the source.
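To make the "only when the application is running" point concrete, the following is an added example (it is not code from the Synopsys report or from any tested product): a minimal reflected-XSS probe of the kind a dynamic application security test (DAST) sends to a live application, run here against two constructed in-process request handlers, one that interpolates user input straight into HTML and one that output-encodes it, so the check works offline. The handler names, the canary string and the response bodies are all assumptions made for the example.

```python
"""Added example, not part of the original article or the Synopsys report.
A reflected-XSS probe in the style of a DAST check, exercised against two
constructed handlers so it runs without a network."""
import html
import re

# Constructed canary: inert on its own, but a browser would parse it as an
# element (and evaluate the onload handler) if a page reflects it unencoded.
CANARY = '<xss-canary onload=1>'


def vulnerable_search(query: str) -> str:
    """Constructed handler: untrusted input is interpolated raw into HTML."""
    return f"<html><body><h1>Results for {query}</h1></body></html>"


def hardened_search(query: str) -> str:
    """Constructed handler: the untrusted value is entity-encoded for an HTML
    text context before being placed in the page."""
    return f"<html><body><h1>Results for {html.escape(query, quote=True)}</h1></body></html>"


def reflects_unencoded(handler, canary: str = CANARY) -> bool:
    """Send the canary as the 'user input' and report whether the response
    carries it back as live markup rather than as encoded text.

    This is a runtime check: it only looks at what the running handler
    actually emits, which is what a DAST tool observes."""
    body = handler(canary)
    # Exact raw reflection of the probe.
    if canary in body:
        return True
    # Partial encodings still leave an element start if '<' survives.
    return re.search(r'<xss-canary\b', body) is not None


def audit(handlers: dict) -> dict:
    """Probe every handler and map its name to True if it reflects the
    canary unencoded (i.e., is reflected-XSS prone)."""
    return {name: reflects_unencoded(handler) for name, handler in handlers.items()}


if __name__ == "__main__":
    results = audit({"vulnerable_search": vulnerable_search,
                     "hardened_search": hardened_search})
    for name, exposed in results.items():
        print(f"{name}: {'REFLECTED UNENCODED' if exposed else 'encoded'}")
```

The probe reports `vulnerable_search` as reflecting the canary unencoded and `hardened_search` as safe. Note that `html.escape` is the right encoding only for an HTML text or quoted-attribute context; input placed into a script block, an event-handler attribute or a URL needs the encoding for that context, and a probe like this one should be extended with a canary per context before being relied on.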
The industries represented in the tests included software and internet, financial services, business services, manufacturing, media and entertainment, and health care. Of the tested targets, 83% were web applications and systems, 12% were mobile apps, and the remainder were source code, network systems, or other applications. Given how heavily these industries rely on software, it is crucial to remediate the identified vulnerabilities before they can severely impact the business.
The data set was compiled from 3,937 tests performed by Synopsys security consultants during customer engagements, including penetration testing, dynamic application security testing, and mobile application security analyses, all designed to probe running applications in the same way a real-world attacker would.
Read the full report by Synopsys.