Software Vulnerability Snapshot
The 10 Most Common Web Application Vulnerabilities
Analysis by Synopsys Security Testing Services and the Synopsys Cybersecurity Research Center (CyRC)

Table of contents
Overview ..... 1
Who Should Read This Report ..... 2
Who Uses Third-Party Application Security Testing ..... 3
Types of Tests Mentioned in This Report ..... 3
Security Issues Found in the Synopsys AST Services Tests ..... 4
Vulnerabilities Breakdown by the OWASP Top 10 ..... 6
OWASP Categories in Detail ..... 8
Testing with a Full Spectrum of Security Tools ..... 9
WhiteHat Dynamic ..... 10
Even Lower-Risk Vulnerabilities Can Be Exploited to Facilitate Attacks ..... 11
The Danger of Vulnerable Third-Party Libraries ..... 12
Managing Supply Chain Risk with a Software Bill of Materials ..... 12
The Need for a Holistic AppSec Program to Manage Risk at Scale ..... 13
Recommendations ..... 14
About CyRC Research ..... 14
synopsys | 2

Overview

To produce the annual “Application Vulnerability Snapshot” report, Synopsys Cybersecurity Research Center (CyRC) researchers examine anonymized data from commercial software systems and applications tested by Synopsys Application Security Testing (AST) services. This year’s report includes data from 4,398 tests conducted in 2021 on 2,711 targets (i.e., software or systems). Almost all the tests (95%) were intrusive “black box” and “gray box” tests, including penetration (pen) tests, dynamic application security testing (DAST), and mobile application security testing (MAST) analyses.

Black box testing approaches the target’s security state from an outsider’s perspective, whereas gray box testing simulates an authenticated user with credentials—essentially extending black box testing with deeper insights. The Synopsys AST services tests probe running applications as a real-world attacker would, with the goal of identifying vulnerabilities that could then be triaged and remediated as necessary.

The targets tested were largely web (82%) and mobile (13%) applications, with the remaining 5% either source code or network systems/applications tests. The industries represented included software and internet (32%), financial services (26%), business services (18%), manufacturing (7%), consumer services (7%), and healthcare (6%). The remaining 4% of test targets represented travel and leisure, education, energy and utilities, and other verticals.

Chart: Industries represented in the study
- Software and Internet, Systems Integration and Services, Computers and Electronics: 32%
- Financial Services, Insurance: 26%
- Business Services: 18%
- Manufacturing, Transportation and Storage, Wholesale and Distribution: 7%
- Consumer Services, Media and Entertainment, Retail, eCommerce: 7%
- Healthcare, Pharmaceuticals, and Biotech: 6%
- Other: 4%
Who Should Read This Report

If you’re in charge of a software security program, getting a deeper view into software risk can help you plan strategic improvements in your security efforts. If you’re looking at a security program from the tactical side, you can use the information in this report to present a business case for expanding security testing in your software security initiative, for example, by enhancing static application security testing (SAST) and software composition analysis (SCA), or by testing running applications with DAST, pen or fuzz testing, or MAST.

According to the Forrester report, “The State of Application Security: 2022,” web application exploits are the third-most-common attack (see Figure 1). With that much exposure, it’s clear that organizations need to test their running web applications in the same way that attackers will, and then identify and eliminate vulnerabilities before they are exploited by outside agents.

Chart: “How was the attack carried out?”
- Software vulnerability exploit: 35%
- Supply chain/third-party breach: 33%
- Web application exploit (SQLi, XSS, RFI): 32%
- Phishing: 31%
- Social engineering: 30%
- Use of weak or stolen credentials: 29%
- Strategic web compromise: 27%
- Malspam: 26%
- Abuse of administrator tools: 26%
- Exploitation of lost/stolen asset: 24%
Figure 1. Web application exploits comprise over 30% of attacks
Who Uses Third-Party Application Security Testing

Businesses use third-party application security testing services for a variety of reasons, one of the largest being a lack of trained or experienced security professionals.

Some organizations may also want to validate their own testing and ensure that their internal security controls are working. Others may need to extend their software security testing capabilities but don’t want to add dedicated tools and staff to their budgets. Still others may need to comply with regulatory or business requirements that mandate third-party assessments. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires pen testing on a regular schedule or after any significant changes to the software or system.

The “2022 BSIMM13 Trends and Insights report” found that 88% of the organizations participating in the Building Security In Maturity Model (BSIMM) project, a program examining the strategies organizations employ to build security into software development, use external penetration testers to find problems. These tests can uncover issues that might have been missed by internal testing and may highlight a weak link in an organization’s security toolset. If a static analysis tool is failing to capture security defects that surface during DAST or penetration testing, for example, there may be a problem in the organization’s overall security testing portfolio.

For those wanting to learn more about the BSIMM project, the “BSIMM13 Foundations” report provides in-depth detail on BSIMM background and data, and the “BSIMM13 Trends and Insights” report offers a distillation of current BSIMM findings.

Sidebar: Benefits of Third-Party Application Security Testing
Third parties can provide expertise, scale, trust in findings, and remediation guidance. They can also lower your overall risk posture while saving you time and money in the long run. Third-party testing is useful when you need to
- Enhance your security coverage
- Fulfill compliance requirements
- Increase your security reputation with customers
- Improve your response to software security threats

Types of Tests Mentioned in This Report

Sixty-four percent of the tests conducted in 2021 by Synopsys AST services were pen tests—simulated attacks designed to evaluate the security of an application or system. Pen testing enables organizations to find and fix runtime vulnerabilities in the final development stages of software or after deployment. Pen tests are often a compliance requirement of security standards. As noted earlier in this report, compliance with PCI DSS requires pen testing on a regular schedule.

Pen testing also introduces a needed human element into the security equation. Some vulnerabilities can’t be easily detected by automated testing tools—they need human oversight to be uncovered. For example, the only effective way to detect an insecure direct object reference (IDOR), an issue that allows attackers to gain access to unauthorized data, is by performing a manual test.
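As an added illustration (not code from the report), the following Python model shows why the IDOR case just mentioned needs a human: the unscoped lookup sits beside its hardened form, and two checks contrast what a tool without business context can verify with what a tester who knows which user owns which record can verify. The users, invoices and handler names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Handler = Callable[[str, int], Tuple[int, Optional[dict]]]

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float

# Constructed sample data: two customers, each owning one invoice.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}

def _render(inv: Invoice) -> dict:
    return {"id": inv.invoice_id, "owner": inv.owner, "amount": inv.amount}

def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Tuple[int, Optional[dict]]:
    """IDOR: the record is fetched by id alone; the caller is never compared
    with the record's owner, so any authenticated user can read any invoice."""
    inv = INVOICES.get(invoice_id)
    return (404, None) if inv is None else (200, _render(inv))

def get_invoice_fixed(session_user: str, invoice_id: int) -> Tuple[int, Optional[dict]]:
    """Hardened: the lookup is scoped to the caller. A foreign id gets the same
    404 as a nonexistent one, so the response does not confirm which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        return 404, None
    return 200, _render(inv)

def looks_healthy(handler: Handler) -> bool:
    """What a tool without business context can check: every 200 response is
    well-formed. This passes for both handlers, which is why an IDOR slips past it."""
    responses = [handler("alice", i) for i in (1001, 1002, 1003)]
    return all(body is not None and "amount" in body for s, body in responses if s == 200)

def authz_test(handler: Handler) -> bool:
    """The manual-test check: the tester knows 1002 belongs to bob and asks for
    it as alice. A 200 here is the defect, whatever the payload looks like."""
    status, body = handler("alice", 1002)
    return status != 200 and body is None

if __name__ == "__main__":
    for name, h in (("vulnerable", get_invoice_vulnerable), ("fixed", get_invoice_fixed)):
        print(f"{name}: looks_healthy={looks_healthy(h)} authz_test={authz_test(h)}")
```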