Key takeaways from the “2024 Software Vulnerability Snapshot” report

Authored by Fred Bals

Jul 21, 2025 / 5 min read

For DevSecOps professionals, staying ahead of the curve means understanding the current threat landscape, identifying common pitfalls, and continuously refining strategies. The “2024 Software Vulnerability Snapshot” report by Black Duck provides an invaluable look into the state of application security and offers critical insights drawn from over 200,000 dynamic application security testing (DAST) scans performed on approximately 1,300 applications across 19 industry sectors.

Even though that’s a lot of numbers, the report isn't just another collection of statistics; it's a call to action for every DevSecOps team. It underscores the persistent nature of certain vulnerabilities and highlights the urgent need for a holistic, integrated security testing strategy. Let's dive into the key takeaways that every DevSecOps practitioner should be acting upon.


A persistent barrage of vulnerabilities

The report kicks off with a stark reminder of a vast vulnerability landscape. A staggering 96,917 vulnerabilities were identified in the scans. Among the top 10 vulnerability classes, Insufficient Transport Layer Protection emerged as the most frequently identified, with 30,712 instances. This means data in transit is often not properly encrypted, leaving it ripe for interception. Hot on its heels was Missing Secure Headers, with 22,321 instances. The absence of crucial HTTP security headers leaves web applications exposed to a variety of attacks.

What's particularly concerning for DevSecOps teams is the prevalence of these issues. For instance, Missing Secure Headers affected a staggering 97% of clients scanned, while Insufficient Transport Layer Protection was found in 87% of clients. This presents a clear area for improvement through automated checks and policy enforcement within CI/CD pipelines.
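As an added illustration of the "automated checks and policy enforcement within CI/CD pipelines" the report calls for (this is example code, not part of the report or of any Black Duck tool), the function below inspects a captured HTTP response for the two most frequent finding classes above: Missing Secure Headers and, via the HSTS policy, Insufficient Transport Layer Protection. The header baseline, the one-year HSTS minimum and the sample response are assumptions constructed for the example.

```python
import re
from typing import Dict, List

HSTS_MIN_AGE = 31536000  # one year; assumed baseline, not a figure from the report

# Header -> required substring of its value (None: presence is enough). Assumed policy.
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=",
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "referrer-policy": None,
}

def parse_response_headers(raw: str) -> Dict[str, str]:
    """Return lower-cased header names -> values from a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(headers: Dict[str, str], scheme: str = "https") -> List[str]:
    """Return policy violations for one response; an empty list means it passes."""
    findings: List[str] = []
    if scheme != "https":
        findings.append("Insufficient Transport Layer Protection: served over plaintext HTTP")
    for name, expected in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"Missing Secure Headers: {name} absent")
        elif expected and expected not in value.lower():
            findings.append(f"Missing Secure Headers: {name} lacks '{expected}'")
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if m and int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"Insufficient Transport Layer Protection: HSTS max-age {m.group(1)} below {HSTS_MIN_AGE}")
    return findings

# Constructed sample response (not captured from any real site): short HSTS, several headers missing.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)
SAMPLE_FINDINGS = check_headers(parse_response_headers(SAMPLE_RESPONSE))
```

In a pipeline, a non-empty findings list for a preproduction deployment would fail the stage, turning the report's two most common classes into a gating policy rather than a post-hoc scan result.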

The vulnerabilities demanding immediate focus

Not all vulnerabilities are created equal. The report drills down into the vulnerabilities classified as critical risk or requiring urgent attention. Insufficient Transport Layer Protection again topped this list with 4,882 critical instances.

Cross-Site Scripting (XSS) followed with 2,256 critical instances. XSS remains a potent threat, enabling attackers to hijack sessions or steal sensitive data. Also notable was Information Leakage, with 510 critical instances.

One category that stood out for its urgency was Abuse of Functionality, which had 36 instances flagged as requiring urgent attention. While seemingly an insignificant number, these vulnerabilities are particularly dangerous because they involve misusing legitimate application features. That means they can often be exploited directly without needing complex bypasses, potentially leading to privilege escalation.

OWASP Top 10: Familiar vulnerabilities dominate

The report's alignment with OWASP Top 10 categories provides further context on the discovered vulnerabilities.

  • A02:2021-Cryptographic Failures (Sensitive Data Exposure): This was a massive issue, with 30,726 vulnerabilities identified, including 4,882 critical-risk instances. It affected 86% of clients, indicating pervasive problems in protecting sensitive data.

    Contributing Common Weakness Enumerations (CWEs) include CWE-319 (cleartext transmission of sensitive information), CWE-330 (use of predictable values for crypto keys/passwords), and CWE-311 (missing encryption of sensitive data). These are fundamental flaws that DevSecOps pipelines should be actively designed to prevent and detect.

  • A03:2021-Injection: This category accounted for 4,814 vulnerabilities, with 2,491 of them critical. Found in 59% of clients, injection attacks like SQL Injection and Command Injection remain a persistent and severe threat. The report lists numerous contributing CWEs, many of which relate to improper neutralization of input that allows for code or command execution.

  • A05:2021-Security Misconfiguration: This was the most widespread OWASP category, with 36,321 vulnerabilities affecting 98% of clients. While 84% of these were deemed "informational" by Black Duck experts (meaning they don't pose a direct risk), such information leakage can be a crucial first step for attackers planning more-targeted exploits. DevSecOps practices should include configuration-as-code and regular audits to minimize these misconfigurations.

Industry insights: High-risk sectors and the small site surprise

The vulnerability landscape isn't uniform across industries. The report flags several as high-risk.

  • Finance and Insurance led with 1,299 critical vulnerabilities.
  • Healthcare and Social Assistance followed closely with 992 critical vulnerabilities.
  • Information Services recorded 446 critical vulnerabilities.

A particularly interesting, and perhaps counterintuitive, finding for DevSecOps teams is that small- and medium-complexity sites tended to harbor more critical vulnerabilities than larger ones, especially in the Finance and Insurance sector. This suggests that smaller projects or applications might not receive the same level of security scrutiny or resources—a dangerous oversight.

A ticking clock: Time-to-close critical vulnerabilities

Discovering vulnerabilities is only half the battle; remediating them swiftly is crucial. The report reveals significant disparities in time-to-close (TTC) for critical vulnerabilities across industries.

  • The Utilities sector showed some of the longest TTCs, especially for small-complexity (107 days) and medium-complexity (an alarming 876 days) sites. This might be attributed to legacy systems in the Utilities sector and limited cybersecurity resources.
  • Educational Services also struggled, with TTCs of 342 days for small-complexity sites. Budget limitations and lack of dedicated personnel are likely factors.
  • Conversely, the Finance and Insurance sector demonstrated rapid responses, closing critical vulnerabilities in small-complexity sites in just 28 days, medium-complexity sites in 53 days, and large-complexity sites in 78 days. Heavy regulation and the highly sensitive nature of their data likely drive the urgency to close critical vulnerabilities no matter the site’s complexity.
  • Healthcare and Social Assistance also performed relatively well, with average TTCs of 87 days (small-complexity sites), 30 days (medium-complexity sites), and 20 days (large-complexity sites).

For DevSecOps professionals, the data reinforces the need for streamlined remediation workflows, clear ownership, and metrics to track and improve TTC. Integrating security tools into developer workflows can significantly accelerate this process.

DAST: A DevSecOps ally for real-world risk discovery

The “2024 Software Vulnerability Snapshot” report is based on DAST scans, and it rightly champions DAST as a critical component of a modern security strategy. DAST is a black-box methodology, meaning it tests applications in their running state, simulating how a real attacker would interact with them without needing source code access. This allows DAST tools to find vulnerabilities that manifest only at runtime, such as certain authentication problems, server configuration errors, and reflected XSS. The report highlights DAST's growing relevance due to increasing application complexity, evolving threats, and regulatory demands (like GDPR and PCI DSS).

Crucially for DevSecOps, DAST can be integrated both in preproduction (within CI/CD pipelines for early detection and cheaper fixes) and production environments (for continuous monitoring). A combination of preproduction and production DAST often provides the most comprehensive coverage, with extensive preproduction DAST supplemented by production scanning.


Actionable DevSecOps imperatives from the report

Here are the key actions DevSecOps teams should prioritize.

  • Target high-impact vulnerabilities: Aggressively address Sensitive Data Exposure (Cryptographic Failures) and Injection vulnerabilities. These consistently ranked as major threats in the report.
  • Shrink remediation windows: Focus on reducing time-to-close for critical vulnerabilities. Automate, integrate, and empower developers to fix issues quickly.
  • Tackle misconfigurations: Systematically identify and rectify security misconfigurations across all applications and environments. Infrastructure-as-code and policy-as-code can be powerful allies here.
  • Embrace the testing trifecta: Implement and integrate DAST, static application security testing (SAST), and software composition analysis (SCA) throughout the software development life cycle. Shift security left by testing early and often, but also extend it with production monitoring.
  • Automate in CI/CD: Embed DAST (and SAST/SCA) into your CI/CD pipelines to make security testing an automated, seamless part of development.
  • Foster a security culture: Promote security awareness and shared responsibility across development, security, and operations teams. The findings about smaller-complexity sites underscore the need for universal security understanding.
  • Don't underestimate "informational" findings: While not immediately critical, information leakage vulnerabilities can provide attackers with reconnaissance data. When discovered, review these issues to make informed decisions on configuration hardening.


Fortifying the future, together

The “2024 Software Vulnerability Snapshot” report paints a clear picture: The threat landscape is dynamic and demanding, but not insurmountable. For DevSecOps professionals, the report’s findings are a crucial benchmark and a catalyst for action. By embracing a comprehensive, integrated, and automated approach to security—leveraging the combined strengths of DAST, SAST, and SCA—DevSecOps teams can significantly reduce risk exposure, ensure regulatory compliance, and safeguard the trust placed in their software.
