- The vast majority of applications and systems tested, 95%, had vulnerabilities, according to a report from the Synopsys Software Integrity Group. One-fifth of the systems had high-risk vulnerabilities and just under 5% had vulnerabilities considered critical.
- Researchers conducted 4,400 tests on 2,700 software targets, including web applications, mobile applications, source code files or network systems. The tests were primarily “black box” or “gray box” tests, which included penetration testing, dynamic application security testing or mobile application security testing.
- The most prevalent vulnerability was weak Secure Sockets Layer/Transport Layer Security (SSL/TLS) configuration; 4 in 5 test targets had some form of it.
The report comes at a time when software vulnerabilities have taken center stage in the debate over how to protect critical systems against malicious cyberattacks.
Vulnerabilities such as these create a backdoor for criminal actors or rogue nation-states to launch attacks against the country’s most vulnerable industries, including hospitals, schools, utility companies, government agencies and other critical sites.
The Synopsys report did show some improvements from a year ago, indicating companies and other organizations are making an effort to better detect flaws in their applications before they are shipped and installed by customers.
However, as the industrial workplace becomes ever more dependent on automation, the need for proactive testing of the integrity of these systems has become a core priority.
“At the end of the day, software risk equates to business risk and not taking measures to mitigate that risk could potentially impact an organization’s bottom line,” Ray Kelly, a fellow at Synopsys, said via email.
About 1 in 5 of the test subjects contained a cross-site scripting vulnerability, which is considered one of the most destructive vulnerabilities found in web applications.
The percentage is about 6% lower than the figure in the year-ago report, which researchers said is a sign that companies are taking steps to mitigate these vulnerabilities during the production phase.
The results also demonstrate the need for Software Bills of Materials, according to Synopsys researchers. Third-party libraries were found in 21% of the penetration tests done during the study.
Editor’s note: This article has been updated to fix the spelling of Synopsys in the teaser.