There has been a significant decrease in the number of vulnerabilities found in target applications – from 97% in 2020 to 83% in 2022 – an encouraging sign that code reviews, automated testing and continuous integration are helping reduce common programming errors, Synopsys said.
The report details three years of data (2020 – 2022) from tests conducted by Synopsys Security Testing Services, with targets consisting of web applications, mobile applications, network systems and source code.
Tests are designed to examine running applications as a real attacker would, using multiple security testing techniques including penetration testing (pen testing), dynamic application security testing (DAST), mobile application security testing (MAST), and network security testing.
While this is a positive development for the industry, the data also shows that relying on a single security testing solution, such as static application security testing (SAST), is no longer a sufficient approach.
For example, server misconfigurations represented an average of 18% of the total vulnerabilities found during the three years of testing. Without a multi-layered security approach that combines SAST to identify coding flaws, DAST to examine running applications, software composition analysis (SCA) to identify vulnerabilities introduced by third-party components, and penetration testing to identify issues that may have been overlooked by internal tests, these types of vulnerabilities are unlikely to be detected.
Decrease in known software vulnerabilities
Advances in programming languages and integrated development environments (IDEs) now provide built-in checks and tools to help developers catch bugs before they become major problems. In the case of popular open source projects, many communities have also increased their scrutiny of the code, leading to higher quality standards.
With more and more attackers using automated exploitation tools that can attack thousands of systems in seconds, resolving high- and critical-risk vulnerabilities becomes urgent as soon as they are discovered, not least because well over half of reported vulnerabilities are exploited within a week of disclosure.
Security or vulnerability issues in deployed applications tend to worsen over time, not only because of their potential to disrupt an organization’s (or its customers’) business operations, but also because of their impact on the entire SDLC and, by extension, on the software supply chain.
“For the first time in years, we are seeing a decrease in the number of known vulnerabilities in software, providing new hope that organizations are taking security seriously and prioritizing a strategic and holistic approach to software security to make a lasting impact,” said Jason Schmitt, GM of Synopsys Software Integrity Group. “As hackers have become more sophisticated, a multi-layered security approach is needed more than ever to identify where software risks live and protect businesses from exploitation.”
Leaked information remains a major risk
On average over the past three years, 92% of tests revealed some form of vulnerability. However, only 27% of those tests contained high-severity vulnerabilities, and 6.2% contained critical-severity vulnerabilities.
The top security issue remained unchanged between 2020 and 2022: information leakage, a major security problem that occurs when sensitive information is exposed to unauthorized parties. On average, 19% of total vulnerabilities were directly related to information leakage issues.
Of all high-risk vulnerabilities found in 2022, 19% were found to be susceptible to cross-site scripting attacks. Vulnerable third-party libraries, one of the top 10 security vulnerability categories in 2022, were found to pose a risk in 25% of the tests conducted.
Software is likely to be vulnerable if you do not know the versions of all components used, including third-party and open source components.