Organizations’ serious commitment to software risk management pays off

There has been a significant decrease in vulnerabilities found in target applications – from 97% in 2020 to 83% in 2022 – an encouraging sign that code reviews, automated testing and continuous integration are helping to reduce common programming errors, according to Synopsys.

The report details three years of data (2020 – 2022) derived from tests run by Synopsys Security Testing Services, with targets made up of web applications, mobile applications, network systems and source code.

Tests are designed to probe running applications as a real-world attacker would, incorporating multiple security testing techniques including penetration (pen) testing, dynamic application security testing (DAST), mobile application security testing (MAST) and network security testing.

Although this is a positive development for the industry, the data also demonstrates that relying on a single security testing solution such as static application security testing (SAST) is no longer sufficient as an approach.

For example, server misconfigurations represented an average of 18% of the total vulnerabilities found in the three years of tests. Without a multilayered security approach that combines SAST to identify coding flaws, DAST to examine running applications, software composition analysis (SCA) to identify vulnerabilities introduced by third-party components, and penetration testing to identify issues that might have been missed by internal testing, these types of vulnerabilities will likely go unchecked.

Decrease in known software vulnerabilities

Advancements in programming languages and integrated development environments (IDEs) now provide built-in checks and tools that help developers catch errors before they become significant issues. In the case of popular open source projects, many communities have also ramped up their scrutiny of code, leading to higher quality standards.

Unfortunately, the same can’t be said for less popular or older open source projects. According to some reports, nearly 20% of open source projects across Java and JavaScript that were maintained in 2022 are no longer being maintained today, opening those projects to vulnerabilities and exploits.

With more attackers using automated exploitation tools that can attack thousands of systems in a matter of seconds, fixing high- and critical-risk vulnerabilities can become urgent whenever those vulnerabilities are discovered, not least because well over half of reported vulnerabilities are exploited within a week of disclosure.

Security or vulnerability issues in deployed applications tend to cascade downhill, not only through their potential of disrupting an organization’s (or its customers’) business operations, but also through their impact on the entire SDLC, and in extension, the software supply chain.

“For the first time in years, we’re seeing a decrease in the number of known vulnerabilities in software, which provides new hope that organizations are taking security seriously and prioritizing a strategic and holistic approach to software security in order to make a lasting impact,” said Jason Schmitt, GM of the Synopsys Software Integrity Group. “As hackers have become more sophisticated, a multilayered security approach is needed more than ever to identify where software risks live and protect businesses from being exploited.”

Leaked information continues to be a top risk

On average over the past three years, 92% of the tests uncovered some form of vulnerability. However, only 27% of those tests contained high-severity vulnerabilities, and 6.2% contained critical-severity vulnerabilities.

The top security issue that was uncovered has remained unchanged from 2020 to 2022 – information leakage, a major security issue occurring when sensitive information is exposed to unauthorized parties. An average of 19% of the total vulnerabilities were directly related to information leakage issues.

Of all high-risk vulnerabilities found in 2022, 19% were found to be susceptible to cross-site scripting attacks. Among the top 10 security issues in 2022, 25% of the tests conducted found vulnerable third-party libraries to be a risk.

Software is likely vulnerable if you do not know the versions of all components in use, including third-party and open source components.