According to a report by Synopsys, 97% of software and systems targets tested during 2020 were found to contain a vulnerability. Furthermore, 30% of the targets had high-risk vulnerabilities, which threat actors could exploit to access high-value resources, and 6% had critical-risk vulnerabilities, which could allow attackers to execute code and breach critical data on a web or mobile application or application servers.
Insecure data storage and communication vulnerabilities plague mobile applications. Eighty percent of the discovered vulnerabilities in the mobile tests were related to insecure data storage. These vulnerabilities could allow an attacker to gain access to a mobile device either physically (i.e., accessing a stolen device) or through malware. Fifty-three percent of the mobile tests uncovered vulnerabilities associated with insecure communications.
Moreover, application and server misconfigurations represented 21% of the overall vulnerabilities, and 19% of the vulnerabilities identified were related to broken access control. In addition, 28% of the total test targets had some exposure to cross-site scripting (XSS), one of the most prevalent and destructive vulnerabilities impacting web applications. Because many XSS vulnerabilities occur only when the application is running, the best approach to security testing is to leverage a broad spectrum of tooling solutions to ensure that an application or system is secure.
The industries represented in the tests included software and internet, financial services, business services, manufacturing, media and entertainment, and health care. Of the tested targets, 83% were web applications and systems, 12% were mobile apps, and the remainder were either source code or network systems or applications. Considering that these industries are heavily reliant on software, it’s crucial to prevent identified software vulnerabilities from severely impacting business.
The data was compiled based on 3,937 tests performed by Synopsys security consultants during customer engagements. The tests include penetration testing, dynamic application security testing, and mobile application security analyses, all designed to confront running applications in the same fashion as a real-world attacker.
Read the full report by Synopsys.