Software vulnerabilities are on the decline, but businesses still need to be extremely vigilant when building code, new research has claimed.
A report from the Synopsys Cybersecurity Research Center analyzed three years of data on web apps, mobile apps, network systems, and source code. The researchers probed the targets the same way malicious actors would, combining multiple security testing techniques (penetration testing, dynamic application security testing, mobile application security testing, and network security testing).
The results show a significant decline in the share of tests that found vulnerabilities – from 97% in 2020 to 83% in 2022. Synopsys describes the findings as “an encouraging sign that code reviews, automated testing and continuous integration are helping to reduce common programming errors.”
High-severity flaws on the decline, too
However, the researchers also concluded that businesses must not rely on a single security testing solution, or they risk missing important flaws: “For example, server misconfigurations represented an average of 18% of the total vulnerabilities found in the three years of tests. Without a multilayered security approach that combines SAST to identify coding flaws, DAST to examine running applications, SCA to identify vulnerabilities introduced by third-party components, and penetration testing to identify issues that might have been missed by internal testing, these types of vulnerabilities will likely go unchecked.”
There is more good news in the report: high-severity vulnerabilities are comparatively rare. On average over the past three years, 92% of the tests identified some kind of vulnerability, but only 27% of those tests found high-severity vulnerabilities, and 6.2% found critical-severity vulnerabilities.
On the flip side, cross-site scripting (XSS) is on the rise: 19% of all high-risk flaws found last year were XSS. Those interested in learning more can read the full report at this link.