Synopsys’s Report: What Apps Don’t Have Security Holes?!
Ninety-five percent of web applications — that’s not a typo, 95% — have security holes.
I know program security is bad, and so do you. We all know it. But when Synopsys announced in its latest report, the “Software Vulnerability Snapshot: The 10 Most Common Web Application Vulnerabilities.” that 95% of tested programs were found to have some form of vulnerability, my mouth dropped open.
But you know what’s worse? That’s better than last year’s result, which found 97% of tested applications had security holes.
Now, it’s not like these were all showstoppers. Three-quarters of the bugs were medium-risk or lower. Still, that left 20% with high-risk vulnerabilities and 4.5% with critical vulnerabilities. Again those numbers were better than last year’s report, but still, it’s pretty darn ugly.
Tests and Targets
The results were from 4,300 security tests conducted on 2,700 software targets. This included web applications, mobile applications, source code files, and network systems. The vast majority, 82%, were web applications or systems. While 13% were mobile applications, and the remainder were either source code or network systems/applications. Industries represented in the tests included software and internet, financial services, business services, manufacturing, consumer services, and healthcare.
Most of the tests were intrusive “black box” or “gray box” tests. This included penetration testing, dynamic application security testing (DAST), and mobile application security testing (MAST) that emulated real-world attacker probes.
This means, according to Girish Janardhanudu, Synopsys Software Integrity Group‘s vice president of security consulting: “intrusive black-box testing techniques like DAST and pen testing are particularly effective for surfacing exploitable vulnerabilities in the software development lifecycle and should be part of any well-rounded application security testing regimen.” He’s right.
While static analysis, dynamic analysis, and software composition analysis all have their place in securing code, real-world testing of the finished product is essential. For example, 22% of the total targets had some vulnerability to cross-site scripting (XSS) vulnerabilities. Almost all XSS vulnerabilities only show up when the application is running.
Top 10 Vulnerabilities
Synopsys also found OWASP’s Top 10 vulnerabilities in 77% of the targets. Come on, people! Read the guide on OWASP testing and do it! It’s not that hard! Of those, application and server misconfigurations represented 18% of the overall vulnerabilities. Another 18% were because of Broken Access Control problems. In other words, Ops also needs to step up its security game. Security problems don’t all fall on developers’ shoulders.
They also discovered — tell me if you’ve heard this before — that there’s an urgent need for a Software Bill of Materials (SBOM). Vulnerable third-party libraries were found in 21% of the penetration tests. Until you know exactly what’s in your code, you’re helpless against attacks made on vulnerable components. Just ask anyone who used the wrong version of Log4j if you don’t believe me.
Don’t think for a minute that it’s just the high-level security holes that can get you. As Synopsys pointed out, lower-risk vulnerabilities can also be exploited to facilitate attacks. Take, for instance, commonplace verbose server banners. They’re found in almost half of web-based applications, and they provide dangerous data such as your server’s operating system name, type, and version number. Armed with that information, an attacker knows exactly what kind of attacks to throw at your technology stack.
Synopsys also warns that external security testing is a must. Of course, they offer their own Synopsys Application Service Testing Tools, but they’re not wrong. That said, they also think good, old human testing still has its place. It may be time-consuming, but it’s still important.
Finally, the company also warns that we’re doing a lousy job of protecting our network traffic and servers. Weak SSL/TLS configurations were the top vulnerability found in the Synopsys AST services overall tests. A shocking 77% of the test targets had poor SSL/TLS configurations. Now, this is simply unacceptable. Basic network security isn’t under development’s purview. Still, if you suspect your company’s letting any random hacker luser get at your applications thanks to poor internet security, it’s time to raise hell with your CISO, CIO, and CTO.