Software Vulnerability Snapshot
The 10 Most Common Web Application Vulnerabilities
What’s Inside
The Synopsys Cybersecurity Research Center (CyRC) examined data from thousands of commercial software security tests performed in 2021. Almost all the tests (95%) were intrusive “black box” and “gray box” tests, including penetration (pen) tests, dynamic application security testing, and mobile application security testing analyses.
Download the report to learn what vulnerabilities—such as cross-site scripting, remote code execution, SQL injection, and clickjacking—were most common in commercial software, and why relying solely on automated tests can leave organizations at risk to cyberattacks and data breaches.
Industries Represented
Sixteen industry verticals are represented in the report, including software and internet, financial services, insurance, business services, manufacturing, media and entertainment, retail, and healthcare.
Tests Included
Application security (AppSec) tests performed include penetration testing, dynamic application security testing, and mobile application security testing—all designed to probe running applications the way a real-world hacker would.
Key Findings
The report makes it clear why a full spectrum of AppSec testing is essential to managing software risk. While “white box” tools such as static application security testing (SAST) can shed light on security issues early in the software development life cycle, SAST cannot uncover runtime security vulnerabilities. Likewise, several vulnerabilities cannot be detected by automated tools and need human oversight to uncover.
Out of the roughly 4,400 tests run by CyRC
- 95% revealed vulnerabilities
- 25% revealed high or critical severity vulnerabilities
- 78% of vulnerabilities fell into an OWASP Top 10 category
Download the Report
Software Vulnerability Snapshot
The 10 Most Common Web Application Vulnerabilities
