Vulnerable applications continue to be the top attack vector in externally caused security breaches at many enterprise organizations.
In a 2019 Forrester Research survey, 42% of organizations that had experienced an external attack blamed the incident on a software security flaw, and 35% said it had resulted from a buggy web application. Organizational efforts to tackle the problem using today's app sec tools are being complicated by the increasing use of open-source components in enterprise apps, accelerating software delivery times and a constantly expanding attack surface.
Here are 30 data points, including analyst, vendor, and research reports and white papers, that provide a snapshot of the current state of application security.
Vulnerability stats
13,319: Number of vulnerabilities detected in 2019, in 1,607 apps
The number, which covers apps from 249 vendors, represents a 22.3% decrease from 2018 and a 33.3% decrease from the 19,954 vulnerabilities detected in 2017.
Source: Annual Vulnerability Review 2020 Report, Flexera
19.8%: Reduction in vulnerabilities disclosed, from Q1 2019 to Q1 2020
Researchers from Risk Based Security aggregated a total of 4,968 vulnerabilities in Q1 2020. Out of that, 561 vulnerabilities had a public exploit but did not have any detail in the Common Vulnerabilities and Exposures (CVE) database. According to the report, "Analysis suggests that the count of vulnerabilities disclosed in Q1 2020 may rise to 6,126 as further information comes to light, but will still represent a decline."
Source: 2020 Q1 Report Vulnerability QuickView, Risk Based Security
60.5%: Percentage of vulnerabilities in 2019 that were remotely exploitable
Remotely exploitable flaws, as a share of all flaws, rose 5.3 percentage points between 2018 and 2019. At the same time, flaws that could only be exploited from the local network fell to 30.6% in 2019 from 33% in 2018.
Source: Annual Vulnerability Review 2020 Report, Flexera
42%: Percentage of vulnerabilities in Internet-facing applications that are SQL injection errors
Other common vulnerabilities include cross-site scripting errors (19%), PHP vulnerabilities (16%), remote code execution (7%), and sensitive file disclosure flaws (5%). As the Edgescan report says, "SQL Injection was first discovered in 1998 and still lives happily on the Internet with its cousins XSS and RCE."
Source: Edgescan 2020 Vulnerability Stats Report
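The Edgescan figure above is about a bug class that has had a known, cheap fix for two decades. As an added illustration (not code from the report or from this article), the following Python snippet puts the vulnerable pattern and its hardened form side by side against a constructed in-memory SQLite user table; the table, the lookup functions and the payload are all assumptions made for the example:

```python
import sqlite3
from typing import List

# Constructed stand-in for an application's user store (not real data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b"), ("carol", "hash_c")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Deliberately vulnerable: the caller's input becomes part of the SQL text,
    so quote characters in the input change the query's structure."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened: the input is bound as a parameter. The database engine sees
    the same statement no matter what the value contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Classic tautology payload; constructed for the example.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a normal username and with the payload."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_payload": lookup_vulnerable(conn, PAYLOAD),   # returns every row
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, PAYLOAD),         # returns nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the vulnerable query becomes WHERE username = '' OR '1'='1' and returns the whole table; the parameterized version searches for a user literally named ' OR '1'='1 and returns nothing. The fix is not escaping but keeping data out of the query text entirely.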
61%: Percentage of tested apps that had at least one high- or critical-severity vulnerability not listed in the OWASP Top 10
That is up 12 percentage points from the 49% of tested applications with such vulnerabilities in 2018.
Source: 2019 Application Security Risk Report, Micro Focus
3.2: Average number of critical application vulnerabilities per website in 2019
The number has remained static over the past three years, though organizations in some industries—such as the arts and entertainment sector and manufacturing—appear to be making some headway in terms of reducing web application vulnerabilities. According to report issuer WhiteHat Security, "IT is one of the worst offenders when it comes to the sheer volume of vulnerabilities. One possibility could be based on its lack of regulation as compared to well-regulated industries like finance or healthcare."
Source: 2019 Application Security Statistics Report, WhiteHat Security
83.9%: Percentage of software vulnerabilities for which a patch was already available on the day they were publicly disclosed
Zero-day flaws, bugs exploited before they are first disclosed, remain relatively rare: only 20 of the 13,319 vulnerabilities disclosed in 2019 were zero-days. According to Flexera's report, "This highlights the fact there is time to remediate most vulnerabilities before exploitation risk increases."
Source: Annual Vulnerability Review 2020 Report, Flexera
Web app security
20,000: Number of times the average web app was attacked, January and February 2020
Most attacks targeted common vulnerability classes such as path traversal, SQL injection, and XSS. Nearly all of them (99%) did not hit a vulnerability that actually existed in the targeted application. Contrast Security noted: "While the large number of unsuccessful attacks might provide some comfort, they also result in excessive noise for security and development teams."
Source: Application Security Intelligence BiMonthly Report, Contrast Security
26%: Percentage of scan targets (drawn from 5,000 websites, web apps, servers, and network devices) with at least one high-severity vulnerability
Some 63% of the websites had vulnerabilities that were classified as being of medium severity. Report author Acunetix warns: "While people might think that web applications in general are slowly getting more secure, the truth is less optimistic. Applications that are protected by web vulnerability scanning are the ones that are becoming more secure."
Source: Web Application Vulnerability Report 2020, Acunetix
36%: Percentage of web application scanning targets with a CSRF flaw
Though the number of sites with cross-site request forgery (CSRF) flaws in them remains high, this year's number is 51% smaller than 2019's. Other vulnerabilities present in a high percentage of websites include cross-site scripting errors (25%) and vulnerable JavaScript libraries (24%).
Source: Web Application Vulnerability Report 2020, Acunetix
17%: Reduction from 2018 to 2019 in the share of web apps containing high-risk vulnerabilities
Even so, severe flaws remain common: on average, each web application tested had 22 vulnerabilities, of which four were severe.
Source: Web Applications Vulnerabilities and Threats, Positive Technologies
11%: Percentage of web applications with 15 or more security vulnerabilities, January and February 2020
Generally, a handful of applications accounted for a large share of the vulnerabilities, skewing the overall averages as a result. For example, though applications overall had an average of 12 SQL injection errors, those errors were concentrated in only 9% of tested applications. Notes report author Contrast Security, "For applications that have a large number of vulnerabilities, the noise created by alerts can cause significant bottlenecks."
Source: Application Security Intelligence BiMonthly Report, Contrast Security
The open-source factor
33%: Percentage of application security vulnerabilities stemming from embeddable open-source and third-party components
Between 2018 and 2019 alone, there was a 50% increase in unpatched library vulnerabilities. Says WhiteHat Security: "As more open source and third-party software is embedded, it’s creating an inherently insecure environment for production apps."
Source: 2019 Application Security Statistics Report, WhiteHat Security
99%: Proportion of 1,253 commercial codebases analyzed in 2019 from across 17 industries with open-source code
Out of 1,253 commercial codebases analyzed, a full 100% contained open-source code in nine of the 17 industries looked at. Synopsys said in its report, "Open source components and libraries are the foundation of literally every application in every industry. The need to identify, track, and manage open source has increased exponentially with the growth of its use in commercial software."
Source: 2020 Open Source Security and Risk Analysis Report, Synopsys
75%: Percentage of commercial codebases with at least one security vulnerability
Nearly half (49%) of the analyzed codebases contained high-risk security vulnerabilities. Furthermore, 82% contained open-source components that were more than four years out of date, and 88% contained components that had seen no development activity in at least two years.
Source: 2020 Open Source Security and Risk Analysis Report, Synopsys
445: Average number of open-source components per commercial codebase analyzed
This number represents a 49% increase from the 298 open-source components per codebase in 2018. Notes Synopsys, "While the percentage of codebases containing open source is nearing 100%, there has also been a dramatic, ongoing increase over the same period of the percentage of codebases comprising open source."
Source: 2020 Open Source Security and Risk Analysis Report, Synopsys
The state of DevSecOps
50%: Average percentage of apps that are always vulnerable to exploitation at organizations that have not adopted DevSecOps
For organizations that have implemented a mature DevSecOps approach, the average number of apps that are always vulnerable to attack is 22%. According to WhiteHat Security, "In general, remediation rates have fallen, which is a huge concern. We can attribute this to an increased awareness and focus on application security, which naturally expands the scope of applications to be tested."
Source: 2019 Application Security Statistics Report, WhiteHat Security
89%: Percentage of IT respondents who said security and dev teams need to be in closer contact to create a true DevOps culture
What's more, 77% of the respondents to this 2019 survey of 1,310 IT decision makers said similar communication was necessary between developers, operations, and security; 34% said the siloed nature of these functions makes it harder to create a DevOps culture.
Source: Trend Micro 2019 Global DevOps Survey
58%: Percentage of respondents who said setting common goals can help drive cultural change within IT security, development, and operations teams
In the same survey of IT decision makers, 61% said it is important to foster greater integration between the different teams, and 50% said it is important to share learning experience across the different teams. Concluded Trend Micro in its report, “History of software development shows that the biggest and best process improvements never happen quickly due to the most valuable variable, people, who have existing behavioral patterns and cultural components."
Source: Trend Micro 2019 Global DevOps Survey
8%: Percentage of organizations that have secured at least 75% of their cloud-native apps using DevSecOps
Over the next two years, 68% of organizations plan to use DevSecOps practices to secure a majority of their cloud applications. Said report producer Enterprise Strategy Group, "This study reveals that while organizations have started, there is more work to be done when it comes to securing their cloud-native apps with the benefits DevSecOps offers."
Source: Security for DevOps - Enterprise Survey Report, Enterprise Strategy Group
Cloud-native apps
37%: Percentage of respondents who said API security is their top priority for cloud-native apps
One-third of respondents to a survey of 371 IT and security professionals said their organizations planned to spend more on securing APIs to protect against threats to their cloud app environment. According to Enterprise Strategy Group, "API security was the top area reported for current or projected incremental spend."
Source: Security for DevOps - Enterprise Survey Report, Enterprise Strategy Group
82%: Percentage of organizations with a separate team assigned to securing cloud-native applications
About half of these organizations said they planned to merge these responsibilities with other teams in future; 32% plan on retaining a separate team for cloud application security.
Source: Security for DevOps - Enterprise Survey Report, Enterprise Strategy Group
Scanning for vulnerabilities
83%: Percentage of apps with at least one security flaw at initial vulnerability scan
From a sample of over 85,000 applications across some 2,300 companies globally, 70% of development organizations reduce the number of flaws in their code after the initial scan or do not introduce any new flaws. Said report issuer Veracode, "The research found that fixing vulnerabilities has become just as much a part of the development process as improving functionality, suggesting developers are shifting their mindset to view the security of their code as equal to other value metrics."
Source: 10th State of Software Security Report, Veracode
64%: Percentage of applications whose initial scan turned up an information leakage flaw
The two other most common flaws uncovered during an initial scan were cryptographic vulnerabilities (62%) and CRLF injection (61%).
Source: 10th State of Software Security Report, Veracode
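CRLF injection, the third flaw class in the Veracode list above, is worth a concrete look because it is easy to miss in review: a single user-controlled header value containing a carriage return and line feed lets the attacker append headers of their own (or, with a blank line, a response body). The following Python example is added here and is not code from the Veracode report or from this article; the header serializers, the minimal header parser and the payload are all assumptions made for the illustration:

```python
from typing import Dict

CRLF = "\r\n"


def serialize_headers_vulnerable(headers: Dict[str, str]) -> str:
    """Deliberately vulnerable: each value is written verbatim, so CR/LF inside
    a value starts a new header line that the client will honour."""
    lines = ["HTTP/1.1 302 Found"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF


def serialize_headers_safe(headers: Dict[str, str]) -> str:
    """Hardened: reject any header name or value carrying line-control or NUL
    characters instead of trying to 'clean' them."""
    lines = ["HTTP/1.1 302 Found"]
    for name, value in headers.items():
        if any(c in name or c in value for c in ("\r", "\n", "\0")):
            raise ValueError(f"refusing header {name!r}: control character in header")
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF


def parse_headers(raw: str) -> Dict[str, str]:
    """Minimal reader standing in for a browser or proxy: split the head from
    the body at the first blank line, then one header per CRLF-separated line."""
    head, _, _body = raw.partition(CRLF + CRLF)
    _status, *header_lines = head.split(CRLF)
    parsed: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed[name.strip().lower()] = value.strip()
    return parsed


# Constructed attacker input for a redirect target: a legitimate path followed
# by a CRLF and a forged Set-Cookie header.
PAYLOAD = "/home" + CRLF + "Set-Cookie: session=attacker-controlled"


def demo() -> dict:
    """Show what the client sees in each case."""
    vulnerable = parse_headers(serialize_headers_vulnerable({"Location": PAYLOAD}))
    try:
        serialize_headers_safe({"Location": PAYLOAD})
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {"vulnerable": vulnerable, "safe_rejected": safe_rejected}


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the client parses a Set-Cookie header the application never intended to send; in the hardened path the request fails closed. Most mature HTTP libraries now refuse CR/LF in header values for exactly this reason, but hand-rolled response writers, proxies and log-to-header shims still get it wrong.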
68: Median number of days required to remediate flaws in apps that are scanned less than once per month
Meanwhile, the median time to remediate applications that are scanned daily is just 19 days. Said Veracode, "Frequent scanning does more than help find flaws; it helps companies significantly reduce risk."
Source: 10th State of Software Security Report, Veracode
Days to remediate
50.5: Average number of days it took for organizations to remediate critical vulnerabilities in Internet-facing apps
The average time to patch an Internet-facing system in 2019 was 71 days; for an internal system the average time to patch was 50 days. Report author Edgescan also said, "On average 67.8% of assets had at least one CVE with a CVSS score of 4.0 or more. From a PCI DSS standpoint, this would result in an average of 67.8% of assets failing PCI compliance."
Source: Edgescan 2020 Vulnerability Stats Report
Patching
13%: Percentage of security pros who hadn't patched their web application frameworks at all over the past 12 months
Nearly six in 10 (59%) of global firms use web application firewalls (WAFs) to protect against threats. But 38% said they didn't use a WAF because they don't process sensitive information via their web apps.
Source: 2019 Barracuda Networks Survey
IAST
32%: Percentage of security decision makers that implemented IAST in their dev environment in 2019
Some 35% implement dynamic application security testing (DAST) during the development phase. Over the next 12 months, more decision makers (39%) plan to implement interactive application security testing (IAST) in development compared to DAST (34%). Notes Forrester in this report, "The move from DAST to IAST helps teams embed security into their existing development processes."
Source: The State of Application Security 2020, Forrester Research
Container security
37%: Percentage of security pros that plan to implement container security during development
About 20% of security professionals plan to implement container security during software design. Cautions Forrester, "Security pros must continue to invest in container security at the early phases of the lifecycle to use trusted images and secrets management."
Source: The State of Application Security 2020, Forrester Research
Software composition analysis
37%: Percentage of organizations that plan to do SCA during development to reduce risk from vulnerable open-source components
However, 39% of firms surveyed still plan on doing software composition analysis (SCA) only during the testing phase, where remediation is much harder. Said Forrester about that: "As open source vulnerabilities continue to increase, teams will benefit from SCA implementations that help them prioritize vulnerabilities and remediate them in line with the development process."
Source: The State of Application Security 2020, Forrester Research
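Both the WhiteHat open-source figure earlier on this page and the Forrester SCA figure above come down to the same operational question: which pinned third-party components in a build are below the fixed version of a known advisory, and which of those should block the build. The following Python example is added here and is not code from either report or from this article; the lockfile excerpt, the package names, the advisory entries and the CVSS gate threshold are all constructed for the illustration and do not refer to real packages or advisories:

```python
from typing import Dict, List, Tuple

# Constructed lockfile excerpt in pip "name==version" style (fictional packages).
LOCKFILE = """\
# generated by the build, do not edit
examplelib==2.19.1
netutil==1.24.2
parsekit==5.3.1
textnorm==2.8
"""

# Constructed advisory feed: fictional IDs, packages, fixed versions and scores.
ADVISORIES = [
    {"id": "ADV-0001", "package": "netutil", "fixed_in": "1.24.3", "cvss": 6.5},
    {"id": "ADV-0002", "package": "parsekit", "fixed_in": "5.4", "cvss": 9.8},
    {"id": "ADV-0003", "package": "textnorm", "fixed_in": "2.5", "cvss": 5.3},
    {"id": "ADV-0004", "package": "examplelib", "fixed_in": "2.20", "cvss": 7.5},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.24.2' into (1, 24, 2); non-numeric segments count as 0."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding with zeros so '1.24' equals '1.24.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Map lowercased package name to its pinned version; skip comments/blanks."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(lockfile_text: str, advisories: List[dict]) -> List[dict]:
    """Return the pinned components below an advisory's fixed version,
    highest CVSS first so the team fixes the worst ones first."""
    pins = parse_lockfile(lockfile_text)
    hits = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed is not None and version_lt(installed, adv["fixed_in"]):
            hits.append({
                "package": adv["package"], "installed": installed,
                "advisory": adv["id"], "fixed_in": adv["fixed_in"], "cvss": adv["cvss"],
            })
    hits.sort(key=lambda h: h["cvss"], reverse=True)
    return hits


def should_fail_build(hits: List[dict], threshold: float = 7.0) -> bool:
    """Policy gate: block the build on any finding at or above the threshold."""
    return any(h["cvss"] >= threshold for h in hits)


if __name__ == "__main__":
    findings = find_vulnerable(LOCKFILE, ADVISORIES)
    for h in findings:
        print(f'{h["package"]} {h["installed"]} < {h["fixed_in"]} ({h["advisory"]}, CVSS {h["cvss"]})')
    print("fail build:", should_fail_build(findings))
```

Run at commit time against the lockfile, this is the "during development" placement Forrester recommends; the same check run only in the test phase produces the same list, but by then the dependency is already wired into the release. The version comparison is deliberately simple and will not handle pre-release or epoch tags; a production SCA tool uses a full version grammar.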
Why these numbers matter
Beyond the alarming nature of some of these numbers lie the practical takeaways. For DevOps, QA, and dedicated app sec teams, this is what will move the needle in the right direction.