A Three-Year Analysis of the 10 Most Common Web and Software Application Vulnerabilities
To produce the “Software Vulnerability Snapshot” report, Black Duck Cybersecurity Research Center (CyRC) researchers and Black Duck® Security Testing Services consultants used anonymized data from three years of tests conducted on commercial software systems and applications.
The Black Duck tests shed light on persistent vulnerabilities that remain significant challenges to web and software application security, especially the top vulnerabilities related to
The tests also underscore the ongoing dangers posed by vulnerable third-party libraries and the need for robust software supply chain security in software development environments, where well over 90% of software contains open source.
Sixteen industry verticals are represented in the report, including software and internet, financial services, insurance, business services, manufacturing, media and entertainment, and healthcare.
Application security (AppSec) tests performed include penetration testing, dynamic application security testing, and mobile application security testing—all designed to probe running applications the way a real-world hacker would.
The report makes it clear why a full spectrum of AppSec testing is essential to managing software risk. While testing tools such as static application security testing (SAST) can surface security issues early in the software development life cycle, SAST cannot uncover runtime vulnerabilities. Likewise, several classes of vulnerability cannot be detected by automated tools at all and require human review to uncover.
Out of the roughly 12,000 tests run by CyRC in the three-year span