What vulnerabilities and security issues affect web and mobile applications?
The 2021 Software Vulnerability Snapshot report reveals issues affecting web and mobile applications and which AppSec tools and activities can minimize risk.
One of the most compelling reasons organizations use third-party application security testing is to expand their own software security testing capacity when circumstances make adding new resources problematic. This is certainly the case in today’s pandemic environment. According to a study by Cybersecurity Ventures, the number of cybersecurity vacancies worldwide currently exceeds 3.5 million, or enough people to fill 50 football stadiums.
In the United States, almost half of the estimated 950,000 cybersecurity jobs are unfilled. The CyberSeek project of the U.S. Department of Commerce's National Institute of Standards and Technology calls it a dangerous shortage, especially given the rise in cyberattacks, data breaches, and ransomware heists over the past few years.
“We have seen a surge in demand for assessment throughout the pandemic,” said Girish Janardhanudu, vice president of security consulting at Synopsys Software Integrity Group. “Cloud-based deployments, modern technology frameworks, and the rapid pace of delivery require security groups to respond faster as software is released. With insufficient AppSec resources in the market, organizations are leveraging application testing services such as those provided by Synopsys to flexibly scale their security testing.”
Synopsys recently released its “2021 Software Vulnerability Snapshot” report, examining data from 3,900 tests on commercial web and mobile applications conducted by Synopsys security consultants in 2020. Industries represented in the report include software and internet, financial services, business services, manufacturing, media and entertainment, and healthcare. Testing included penetration testing, dynamic application security testing (DAST), and mobile application security scanning, all designed to probe running applications the way a real attacker would, with the goal of identifying vulnerabilities that could then be triaged and remediated.
The Need for a Full Range of Software Security Testing
97% of tests revealed some form of vulnerability, with 30% showing high-risk vulnerabilities and 6% showing critical-risk vulnerabilities. Twenty-eight percent of tested applications were exposed to cross-site scripting attacks, one of the most widespread and destructive high-risk/critical vulnerabilities affecting web applications.
The report clearly explains why a comprehensive range of application security testing is an essential part of software risk management today. While “transparent box” testing such as static application security testing (SAST) provides visibility into security issues early in the software development life cycle, SAST cannot uncover vulnerabilities that only appear at runtime, in the deployed and configured application. And some vulnerabilities cannot be reliably detected by automated tools at all; they require human analysis to be discovered.
For example, the only effective way to detect an insecure direct object reference (IDOR), a flaw that lets an attacker change an object reference such as an ID in a URL or request body in order to read data they are not authorized to see, is a manual test. An automated scanner sees a valid-looking response either way, because it does not know which user is supposed to own which record; a tester logged in as one user who requests another user's object does.
Obviously, there is no single best approach to testing application security. Humans should perform the security tests they are most effective at, with their efforts bolstered by automated testing.
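Added example (not code from the report or from Synopsys): the IDOR pattern described above, shown as a vulnerable lookup beside its hardened form, plus the manual probe a tester performs. The invoice store, user IDs and `NotFound` error are constructed for the example and stand in for a real database and web framework.

```python
"""Insecure direct object reference (IDOR): vulnerable vs. hardened lookup.

Added example, not from the report. A tiny in-memory "invoice" store stands
in for a database; the users and invoices are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: user 1 owns invoice 1001, user 2 owns 1002.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=250.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=980.0),
}


class NotFound(Exception):
    """Raised when the caller may not see the requested object."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the ID taken from the request is used directly as the key.

    The only check is that the record exists. Nothing ties it to the
    requesting user, so user 1 can read invoice 1002 simply by changing
    the number in the URL. current_user_id is accepted but never used.
    """
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound() from None


def get_invoice_hardened(current_user_id: int, invoice_id: int) -> Invoice:
    """Same lookup, but ownership is part of the query.

    The record must both exist and belong to the requester. Returning the
    same 'not found' outcome in both cases avoids confirming that a foreign
    ID is valid, which would itself be a (lower-risk) information leak.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != current_user_id:
        raise NotFound()
    return inv


def idor_probe(fetch: Callable[[int, int], Invoice],
               attacker_user_id: int, victim_invoice_id: int) -> bool:
    """The manual test: as user A, request an object that belongs to user B.

    Returns True if the object came back (IDOR present), False if denied.
    A scanner cannot make this judgement, because a 200 with a valid
    invoice is exactly what a legitimate request also produces.
    """
    try:
        fetch(attacker_user_id, victim_invoice_id)
        return True
    except NotFound:
        return False


def enumerate_ids(fetch: Callable[[int, int], Invoice],
                  attacker_user_id: int, start: int, stop: int) -> List[int]:
    """Walk a range of sequential IDs and report which ones leaked."""
    return [i for i in range(start, stop)
            if idor_probe(fetch, attacker_user_id, i)]


if __name__ == "__main__":
    # User 1 tries to read user 2's invoice through both endpoints.
    print("vulnerable leaks 1002:", idor_probe(get_invoice_vulnerable, 1, 1002))
    print("hardened leaks 1002:", idor_probe(get_invoice_hardened, 1, 1002))
    print("IDs leaked to user 1:", enumerate_ids(get_invoice_vulnerable, 1, 1000, 1005))
```

The fix is not input validation (the ID is a perfectly well-formed integer) but making the owner a condition of the lookup, which in SQL terms means `WHERE id = ? AND owner_id = ?` rather than `WHERE id = ?` followed by no ownership check.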
Highlights from the 2021 Software Vulnerability Snapshot Report
- Vulnerabilities from the OWASP Top 10 2021 were found in 76% of targets. Application and server misconfigurations accounted for 21% of the vulnerabilities found in testing, represented by the OWASP A05:2021 Security Misconfiguration category. And 19% of the total vulnerabilities found were related to the OWASP A01:2021 Broken Access Control category.
- Insecure data storage and communication vulnerabilities plague mobile apps. Eighty percent of the vulnerabilities found in mobile testing were related to insecure data storage. These flaws expose sensitive data to an attacker who gains access to the device, either physically (for example, a stolen device) or through malicious software running on it. Fifty-three percent of mobile tests revealed vulnerabilities associated with insecure communications.
- Even lower-risk vulnerabilities can be exploited to facilitate attacks. Sixty-four percent of the vulnerabilities discovered during testing were rated as minimal, low, or medium risk. That is, on their own these findings do not give an attacker direct access to systems or sensitive data. But even lower-risk vulnerabilities can be chained to facilitate attacks. For example, detailed server banners, present in 49% of tests, disclose information such as server name, type, and version number, which lets attackers target known weaknesses in a specific technology stack.
- There is an urgent need for a software bill of materials. Vulnerable third-party libraries were found in 18% of the penetration tests conducted by Synopsys Application Testing Services. Since many companies use hundreds of applications or systems, each of which may include hundreds or even thousands of third-party and open source components, an accurate and up-to-date software bill of materials (SBOM) is urgently needed to track those components effectively.
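Added example (not code from the report or from Synopsys) serving the last two points above: it shows how a version-disclosing server banner and an SBOM component list feed the same check against a list of known-vulnerable versions, which is exactly why a banner is more than cosmetic and why an accurate SBOM matters. The HTTP headers, the CycloneDX-style SBOM fragment and the advisory table are constructed for illustration; the advisory IDs are placeholders, not real CVEs, and the version ranges are invented.

```python
"""From low-risk findings to targeted checks: server banners and SBOM
components matched against an advisory list.

Added example, not from the report. All inputs below are constructed:
the headers, the SBOM fragment and the advisory table (placeholder IDs,
invented version ranges, not real CVEs).
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed advisory table: product -> [(vulnerable_from, fixed_in, id)].
# A version v is affected when vulnerable_from <= v < fixed_in.
ADVISORIES: Dict[str, List[Tuple[Version, Version, str]]] = {
    "nginx":  [((1, 18, 0), (1, 20, 1), "ADV-EXAMPLE-1")],
    "php":    [((7, 4, 0), (7, 4, 30), "ADV-EXAMPLE-2")],
    "lodash": [((0, 0, 0), (4, 17, 21), "ADV-EXAMPLE-3")],
}

# "nginx/1.18.0", "PHP/7.4.3", "Apache/2.4.41 (Ubuntu)" -> (product, version)
BANNER_RE = re.compile(r"^\s*([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR[.MINOR[.PATCH]]' into a 3-tuple, padding with zeros so
    that '1.18' compares equal to '1.18.0' rather than below it."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(text)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def banners_from_headers(headers: Dict[str, str]) -> List[Tuple[str, Version]]:
    """Extract (product, version) pairs from the headers that commonly leak
    versions. A header with no version ('Server: nginx') yields nothing,
    which is the state a hardened server should be in."""
    lower = {k.lower(): v for k, v in headers.items()}
    found = []
    for name in ("server", "x-powered-by"):
        value = lower.get(name)
        if not value:
            continue
        m = BANNER_RE.match(value)
        if m:
            found.append((m.group(1).lower(), parse_version(m.group(2))))
    return found


def components_from_sbom(sbom_json: str) -> List[Tuple[str, Version]]:
    """Read (name, version) from a CycloneDX-style JSON SBOM. Components
    without a parseable version are skipped rather than guessed at."""
    doc = json.loads(sbom_json)
    out = []
    for comp in doc.get("components", []):
        try:
            out.append((comp["name"].lower(), parse_version(comp["version"])))
        except (KeyError, ValueError):
            continue
    return out


def match_advisories(items: List[Tuple[str, Version]]) -> List[Tuple[str, str, str]]:
    """Return (product, version, advisory_id) for every affected item."""
    hits = []
    for product, version in items:
        for low, fixed, adv_id in ADVISORIES.get(product, []):
            if low <= version < fixed:
                hits.append((product, ".".join(map(str, version)), adv_id))
    return hits


# Constructed sample inputs.
SAMPLE_HEADERS_LEAKY = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
                        "Content-Type": "text/html"}
SAMPLE_HEADERS_HARDENED = {"Server": "nginx", "Content-Type": "text/html"}
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.15"},
        {"type": "library", "name": "express", "version": "4.18.2"},
        {"type": "library", "name": "left-pad"},  # no version: skipped
    ],
})

if __name__ == "__main__":
    print("leaky banner hits:", match_advisories(banners_from_headers(SAMPLE_HEADERS_LEAKY)))
    print("hardened banner hits:", match_advisories(banners_from_headers(SAMPLE_HEADERS_HARDENED)))
    print("SBOM hits:", match_advisories(components_from_sbom(SAMPLE_SBOM)))
```

The banner side of the check is what an attacker does with a verbose `Server` header; the SBOM side is the same lookup run by the defender before the attacker gets the chance, and it only works if the component list is accurate and current.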