Report: Applications and critical data vulnerable to attack

According to a report by Synopsys, 97% of software and systems targets tested during 2020 were found to contain a vulnerability. Furthermore, 30% of the targets had high-risk vulnerabilities, which threat actors could exploit to access high-value resources, and 6% had critical-risk vulnerabilities, which could allow attackers to execute code and breach critical data on a web or mobile application or application servers.


Insecure data storage and communication vulnerabilities plague mobile applications. Eighty percent of the vulnerabilities discovered in the mobile tests were related to insecure data storage. These vulnerabilities could be exploited by an attacker who gains access to the mobile device, either physically (e.g., a stolen device) or through malware. Fifty-three percent of the mobile tests uncovered vulnerabilities associated with insecure communications.


Moreover, application and server misconfigurations represented 21% of the overall vulnerabilities, 19% of the vulnerabilities identified were related to broken access control, and 28% of the total test targets had some exposure to cross-site scripting (XSS) attacks, which is one of the most prevalent and destructive vulnerabilities impacting web applications. Because many XSS vulnerabilities occur only when the application is running, the best approach to security testing is to leverage a broad spectrum of tooling solutions to ensure that an application or system is secure.


Synopsys Application Security Testing Services 2020 by the Numbers:
  • Number of test targets: 2,573
  • Number of tests: 3,937
  • Tests that uncovered vulnerabilities: 97%
  • Tests with high- or critical-severity vulnerabilities: 36%
  • Total number of vulnerabilities discovered: 28,501
  • Top vulnerability discovered: missing Content-Security-Policy header (52%)
  • Top high-risk vulnerability discovered: stored cross-site scripting (XSS)
  • Top critical vulnerability discovered: SQL injection (3%)
  • Types of tests: web app pen testing (67%), web app dynamic analysis (16%), mobile app analysis (12%), source code analysis (2%), and network security pen testing (2%)


The industries represented in the tests included software and internet, financial services, business services, manufacturing, media and entertainment, and health care. Of the tested targets, 83% were web applications and systems, 12% were mobile apps, and the remainder were either source code or network systems or applications. Considering that these industries are heavily reliant on software, it’s crucial to prevent identified software vulnerabilities from severely impacting business.


The data was compiled from 3,937 tests performed by Synopsys security consultants during customer engagements, including penetration testing, dynamic application security testing, and mobile application security analyses, all designed to confront running applications in the same fashion as a real-world attacker.


Read the full report by Synopsys.
