To produce the “Software Vulnerability Snapshot” report, Synopsys Cybersecurity Research Center (CyRC) researchers and Synopsys Security Testing Services consultants used anonymized data from three years of tests conducted on commercial software systems and applications.
The Synopsys tests shed light on persistent vulnerabilities that remain significant challenges to web and software application security, especially the top vulnerabilities related to:
- Information disclosure/leakage and privacy
- Insufficient transport layer protection
The tests also underscore the ongoing dangers posed by vulnerable third-party libraries and the need for robust software supply chain security in software development environments, where well over 90% of software contains open source.
Sixteen industry verticals are represented in the report, including software and internet, financial services, insurance, business services, manufacturing, media and entertainment, and healthcare.
Application security (AppSec) tests performed include penetration testing, dynamic application security testing, and mobile application security testing—all designed to probe running applications the way a real-world hacker would.
The report makes it clear why a full spectrum of AppSec testing is essential to managing software risk. While testing tools such as static application security testing (SAST) can shed light on security issues early in the software development life cycle, SAST cannot uncover runtime vulnerabilities. Likewise, several vulnerabilities cannot be detected by automated tools and need human oversight to uncover.
Out of the roughly 12,000 tests run by CyRC in the three-year span:
- 92% revealed vulnerabilities
- 33% revealed high- or critical-severity vulnerabilities
- 77% of vulnerabilities fell into an OWASP Top 10 category
Software Vulnerability Snapshot
A Three-Year Analysis of the 10 Most Common Web and Software Application Vulnerabilities