According to one year-long DAST analysis, software misconfigurations and exposed unpatched vulnerabilities were rife — creating opportunities for cyber exploitation and incidents
Based on analyses of data from over 200,000 dynamic application security testing (DAST) scans conducted on approximately 1,300 applications across 19 industries from June 2023 to June 2024 by a cybersecurity firm, the following trends have been disclosed to the media.
First, applications from the finance and insurance industries involved in the analysis had the highest number of critical vulnerabilities (1,299), followed by those of the healthcare and social assistance industry within the data set.
Second, of the 96,917 vulnerabilities identified in total, the two categories deemed most critical were cryptographic failures (weaknesses in how an application protects sensitive information), with over 30,000 instances, and injection vulnerabilities (where attacker-supplied input tricks an application into executing unintended actions or accessing data without proper authorization), with about 4,800 instances.
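To make the injection category concrete, here is an added example (not code from the report or from Black Duck) showing the kind of defect a DAST scanner probes for: a lookup that splices user input into a SQL string, beside the parameterized form that treats the same input purely as data. The database, table and the `check_for_injection` helper are constructed for this illustration; the probe string mimics what a scanner sends to see whether the query's logic changes.

```python
import sqlite3

# Constructed in-memory database with two sample rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn

def lookup_vulnerable(conn, username):
    # Defect: input is concatenated into the statement, so quotes in the
    # input change the SQL itself rather than the value being compared.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # Fix: the driver binds the value separately; it is never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def check_for_injection(lookup):
    # Hypothetical DAST-style check: a non-existent user with an embedded
    # tautology should never match more rows than the plain non-existent user.
    conn = make_db()
    baseline = lookup(conn, "nobody")
    probe = lookup(conn, "nobody' OR '1'='1")
    return len(probe) > len(baseline)   # True means the query logic was altered

def demo():
    return {
        "vulnerable_flagged": check_for_injection(lookup_vulnerable),
        "parameterized_flagged": check_for_injection(lookup_parameterized),
    }

if __name__ == "__main__":
    print(demo())   # {'vulnerable_flagged': True, 'parameterized_flagged': False}
```

The check compares row counts rather than looking for specific strings, which is why it also works against applications whose error messages are suppressed; the remediation is the same regardless of database: bind parameters instead of building statements from input.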
Third, there was significant variance in the “mean time to remediate” value across the industry apps analyzed: stringent regulations forced the finance and insurance industries to move more quickly (28 days for smaller/lower-complexity web assets), whereas the utilities industry players involved had the longest time to close (107 days for smaller/lower-complexity web assets).
Finally, 98% of applications analyzed contained security misconfigurations that could pose a large business risk, regardless of industry.
According to Jason Schmitt, CEO, Black Duck (formerly Synopsys Software Integrity Group), the firm that disclosed the analysis, the high number of vulnerabilities found in this snapshot suggests that “businesses cannot remain stagnant when deploying new security measures. The longer it takes for an organization to patch a vulnerability, the larger the chance of exploitation. Software risk equates to business risk, and with today’s malicious actors being more sophisticated than ever, it’s increasingly important that businesses across every sector build trust in their software by implementing a comprehensive and integrated approach.”