Software Vulnerability Snapshot Report Findings

Black Duck has released its “2024 Software Vulnerability Snapshot” report, offering valuable insights into the current state of web application security. The report analyzes data from over 200,000 dynamic application security testing (DAST) scans conducted by Black Duck® Continuous Dynamic scanning on approximately 1,300 applications across 19 industry sectors.

Key findings from the Software Vulnerability Snapshot

The 2024 analysis identified a total of 96,917 vulnerabilities, with several critical issues standing out.

  • Cryptographic Failures (Sensitive Data Exposure): This category accounted for 30,726 vulnerabilities, including 4,882 critical-risk instances. Affecting 86% of clients, it represents one of the most common and serious security issues across industries.
  • Injection Vulnerabilities: 4,814 vulnerabilities were found in this category, with over half of them (2,491) rated critical. Injection vulnerabilities, which include SQL Injection and Cross-Site Scripting (XSS), pose significant security threats because they can lead to data theft and system compromise.
  • Security Misconfigurations: This vulnerability category affected 98% of the clients scanned, with over 36,000 vulnerabilities identified. While many of those vulnerabilities were classified as “informational” by Black Duck experts (that is, no immediate action was indicated), they still represent potential security risks.

Industry-specific insights

Black Duck uses a proprietary metric to rank the relative “site complexity” of web applications assessed by Continuous Dynamic. Applications with less complexity may have minimal interactivity and a simple crawl tree—that is, a straightforward structure of URLs. Higher-complexity applications may have many interactive elements and dynamically generated content. Sites are ranked as small, medium, and large based on the complexity of the applications they contain.

“Small- and medium-complexity sites tend to have more critical vulnerabilities than larger-complexity sites, particularly in the Finance and Insurance sector.”

2024 Software Vulnerability Snapshot Report | Black Duck

In the scans detailed in the “2024 Software Vulnerability Snapshot” report, small- and medium-complexity sites tended to have more critical vulnerabilities than larger-complexity sites, particularly in the Finance and Insurance sector. This metric suggests that many organizations are underestimating the security needs of sites built from less-complex applications.

Breaking down the numbers

  • Finance and Insurance: This sector had the highest number of critical vulnerabilities (1,299), indicating substantial risk in this highly regulated sector.
  • Healthcare and Social Assistance: This sector followed closely with 992 critical vulnerabilities, raising concerns about patient data protection and regulatory compliance.
  • Information Services: This sector recorded 446 critical vulnerabilities, highlighting the need for robust security in data-centric industries.

Vulnerability remediation analysis across industries

The report also revealed significant variations in vulnerability remediation times across industries.

  • Utilities: Organizations in this sector had the longest time-to-close for critical vulnerabilities, with smaller-complexity sites taking 107 days and medium-complexity sites taking 876 days on average.
  • Educational Services: This sector also showed extended closure times, with small-complexity sites taking 342 days and medium-complexity sites taking 111 days.
  • Finance and Insurance: This sector demonstrated faster response times, closing critical vulnerabilities in 28 days for small-complexity sites, 53 days for medium-complexity sites, and 78 days for larger-complexity sites.
  • Healthcare and Social Assistance: This sector showed improvement in larger-complexity sites. Scans revealed closure times of 87 days for small-complexity sites, 30 days for medium-complexity sites, and 20 days for larger-complexity sites.

These variations highlight the impact of resource allocation and regulatory pressures on security initiatives across different sectors.

Potential business impact of software vulnerabilities

The vulnerabilities identified in the report pose significant risks to organizations, including

  • Data Breaches: Sensitive Data Exposure and Injection vulnerabilities threaten the security of personal information, financial data, and trade secrets.
  • Regulatory Noncompliance: High-risk sectors face increased exposure to noncompliance with data protection regulations like GDPR, HIPAA, and PCI DSS.
  • Operational Disruptions: Security misconfigurations and other vulnerabilities can lead to service outages and business continuity issues.
  • Extended Vulnerability Exposure: Long closure times in sectors like Utilities and Educational Services increase the risk of exploitation.

AppSec recommendations

The findings in the “2024 Software Vulnerability Snapshot” report highlight the ongoing challenges in application security across numerous industries. By understanding the damaging potential of these vulnerabilities and implementing robust security measures, organizations can better protect their assets, maintain regulatory compliance, and safeguard their operations and reputation.

Specifically, the report recommends that organizations

  • Prioritize addressing Sensitive Data Exposure and Injection vulnerabilities, especially for organizations in high-risk sectors.
  • Focus on reducing time-to-close for critical vulnerabilities.
  • Address security misconfigurations to minimize potential information disclosure and reputational damage.
  • Implement a multifaceted security approach integrating DAST, static application security testing (SAST), and software composition analysis (SCA) for comprehensive coverage throughout the software development life cycle.

This is a Security Bloggers Network syndicated post from the Black Duck blog, authored by Fred Bals. Read the original post at: https://www.blackduck.com/blog/software-vulnerability-snapshot-report-findings.html