What vulnerabilities and security issues affect web and mobile applications?



The 2021 Software Vulnerability Snapshot report reveals the issues affecting web and mobile applications and what AppSec tools and activities can minimize the risks.

One of the most compelling reasons companies use third-party application security testing is to expand their own software security testing capability when circumstances make adding new resources problematic. This is certainly the case in the current pandemic environment. According to research by Cybersecurity Ventures, the number of unfilled cybersecurity positions worldwide currently exceeds 3.5 million, enough people to fill 50 football stadiums.

In the United States, nearly half of the estimated 950,000 cybersecurity positions are unfilled. The US Department of Commerce’s National Institute of Standards and Technology’s CyberSeek project calls it a dangerous shortage, especially when you consider the increase in cyber attacks, data breaches, and ransomware attacks over the past 18 months.

“We have seen a sharp increase in the demand for assessment throughout the pandemic,” said Girish Janardhanudu, vice president of security consulting at Synopsys Software Integrity Group. “Cloud-based deployments, modern technology frameworks, and the rapid pace of delivery are forcing security groups to respond more quickly as software is released. With insufficient AppSec resources in the market, organizations are leveraging application testing services such as those provided by Synopsys to flexibly extend their security testing.”

Synopsys recently released its “2021 Software Vulnerability Snapshot” report, examining data from 3,900 tests on commercial web and mobile applications conducted by Synopsys security consultants in 2020. Sectors represented in the report include software and internet, financial services, business services, manufacturing, media and entertainment, and health care. The tests included penetration testing, dynamic application security testing, and mobile application security analysis, designed to probe running applications the way a real-world attacker would, with the goal of identifying vulnerabilities that could then be triaged and remediated where necessary.

The need for a full suite of software security testing

97% of tests found some form of vulnerability; 30% of tests found high-risk vulnerabilities and 6% found critical-risk vulnerabilities. Twenty-eight percent of the applications tested were exposed to cross-site scripting attacks, one of the most widespread and damaging high-risk/critical vulnerabilities in web applications.

The report clearly explains why a comprehensive suite of application security testing is an essential part of managing software risk in today’s world. While “transparent box” tests such as Static Application Security Testing (SAST) can provide visibility into security issues early in the software development lifecycle, SAST cannot discover security vulnerabilities that only appear at runtime. And some vulnerabilities cannot be easily detected by automated testing tools at all; they require human intervention to be discovered.

For example, the only effective way to detect an insecure direct object reference (IDOR), an issue that allows attackers to manipulate object references in order to access data they are not authorized to see, is for a human tester to perform a manual test.
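The reason a scanner struggles with IDOR is that the server's response looks perfectly valid; only someone who knows which user should own which object can tell that the wrong user received it. The following added example (not code from the Synopsys report) shows, in plain Python with no web framework, a handler that trusts the client-supplied id beside one that checks ownership on the server, plus the two-account check a manual tester performs. The invoice data, user names and handler names are constructed for illustration.

```python
from typing import Callable, Dict

# Constructed sample data: invoices and the user who owns each one.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "amount": 42.00},
    1002: {"owner": "bob", "amount": 99.50},
}


class Forbidden(Exception):
    """Raised when a caller asks for an object they may not read."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> dict:
    """IDOR: the id comes straight from the client and the handler never
    asks whether the authenticated user owns the object it points to."""
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user: str, invoice_id: int) -> dict:
    """Object-level authorization: look the object up, then check the
    ownership relation on the server side before returning anything."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        # Same outcome for "does not exist" and "not yours", so the endpoint
        # does not confirm which ids are valid.
        raise Forbidden("invoice not available")
    return invoice


def check_object_authorization(
    handler: Callable[[str, int], dict], session_user: str, own_id: int, other_id: int
) -> bool:
    """The manual test in miniature: as one user, request an object that
    belongs to a different user. Returns True if the handler served it,
    i.e. the handler is vulnerable to IDOR."""
    try:
        handler(session_user, own_id)  # baseline: own object must work
    except Forbidden:
        raise RuntimeError("baseline request failed; test is inconclusive")
    try:
        handler(session_user, other_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("hardened", get_invoice_hardened)):
        leaked = check_object_authorization(handler, "alice", 1001, 1002)
        print(f"{name}: {'IDOR present' if leaked else 'ownership enforced'}")
```

The same check, run as a regression test with two fixture accounts, is the cheapest way to keep an IDOR from coming back once a tester has found it.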

Clearly, no single approach to application security testing is sufficient on its own. Humans need to perform the security tests for which they are most effective, with their efforts augmented by automated testing.

Highlights of the “2021 Software Vulnerability Snapshot” report

  • Vulnerabilities from the OWASP Top 10 2021 were discovered in 76% of the targets. Application and server configuration errors accounted for 21% of overall vulnerabilities found in testing, represented by the OWASP A05: 2021 — Security Misconfiguration category. And 19% of the total vulnerabilities found were related to the OWASP A01: 2021 — Broken Access Control category.
    [Figure: Top 10 OWASP 2021 vulnerabilities discovered in 76% of targets | Synopsys]
  • Insecure data storage and communication vulnerabilities plague mobile applications. Eighty percent of vulnerabilities found in mobile testing were related to insecure data storage. These vulnerabilities could allow an attacker who gains access to a mobile device, either physically (for example, a stolen device) or through malware, to read the data stored on it. Fifty-three percent of mobile tests revealed vulnerabilities associated with insecure communications.
  • Even lower-risk vulnerabilities can be exploited to facilitate attacks. Sixty-four percent of vulnerabilities found in testing are rated as minimal, low, or medium risk. In other words, the problems detected cannot be directly exploited by attackers to gain access to sensitive systems or data. However, even low-risk vulnerabilities can be exploited to facilitate attacks. For example, detailed server banners, found in 49% of tests, provide information such as the name, type, and version number of the server, which could allow attackers to perform attacks targeted at specific technology stacks.
  • There is an urgent need for a software bill of materials (SBOM). Notably, vulnerable third-party libraries were found in 18% of penetration tests conducted by Synopsys Application Testing Services. With many companies having hundreds of software applications or systems in use, each likely containing hundreds to thousands of different third-party and open-source components of its own, an accurate and up-to-date software BOM is urgently needed to track these components effectively.
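The "detailed server banners" finding above is one that is easy to check for in a response and easy to fix in configuration. The following added example (not code from the Synopsys report) inspects a set of HTTP response headers and reports which ones reveal a product name and which go further and reveal a version. The header sets are constructed; the product and version strings in them are placeholders, not real software.

```python
import re
from typing import Dict, List

# Response headers that commonly carry product and version information.
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")

# A version string: one or more dot-separated number groups, e.g. 1.2.3.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def find_banner_disclosures(headers: Dict[str, str]) -> List[str]:
    """Return one finding per banner header present. A header that carries a
    version number is the higher-value disclosure, since it lets an attacker
    narrow their attention to a specific release; a bare product name is the
    lesser leak. Header names are matched case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    for name in BANNER_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name} discloses product and version: {value!r}")
        else:
            findings.append(f"{name} discloses product name: {value!r}")
    return findings


# Constructed sample responses (placeholder products, not captured from a real host).
VERBOSE_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "ExampleHTTPd/1.2.3 (Unix) ExampleLang/4.5.6",
    "X-Powered-By": "ExampleLang/4.5.6",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "ExampleHTTPd",  # product only; version suppressed in config
}

if __name__ == "__main__":
    for label, response in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for finding in find_banner_disclosures(response) or ["  no banner disclosure"]:
            print("  " + finding)
```

On the configuration side the fix is a single directive in most servers, for example `server_tokens off;` in nginx or `ServerTokens Prod` in Apache httpd, which reduces the header to the product name; removing application-level headers such as `X-Powered-By` is usually a framework or reverse-proxy setting.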

2021 Software Vulnerability Snapshot Report | Synopsys
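The SBOM point in the highlights is easiest to appreciate with the workflow it enables: once every application lists its components and versions in a machine-readable form, checking all of them against an advisory feed is a loop rather than a research project. The following added example (not code from the Synopsys report) loads a small constructed document in the CycloneDX JSON shape, compares each component's version against a constructed advisory list, and reports the ones below the first fixed release. Component names and advisory ids are placeholders.

```python
import json
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX JSON shape (component list only); names are placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1"},
    {"type": "library", "name": "example-http-client", "version": "0.9.0"},
    {"type": "library", "name": "example-template-engine", "version": "5.0.2"}
  ]
}
"""

# Constructed advisory feed: (component, first fixed version, advisory id placeholder).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("example-json-parser", "2.4.0", "ADVISORY-PLACEHOLDER-1"),
    ("example-template-engine", "4.8.0", "ADVISORY-PLACEHOLDER-2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically; a plain
    string comparison would rank '10.0' below '9.0'. Real ecosystems also
    have pre-release tags and epochs, which this simple parser does not model."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json: str) -> Dict[str, str]:
    """Map component name -> installed version from a CycloneDX-style document."""
    document = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in document.get("components", [])}


def find_vulnerable_components(
    components: Dict[str, str], advisories: List[Tuple[str, str, str]]
) -> List[dict]:
    """Report every component that is present in the SBOM and installed at a
    version older than the advisory's first fixed release."""
    hits: List[dict] = []
    for name, fixed_in, advisory in advisories:
        installed = components.get(name)
        if installed is None:
            continue  # component not used by this application
        if parse_version(installed) < parse_version(fixed_in):
            hits.append({"name": name, "installed": installed,
                         "fixed_in": fixed_in, "advisory": advisory})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable_components(load_components(SBOM_JSON), ADVISORIES):
        print(f"{hit['name']} {hit['installed']} is affected by {hit['advisory']}; "
              f"upgrade to {hit['fixed_in']} or later")
```

The value of the SBOM is in the first argument to `find_vulnerable_components`: without a current inventory, the same advisory has to be checked by hand against every application that might use the component.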


