IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Over a third of applications have high-risk vulnerabilities

Synopsys report reveals that 97% exhibit some form of vulnerability

Almost all applications have some form of software vulnerability, according to a report published this week by software security company Synopsys. 

Synopsys tests software for its clients, both without any access to the application at all and with valid user credentials. It ran 3,900 software tests on 2,600 target applications and systems and found 97% exhibiting some form of vulnerability

More than a third of the vulnerabilities were high-risk, allowing attackers to access application resources and data, said Synopsys' “2021 Software Vulnerability Snapshot” report. It also found 6% were critical, meaning that they would allow attackers to access sensitive information. 

The most common high-risk vulnerability was cross-site scripting, at 28%, followed by a failure to rate-limit login attempts, which renders the application open to brute force attacks. 

The top critical vulnerabilities stemmed from SQL injection attacks, which allow attackers to manipulate the back-end database by inserting SQL commands into the application interface. These vulnerabilities have existed since the early days of web applications and frequently make the OWASP Top 10, which is a list of the most common security flaws found in web applications and is updated roughly every four years. 

The vulnerabilities found in the report mapped closely to those detailed in the 2021 edition of the OWASP Top 10. Three in four matched those on the OWASP list. 

Related Resource

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Blonde woman in professional clothing writing on a board Free download

Synopsys warned that even lower-risk vulnerabilities can be dangerous. "For example, verbose server banners — found in 49% of the tests — provide critical information such as server name, type, and version number that could allow attackers to perform targeted attacks on specific technology stacks," it said. 

The report, which ran analysis, including penetration tests and static analysis, made some recommendations to help companies avoid the fallout from attacks. It advised them to implement content security policies protecting against attacks that could access data in the application without authorization. It found missing or inadequate policies in 77% of the tests. 

The report also recommended a software bill of materials to detail third-party libraries used in applications and assess their security. Almost one in five tests revealed applications using vulnerable third-party libraries.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022