Software Vulnerability Snapshot

A Three-Year Analysis of the 10 Most Common Web and Software Application Vulnerabilities

What’s Inside

To produce the “Software Vulnerability Snapshot” report, Synopsys Cybersecurity Research Center (CyRC) researchers and Synopsys Security Testing Services consultants used anonymized data from three years of tests conducted on commercial software systems and applications.

The Synopsys tests shed light on persistent vulnerabilities that remain significant challenges to web and software application security, especially the top vulnerabilities related to

  • Information disclosure/leakage and privacy
  • Misconfigurations
  • Insufficient transport layer protection

The tests also underscore the ongoing dangers posed by vulnerable third-party libraries and the need for robust software supply chain security in software development environments, where well over 90% of software contains open source.

Industries Represented

Sixteen industry verticals are represented in the report, including software and internet, financial services, insurance, business services, manufacturing, media and entertainment, and healthcare.

Tests Included

Application security (AppSec) tests performed include penetration testing, dynamic application security testing, and mobile application security testing—all designed to probe running applications the way a real-world hacker would.

Key Findings

The report makes it clear why a full spectrum of AppSec testing is essential to managing software risk. While testing tools such as static application security testing (SAST) can shed light on security issues early in the software development life cycle, SAST cannot uncover runtime vulnerabilities. Likewise, some vulnerabilities cannot be detected by automated tools at all and require human review to uncover.

Out of the roughly 12,000 tests run by CyRC in the three-year span:

  • 92% revealed vulnerabilities
  • 33% revealed high- or critical-severity vulnerabilities
  • 77% of vulnerabilities fell into an OWASP Top 10 category
