Intelligent CISO Issue 44 | Page 58

intelligent MOBILE SECURITY

Synopsys research finds vulnerabilities in 97% of applications

Synopsys has published 2021 Software Vulnerability Snapshot: An Analysis by Synopsys Application Security Testing Services, a report examining data from 3,900 tests conducted on 2,600 targets (i.e., software or systems) during 2020. The data, compiled from tests performed by Synopsys security consultants in its assessment centres for its customers, included penetration testing, dynamic application security testing and mobile application security analyses, all designed to probe running applications as a real-world attacker would.

Of the tested targets, 83% were web applications or systems, 12% were mobile applications and the remainder were either source code or network systems/applications. Industries represented in the tests included software and Internet, financial services, business services, manufacturing, media and entertainment, and healthcare.

"Cloud-based deployments, modern technology frameworks and the rapid pace of delivery are forcing security groups to react more quickly as software is released," said Girish Janardhanudu, Vice President, Security Consulting at Synopsys Software Integrity Group.

"With insufficient AppSec resources in the market, organisations are leveraging application testing services such as those Synopsys provides in order to flexibly scale their security testing. We've seen a heavy increase in assessment demand throughout the pandemic."

In the 3,900 tests conducted, 97% of the targets were found to have some form of vulnerability. 30% of the targets had high-risk vulnerabilities and 6% had critical-risk vulnerabilities.

The results demonstrate that the best approach to security testing is to use the wide spectrum of tools available, since no single testing technique catches every class of flaw, to help ensure an application or system is free from vulnerabilities.

For example, 28% of the total test targets had some exposure to a cross-site scripting (XSS) attack, one of the most prevalent and destructive high-/critical-risk vulnerabilities affecting web applications. Many XSS vulnerabilities surface only when the application is running, which is why dynamic testing of the deployed application finds them where a review of source code alone would not.

Of note was the number of vulnerable third-party libraries in use, found in 18% of the penetration tests conducted by Synopsys Application Testing Services. This corresponds with the 2021 OWASP Top 10 category A06:2021 – Vulnerable and Outdated Components.

Most organisations use a mix of custom-built code, commercial off-the-shelf code and open-source components to create the software they sell or use internally. Often those organisations have informal, or no, inventories detailing exactly which components their software uses, along with those components' licences, versions and patch status.

With many companies having hundreds of applications or software systems in use, each likely containing hundreds to thousands of different third-party and open-source components, an accurate, up-to-date software bill of materials (SBOM) is urgently needed to track those components effectively.
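The kind of inventory check the SBOM paragraph above calls for, as an added example that is not part of the Synopsys report or the Intelligent CISO article: the script below parses a constructed CycloneDX 1.4 JSON document, flags components with no recorded version or licence (patch status cannot be assessed without a version), and flags components whose version predates the fix recorded in a constructed advisory table. The component names, advisory identifiers and version numbers are all invented for the example; a real check would load the SBOM emitted by the build and query a live vulnerability feed.

```python
"""Audit a CycloneDX-style SBOM for missing metadata and known-vulnerable versions.

Added example. The SBOM and the advisory table are constructed sample data,
not output from any real project or vulnerability database.
"""
import json

# Constructed sample SBOM in the CycloneDX 1.4 JSON shape.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.1.0",
     "purl": "pkg:pypi/example-json-parser@2.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-http-client", "version": "0.9.3",
     "purl": "pkg:pypi/example-http-client@0.9.3"},
    {"type": "library", "name": "example-template-engine",
     "purl": "pkg:pypi/example-template-engine",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}
"""

# Constructed advisory table: component name -> first version containing the fix.
# Any recorded version below "fixed_in" is treated as affected. Identifiers are made up.
ADVISORIES = {
    "example-json-parser": {"advisory": "EXAMPLE-ADV-0001", "fixed_in": "2.2.0"},
    "example-http-client": {"advisory": "EXAMPLE-ADV-0002", "fixed_in": "0.9.3"},
}


def parse_version(version):
    """Turn a dotted version string into a tuple of ints so versions compare numerically.

    Non-numeric characters inside a segment are dropped; a segment with no digits
    counts as 0. Sufficient for the sample data, not a full semver implementation.
    """
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def component_findings(component):
    """Return the list of findings (strings) for a single SBOM component."""
    findings = []
    name = component.get("name", "<unnamed>")
    version = component.get("version")

    # Missing version: patch status cannot be assessed at all.
    if not version:
        findings.append(f"{name}: no version recorded; patch status cannot be assessed")

    # Missing licence: the inventory is incomplete for compliance purposes.
    if not component.get("licenses"):
        findings.append(f"{name}: no licence recorded")

    # Known-vulnerable range check against the advisory table.
    advisory = ADVISORIES.get(name)
    if advisory and version and parse_version(version) < parse_version(advisory["fixed_in"]):
        findings.append(
            f"{name} {version}: affected by {advisory['advisory']} "
            f"(fixed in {advisory['fixed_in']})"
        )
    return findings


def audit_sbom(sbom_text):
    """Parse a CycloneDX JSON document and return all findings across its components."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings = []
    for component in sbom.get("components", []):
        findings.extend(component_findings(component))
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON):
        print(finding)
```

On the sample data the audit reports three findings: the JSON parser is below its fixed version, the HTTP client has no licence recorded (its version equals the fixed version, so it is not flagged as affected), and the template engine has no version at all. The last case is the one the paragraph above is really about: without a version in the inventory, no vulnerability feed can tell you whether the component is patched.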