The 2023 Software Vulnerability Snapshot Report reveals a 14% decrease in the number of vulnerabilities found over the past two years
SUNNYVALE, Calif., November 14, 2023 /PRNewswire/ — Synopsys, Inc. (Nasdaq: SNPS) today published its 2023 Software Vulnerability Snapshot report. According to the data analyzed by the Synopsys Cybersecurity Research Center (CyRC), the proportion of tests that found vulnerabilities in target applications declined significantly, from 97% in 2020 to 83% in 2022, an encouraging sign that code reviews, automated testing and continuous integration help reduce common programming errors.
The report details three years of data (2020 – 2022) from tests conducted by Synopsys Security Testing Services, with targets consisting of web applications, mobile applications, network systems and source code. Tests are designed to examine running applications as a real attacker would, using multiple security testing techniques including penetration testing (pen testing), dynamic application security testing (DAST), mobile application security testing (MAST), and network security testing.
While this is a positive development for the industry, the data also shows that relying on a single security testing solution, such as static application security testing (SAST), is no longer sufficient. For example, server misconfigurations represented an average of 18% of the total vulnerabilities found during the three years of testing. Without a multi-layered security approach that combines SAST to identify coding flaws, DAST to examine running applications, software composition analysis (SCA) to identify vulnerabilities introduced by third-party components, and penetration testing to identify issues that internal testing may have missed, these types of vulnerabilities are likely to remain unchecked.
“For the first time in years, we are seeing a decrease in the number of known software vulnerabilities, providing new hope that organizations are taking security seriously and prioritizing a strategic and holistic approach to software security to make a lasting impact,” said Jason Schmitt, Managing Director of Synopsys Software Integrity Group. “As hackers have become more sophisticated, a multi-layered security approach is needed more than ever to identify where software risks live and protect businesses from exploitation.”
Additional findings include:
- High severity vulnerabilities are less likely: On average over the past three years, 92% of tests revealed some form of vulnerability. However, only 27% of those tests contained high-severity vulnerabilities, and 6.2% contained critical-severity vulnerabilities.
- Leaked information remains a major risk: The top security issue remained unchanged from 2020 to 2022: information leakage, which occurs when sensitive information is exposed to unauthorized parties. On average, 19% of total vulnerabilities were directly related to information leakage issues.
- Cross-site scripting is on the rise: Of all high-risk vulnerabilities found in 2022, 19% were cross-site scripting (XSS) issues.
- Third-party software poses increased risks: Vulnerable third-party libraries ranked among the top 10 security vulnerabilities in 2022, appearing as a risk in 25% of tests conducted. Software is likely to be vulnerable if the versions of all components used, including third-party and open source components, are not known.
For more information, download the 2023 Software Vulnerability Snapshot: A Three-Year Analysis of the 10 Most Common Web and Software Application Vulnerabilities or read the detailed blog post.
About the Synopsys Software Integrity Group
Synopsys Software Integrity Group provides integrated solutions that transform the way development teams build and deliver software, accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and works with third-party and open source tools, allowing organizations to leverage existing investments to build the security program that best suits them. Only Synopsys offers everything you need to build trust in your software. For more information, visit www.synopsys.com/software.
Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for innovative companies developing the electronic products and software applications we rely on every day. An S&P 500 company, Synopsys has a long history as a global leader in electronic design automation (EDA) and semiconductor IP and offers the industry’s broadest portfolio of application security testing tools and services. Whether you are a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing more secure, high-quality code, Synopsys has the solutions needed to deliver innovative products. More information can be found at www.synopsys.com.
SOURCE Synopsys, Inc.