
Editor’s brief: With rising cybersecurity breaches due to external threats as well as software quality issues, there is a pressing need to get serious with a Software Bill of Materials (SBOM). And with the WFH (work from home) phenomenon still forcing many folks to work remotely, the challenges of insecure data storage and communication vulnerabilities have escalated, since offices tend to have more perimeter defenses and controls. Read more below.

SINGAPORE Synopsys, Inc. (Nasdaq: SNPS) today published “2021 Software Vulnerability Snapshot: An Analysis by Synopsys Application Security Testing Services,” a report examining data from 3,900 tests conducted on 2,600 targets (i.e., software or systems) during 2020. The information was gathered from tests conducted by Synopsys security consultants in our assessment centers for our clients. These tests probed live applications like a real-world attacker would, and included penetration testing, dynamic application security testing, and mobile application security analyses.

Eighty-three percent of the examined objects were websites or web-based systems; twelve percent were mobile apps; the rest were either source code or network applications or systems. The healthcare, media, entertainment, manufacturing, and financial services sectors were all represented in the tests.

“Cloud-based deployments, modern technology frameworks, and the rapid pace of delivery are forcing security groups to react more quickly as software is released,” said Girish Janardhanudu, vice president, security consulting at Synopsys Software Integrity Group. “With insufficient AppSec resources in the market, organisations are leveraging application testing services such as those Synopsys provides in order to flexibly scale their security testing. We’ve seen a heavy increase in assessment demand throughout the pandemic.”

From a total of 3,900 tests, 97% found vulnerabilities in their targets. Only a third of the targets had low-risk vulnerabilities, while 6 percent had critical-risk ones. The findings prove that a comprehensive toolkit should be used for security testing to ensure that a software or hardware system is safe from flaws. As an example, one of the most common and destructive high-/critical-risk vulnerabilities impacting web applications is cross-site scripting (XSS), and 28% of the total test targets were vulnerable in some way to this attack. Most XSS flaws can only be exploited when the application is actually being used.

Other report highlights

  • 2021 OWASP Top 10 vulnerabilities were discovered in 76% of the targets. Application and server misconfigurations were 21% of the overall vulnerabilities found in the tests, represented by the OWASP A05:2021 — Security Misconfiguration category. And 19% of the total vulnerabilities found were related to the OWASP A01:2021 — Broken Access Control category.
  • Insecure data storage and communication vulnerabilities plague mobile applications. Eighty percent of the discovered vulnerabilities in the mobile tests were related to insecure data storage. These vulnerabilities could allow an attacker to gain access to a mobile device either physically (i.e., accessing a stolen device) or through malware. Fifty-three percent of the mobile tests uncovered vulnerabilities associated with insecure communications.
  • Even lower-risk vulnerabilities can be exploited to facilitate attacks. Sixty-four percent of the vulnerabilities discovered in the tests are considered minimal, low, or medium-risk. That is, the issues found are not directly exploitable by attackers to gain access to systems or sensitive data. Nonetheless, surfacing these vulnerabilities is not an empty exercise, as even lower-risk vulnerabilities can be exploited to facilitate attacks. For example, verbose server banners — found in 49% of the tests — provide information such as server name, type, and version number, which could allow attackers to perform targeted attacks on specific technology stacks.
  • An urgent need for a software Bill of Materials. Of note was the number of vulnerable third-party libraries in use, found in 18% of the penetration tests conducted by Synopsys Application Testing Services. This corresponds with the 2021 OWASP Top 10 category A06:2021 — Use of Vulnerable and Outdated Components. Most organisations typically use a mix of custom-built code, commercial off-the-shelf code, and open source components to create the software they sell or use internally. Often those organisations have informal — or no — inventories detailing exactly what components their software is using, as well as those components’ licenses, versions, and patch status. With many companies having hundreds of applications or software systems in use, each themselves likely having hundreds to thousands of different third-party and open source components, an accurate, up-to-date software Bill of Materials is urgently needed to effectively track those components.
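As an added example (not part of the Synopsys report), the following Python check parses constructed HTTP responses and flags the verbose server banners the report mentions, distinguishing a banner that discloses a version number from one that only names a product; the header names are standard, the sample values are made up.

```python
import re
from typing import Dict, List

# Response headers that commonly reveal the technology stack (standard HTTP/vendor header names).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# A dotted version number such as 3.2.1 embedded in a banner value.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_banners(raw: str) -> List[str]:
    """Return one finding per banner header, noting whether it discloses a version."""
    findings: List[str] = []
    for name, value in parse_headers(raw).items():
        if name in BANNER_HEADERS:
            risk = "version disclosed" if VERSION_RE.search(value) else "product disclosed"
            findings.append(f"{name}: {value} ({risk})")
    return findings


# Constructed sample responses (fictional product names, not real hosts):
# a verbose banner and the same response with the banner reduced to a generic name.
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/3.2.1 (Linux)\r\n"
    "X-Powered-By: ExampleLang/7.4\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)
HARDENED = "HTTP/1.1 200 OK\r\nServer: webserver\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, audit_banners(resp))
```

Run against live responses this would be a read-only configuration check; the hardened case shows that stripping the version string, not the header itself, is what removes the finding that matters.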