Synopsys releases "2022 Software Vulnerability Snapshot" report

Publisher: EE小广播 | Latest update: 2022-12-22 | Source: EEWORLD | Keywords: Synopsys

95% of tested applications contain vulnerabilities, and 25% contain high- or critical-severity vulnerabilities


For leaders of software security programs, a clear understanding of the risks in their software helps them plan security work and make strategic improvements to their security efforts.




Synopsys (Nasdaq: SNPS) recently released its "2022 Software Vulnerability Snapshot" report. The report analyzes the results of more than 4,300 security tests performed on more than 2,700 targets, including web applications, mobile applications, source code files and network systems (i.e., software or systems). Most of the tests were intrusive "black box" or "gray box" tests, including penetration testing, dynamic application security testing (DAST) and mobile application security testing (MAST), designed to probe a running application the way an attacker would in a real environment.


The study found that 82% of test targets were web applications or systems, 13% were mobile applications, and the remainder were source code or network systems/applications. Industries represented in the tests include software and internet, financial services, business services, manufacturing, consumer services and healthcare.




Across the more than 4,300 tests, Synopsys found that 95% of targets had some form of vulnerability (2 percentage points below last year's finding), 20% had high-severity vulnerabilities (10 points below last year) and 4.5% had critical-severity vulnerabilities (1.5 points below last year).


The findings support a layered approach to security testing that uses the full range of available tools, including static analysis, dynamic analysis and software composition analysis, to reduce the number of vulnerabilities that reach an application or system in production. For example, 22% of test targets were exposed to cross-site scripting (XSS), one of the most common and damaging high/critical-severity vulnerabilities affecting web applications, and one that is mostly surfaced by testing the application while it is running. The good news is that this figure is 6 percentage points lower than last year's, which suggests that enterprises are taking proactive steps to reduce XSS in their applications.
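The runtime nature of XSS is why DAST and penetration tests find so much of it: the tester sends a payload and watches whether the running application echoes it back unescaped. The following is an added illustration written for this page, not code from Synopsys or the report. It assumes two constructed request handlers (one that reflects a query parameter verbatim, one that HTML-escapes it) standing in for an application under test, and a small DAST-style probe that distinguishes an unescaped reflection from an escaped one.

```python
import html
import secrets
from urllib.parse import parse_qs, quote, urlparse

# Two constructed request handlers stand in for an application under test.
# Each takes a full URL and returns the HTML page the server would send.


def vulnerable_search(url: str) -> str:
    """Reflects the 'q' parameter into the page verbatim (a reflected XSS sink)."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def hardened_search(url: str) -> str:
    """Same page, but HTML-escapes the parameter before interpolating it."""
    q = parse_qs(urlparse(url).query).get("q", [""])[0]
    return f"<html><body><h1>Results for {html.escape(q, quote=True)}</h1></body></html>"


def probe_reflected_xss(handler, base_url: str, param: str) -> dict:
    """DAST-style reflection probe (hypothetical helper for this example).

    Sends a payload made of HTML metacharacters plus a random marker, then
    checks whether the payload comes back byte-for-byte (unescaped) or only
    in its HTML-escaped form. The random marker stops static page content
    from producing a false positive.
    """
    marker = "zx" + secrets.token_hex(4)
    payload = f'"><svg/onload={marker}>'
    url = f"{base_url}?{param}={quote(payload, safe='')}"
    body = handler(url)
    raw_reflected = payload in body
    escaped_reflected = html.escape(payload, quote=True) in body
    return {
        "url": url,
        "vulnerable": raw_reflected,
        "escaped": escaped_reflected and not raw_reflected,
        "not_reflected": not raw_reflected and not escaped_reflected,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_search), ("hardened", hardened_search)):
        print(name, probe_reflected_xss(handler, "https://app.example/search", "q"))
```

A real scanner repeats this probe per parameter and per output context (HTML text, attribute, JavaScript string, URL), because escaping that is correct for one context is not sufficient for another; the handler above is hardened only for the HTML text context it writes into.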


Girish Janardhanudu, vice president of security consulting for Synopsys Software Quality and Security, said: "This research report highlights that the use of intrusive black-box testing techniques such as DAST and penetration testing can effectively discover vulnerabilities in the software development life cycle. A comprehensive application security testing program should include these types of security tools."


The 2022 Software Vulnerability Snapshot report also found:


Vulnerabilities from the OWASP Top 10 were found in 78% of test targets. Application and server misconfigurations accounted for 18% of all vulnerabilities found in the tests (3 percentage points below last year's finding), led by "A05:2021 - Security Misconfiguration". Another 18% of the vulnerabilities discovered fall under "A01:2021 - Broken Access Control" in the 2021 OWASP Top 10 (1 point below last year).


A software bill of materials (SBOM) is urgently needed. Vulnerable third-party libraries were discovered in 21% of penetration tests (3 percentage points above last year's finding), corresponding to "A06:2021 - Vulnerable and Outdated Components" in the 2021 OWASP Top 10. Most businesses build the software they sell or use internally from a mix of custom code, commercial off-the-shelf code and open source components, yet they often keep only an informal bill of materials, or none at all, and cannot say which components their software uses or the license, version and patch status of each one. Many companies run hundreds of applications or software systems, and each of those may contain hundreds or thousands of different third-party and open source components. They therefore urgently need an accurate, up-to-date SBOM to track these components effectively.
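What an SBOM buys you in practice is the ability to answer "are we shipping an affected version?" mechanically instead of by asking each team. The block below is an added example for this page, not Synopsys code or part of the report. It assumes a constructed minimal CycloneDX 1.4 SBOM with invented package names, a constructed advisory list (not a real vulnerability database) keyed by version-less package URL, and a deliberately simple version comparison that ignores pre-release tags.

```python
import json
import re

# Constructed minimal CycloneDX 1.4 SBOM for a hypothetical application.
# The package names and versions are invented for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-json", "version": "2.4.1",
     "purl": "pkg:maven/com.acme/acme-json@2.4.1"},
    {"type": "library", "name": "acme-router", "version": "1.9.3",
     "purl": "pkg:npm/acme-router@1.9.3"},
    {"type": "library", "name": "acme-auth", "version": "3.0.0",
     "purl": "pkg:pypi/acme-auth@3.0.0"}
  ]
}"""

# Constructed advisory feed (hypothetical identifiers, not real advisories).
# Each entry names the package by version-less purl plus the affected range.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl": "pkg:maven/com.acme/acme-json",
     "affected": ">=2.0.0,<2.5.0", "fixed_in": "2.5.0"},
    {"id": "ADV-EXAMPLE-2", "purl": "pkg:npm/acme-router",
     "affected": "<1.8.0", "fixed_in": "1.8.0"},
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> tuple:
    """Dotted numeric version -> zero-padded 3-tuple so that 2.15 == 2.15.0.
    Simplification: pre-release/build tags (e.g. '-rc1') are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str, range_spec: str) -> bool:
    """True if version satisfies every comma-separated constraint in range_spec."""
    v = parse_version(version)
    for constraint in range_spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.\-]+)\s*", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Walk the SBOM components and report those inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # unidentifiable component; a real pipeline should flag this too
        base, sep, version = purl.rpartition("@")
        if not sep:  # purl without a version: fall back to the component's version field
            base, version = purl, comp.get("version", "")
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv["affected"]):
                findings.append({"id": adv["id"], "purl": purl, "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['id']}: {f['purl']} affected, upgrade to {f['fixed_in']}")
```

The package URL is the join key that makes this work across ecosystems; an SBOM that records only free-text names and versions forces fuzzy matching and is where most false negatives come from. Production tooling should also use an ecosystem-aware version comparator rather than the numeric simplification above.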


Low-risk vulnerabilities can also be used to mount attacks. 72% of the vulnerabilities discovered during testing were rated low or medium risk, meaning an attacker cannot directly exploit them to gain access to systems or sensitive data. Their risk should still not be underestimated, because attackers use even lower-risk findings as building blocks for an attack. For example, verbose server banner information (found in 49% of DAST tests and 42% of penetration tests) reveals the server's name, type and version number, which an attacker can use to select exploits for that specific technology stack.
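The banner finding is cheap to check for and cheap to fix, which is why it tops the low-severity list. The following is an added example written for this page, not code from Synopsys or the report. It assumes two constructed HTTP responses (a verbose one and a hardened one, not captured from any real host) and a small checker that flags headers carrying product versions or naming the underlying technology.

```python
import re
from typing import Dict, List

# Response headers that commonly disclose the technology stack or its version.
DISCLOSING_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*")

# Constructed HTTP responses for the example (not captured from a real host).
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x response into a lower-cased header dict (body ignored)."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw_response: str) -> List[Dict[str, object]]:
    """Report disclosing headers. A version string is a version_disclosure;
    a stack-naming header with no version (other than a bare Server product
    name) is a technology_disclosure."""
    findings: List[Dict[str, object]] = []
    for name, value in parse_headers(raw_response).items():
        if name not in DISCLOSING_HEADERS:
            continue
        versions = VERSION_RE.findall(value)
        if versions:
            findings.append({"header": name, "value": value,
                             "versions": versions, "kind": "version_disclosure"})
        elif name != "server":
            findings.append({"header": name, "value": value,
                             "versions": [], "kind": "technology_disclosure"})
    return findings


if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, banner_findings(resp))
```

The verbose response leaks the web server, OS distribution, TLS library and language runtime versions in one line; the hardened response is what Apache httpd emits with `ServerTokens Prod` (nginx: `server_tokens off;`, PHP: `expose_php = Off`). Suppressing the banner does not remove the underlying versions, so treat the finding as a prompt to patch, not only to hide.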

