The 2021 Software Vulnerability Snapshot report uncovers the issues impacting web and mobile apps and what AppSec tools and activities can minimize risks.
One of the most compelling reasons organizations use third-party application security testing is to extend their own software security testing capability when circumstances make adding new resources problematic. That’s certainly the case in today’s pandemic environment. According to research from Cybersecurity Ventures, the number of unfilled cybersecurity positions in the world currently is over 3.5 million—enough people to fill 50 football stadiums.
In the U.S., nearly half of the estimated 950,000 cybersecurity positions are unfilled. The CyberSeek project of the National Institute of Standards and Technology in the U.S. Department of Commerce calls this a dangerous shortage, especially when you consider the rise of cyberattacks, data breaches, and ransomware holdups over the past 18 months.
“We’ve seen a heavy increase in assessment demand throughout the pandemic,” Girish Janardhanudu, vice president of security consulting at Synopsys Software Integrity Group, said. “Cloud-based deployments, modern technology frameworks, and the rapid pace of delivery are forcing security groups to react more quickly as software is released. With insufficient AppSec resources in the market, organizations are leveraging application testing services such as those Synopsys provides in order to flexibly scale their security testing.”
Synopsys recently published its “2021 Software Vulnerability Snapshot” report, examining data from 3,900 tests on commercial web and mobile applications conducted by Synopsys security consultants during 2020. Industries represented in the report include software and internet, financial services, business services, manufacturing, media and entertainment, and healthcare. The tests included penetration testing, dynamic application security testing, and mobile application security analyses, designed to probe running applications as a real-world attacker would, with the goal of identifying vulnerabilities that could then be triaged and remediated as necessary.
A full 97% of the tests uncovered some form of vulnerability, with 30% having high-risk vulnerabilities and 6% having critical-risk vulnerabilities. Twenty-eight percent of the applications tested had some exposure to cross-site scripting attacks, one of the most prevalent and destructive high-/critical-risk vulnerabilities impacting web applications.
The report makes it clear why a full spectrum of application security testing is an essential component of managing software risk in today’s world. While “transparent box” testing such as static application security testing (SAST) can bring visibility to security issues early in the software development life cycle, SAST cannot uncover runtime security vulnerabilities. And some vulnerabilities cannot be easily detected by automated testing tools—they need human oversight to be uncovered.
For example, the only effective way to detect an insecure direct object reference (IDOR), an issue that allows attackers to manipulate references in order to gain access to unauthorized data, is by having a human perform a manual test.
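To make the IDOR point concrete, here is an added illustration that is not part of the article or the Synopsys report: a minimal API handler that looks up an invoice by a client-supplied id without checking ownership, beside a hardened version that enforces it, and the cross-account check a human tester performs to tell the two apart. The data store, user ids and invoice ids are constructed for the example; the function names are hypothetical.

```python
"""
Added example (not from the article or the report): an insecure direct
object reference (IDOR) in an API handler, its hardened form, and the
ownership audit a manual tester runs. All ids and records are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: user 7 owns invoice 1001, user 8 owns invoice 1002.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=7, amount=120.00),
    1002: Invoice(invoice_id=1002, owner_id=8, amount=5400.00),
}


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Optional[dict]:
    """The IDOR: the caller is authenticated (session_user_id is known), but
    the record is fetched purely by the id the client supplied, so any user
    can read any invoice by changing the number."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return None
    return {"invoice_id": inv.invoice_id, "amount": inv.amount}


def get_invoice_hardened(session_user_id: int, invoice_id: int) -> Optional[dict]:
    """Same lookup with an authorization check: the record is returned only
    when it belongs to the authenticated user. A foreign record gets the same
    'not found' result as a missing one, so the response does not confirm
    that the id exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        return None
    return {"invoice_id": inv.invoice_id, "amount": inv.amount}


def looks_like_success(resp: Optional[dict]) -> bool:
    """What an automated scanner sees on a single request: a well-formed
    response. Without knowing who should own which record, the vulnerable and
    hardened handlers are indistinguishable for a legitimate request."""
    return resp is not None and "invoice_id" in resp


def cross_account_audit(handler: Callable[[int, int], Optional[dict]]) -> List[Tuple[int, int]]:
    """The check a human tester performs with knowledge of the data model:
    for every (user, invoice) pair where the invoice is not owned by the user,
    the handler must return nothing. Returns the pairs that leaked."""
    users = {inv.owner_id for inv in INVOICES.values()}
    leaks = []
    for uid in sorted(users):
        for inv_id, inv in INVOICES.items():
            if inv.owner_id != uid and handler(uid, inv_id) is not None:
                leaks.append((uid, inv_id))
    return sorted(leaks)


if __name__ == "__main__":
    # A legitimate request looks identical on both handlers...
    print(looks_like_success(get_invoice_vulnerable(7, 1001)),
          looks_like_success(get_invoice_hardened(7, 1001)))
    # ...but the ownership audit separates them.
    print("vulnerable leaks:", cross_account_audit(get_invoice_vulnerable))
    print("hardened leaks:  ", cross_account_audit(get_invoice_hardened))
```

The point of `looks_like_success` is why the article says IDOR needs human oversight: both handlers return the same shape for a user's own record, so a scanner with no model of who owns what has nothing to flag. `cross_account_audit` encodes the tester's knowledge of the intended ownership and is the kind of check that belongs in the application's own authorization tests as well.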
Clearly, there’s no one best approach to application security testing. Humans need to perform the security tests they’re the most effective at carrying out, with their efforts augmented by automated testing.
Fred is a senior technical writer at Synopsys. He is a Mini Cooper fanboy and has worked for both Google and Bob Dylan at various points in his career.