Today, Synopsys released its 2023 Software Vulnerability Snapshot report, which shows a notable decline in vulnerabilities found in target applications. The Synopsys Cybersecurity Research Center (CyRC) analysed the data and found a decrease from 97% in 2020 to 83% in 2022. This positive trend suggests that practices such as code reviews, automated testing, and continuous integration are effectively reducing common programming errors.
The report spans three years of data (2020 – 2022) obtained from tests conducted by Synopsys Security Testing Services. These tests targeted web applications, mobile applications, network systems, and source code, employing various security testing techniques like penetration testing, dynamic application security testing (DAST), mobile application security testing (MAST), and network security testing.
While the industry celebrates this progress, the data also underscores that relying solely on a single security testing solution, such as static application security testing (SAST), is inadequate. Notably, server misconfigurations accounted for an average of 18% of total vulnerabilities discovered over the three-year testing period. The report emphasizes the importance of a multi-layered security approach: SAST to identify coding flaws, DAST to assess running applications, software composition analysis (SCA) to pinpoint vulnerabilities in third-party components, and penetration testing to catch issues overlooked during internal testing.
Jason Schmitt, the general manager of the Synopsys Software Integrity Group, commented on the significance of the decrease in known vulnerabilities, stating, “For the first time in years, we’re seeing a decrease in the number of known vulnerabilities in software, which provides new hope that organisations are taking security seriously and prioritising a strategic and holistic approach to software security in order to make a lasting impact.”
Key findings from the report include:
- High-severity vulnerabilities are less prevalent, with only 27% of tests revealing high-severity vulnerabilities and 6.2% containing critical-severity vulnerabilities.
- Information leakage remains a top security risk, constituting an average of 19% of total vulnerabilities.
- Cross-site scripting vulnerabilities are on the rise, accounting for 19% of high-risk vulnerabilities in 2022.
- Third-party software poses increased risks: vulnerable third-party libraries ranked among the top 10 security issues in 2022, appearing in 25% of tests.
To delve deeper into the findings, interested parties can download the 2023 Software Vulnerability Snapshot: A Three-Year Analysis of the 10 Most Common Web and Software Application Vulnerabilities or read the detailed blog post.