Learn about the key takeaways from the “Software Vulnerability Snapshot” report, which examines security issues uncovered in web and mobile apps.
Businesses use third-party application security testing services for a variety of reasons, and one of the largest is a lack of trained or experienced security professionals. A continued shortage of cybersecurity workers is likely to result in more organizations getting their cybersecurity needs addressed as a service, according to the (ISC)2 cybersecurity professional organization. In fact, (ISC)2 notes that 70% of its survey respondents who are experiencing staffing shortages expect to use third-party services to fill their cybersecurity gap.
And there’s definitely a need to fill that gap. The Forrester report, “The State of Application Security: 2022,” notes that web application exploits are the third-most-common cybersecurity attack. Of the 4,000+ tests Synopsys Application Security Testing (AST) services conducted for its annual “Software Vulnerability Snapshot” report, 95% uncovered some form of vulnerability in the target applications.
The Synopsys AST services tests probe running applications as a real-world attacker would, with the goal of identifying vulnerabilities that could then be triaged and remediated as necessary.
With that much exposure, it’s clear that organizations need to probe their running web applications in the same way that attackers will, and then identify and eliminate vulnerabilities before they are exploited by outside agents.
Some organizations may also want to validate their own testing and ensure that their internal security controls are working. Still others may need to comply with regulatory or business requirements that mandate third-party assessments. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing on a regular schedule or after any significant changes to the software or system.
The 2022 BSIMM13 Trends and Insights report found that 88% of the organizations participating in the Building Software in Maturity Model (BSIMM) project use external penetration testers to find problems. These tests can uncover issues that might have been missed by internal testing and may highlight a weak link in an organization’s security toolset. If a static analysis tool is failing to capture security defects that surface during dynamic application security testing (DAST) or penetration testing, there may be a problem in the organization’s overall security testing portfolio.
To produce the “Software Vulnerability Snapshot” report, Synopsys Cybersecurity Research Center (CyRC) researchers examined anonymized data from commercial software systems and applications tested by Synopsys AST services. This year’s report includes data from over 4,000 tests conducted on 2,700 targets (i.e., software or systems). Most of the tests were intrusive “black box” and “gray box” tests, including penetration tests, dynamic application security testing (DAST), and mobile application security testing (MAST) analyses.
Sixty-four percent of the tests conducted by Synopsys AST services were penetration tests—simulated attacks designed to evaluate the security of an application or system. Penetration testing enables organizations to find and fix runtime vulnerabilities in the final development stages of software or after deployment. Penetration testing also introduces a needed human element into the security equation. Some vulnerabilities can’t be easily detected by automated testing tools but need human oversight to be uncovered.
DAST and MAST were also used in the tests. MAST is used to uncover vulnerabilities in applications running on mobile devices and corresponding server-side systems.
The primary objective of DAST is to test running web applications for vulnerabilities such as SQL injection and cross-site scripting (XSS). The vulnerabilities that are exploited in running web applications often don’t exist in source code; they arise only after being deployed into production. This makes DAST an essential component of any application security testing program.
As noted earlier, human oversight is needed to develop a full software security picture. Synopsys DAST evaluations include manual testing to uncover vulnerabilities that typically can’t be found by out-of-the-box tools, such as some vulnerabilities pertaining to authentication and session management, access control, and information leakage.
Applications often fail in their duty to protect the integrity of sensitive network traffic. Weak SSL/TLS configurations were the top vulnerability found in the Synopsys AST services overall tests, with 82% of the test targets containing some form of that vulnerability. Broken down by types of tests, penetration testing found that 77% of its targets had weak SSL/TLS configurations, with 81% found by DAST scans and 32% found by MAST scans.
Both penetration tests and DAST scans found that 22% of the total test targets had some exposure to cross-site scripting attacks, one of the most prevalent and destructive high- and critical-risk vulnerabilities impacting web applications. Most XSS vulnerabilities occur only when the application is running.
If you’re concerned about cybersecurity gaps in your organization, it may be time to address those gaps with third-party AST services. Those services might include build-time static analysis, manual code review, dynamic scanning in a QA/integration test, and preproduction and postproduction penetration testing.
A full spectrum of testing can help you remedy defects and identify known vulnerabilities in your software, whether that software is commercial third-party software, open source, or developed in-house.
Fred is a senior technical writer at Synopsys. He is a Mini Cooper fanboy and has worked for both Google and Bob Dylan at various points in his career.