Synopsys’ 2023 Software Vulnerability Snapshot report reveals a significant reduction in vulnerabilities in target applications, dropping from 97% in 2020 to 83% in 2022, signaling positive industry advancements in code reviews and automated testing. Despite the progress, the report emphasizes the necessity of a multi-layered security approach, cautioning against relying solely on static application security testing and highlighting persisting risks such as information leakage and the rise of cross-site scripting vulnerabilities.
17 November 2023 – Synopsys, Inc. has released its much-anticipated 2023 Software Vulnerability Snapshot report, shedding light on a noteworthy decline in vulnerabilities within target applications. The data, meticulously analyzed by the Synopsys Cybersecurity Research Center (CyRC), reveals a substantial decrease from 97% in 2020 to 83% in 2022, indicating a positive trend attributed to the adoption of robust practices such as code reviews, automated testing, and continuous integration.
This comprehensive report encapsulates three years of data (2020-2022) derived from extensive testing by Synopsys Security Testing Services. The test parameters span web applications, mobile applications, network systems, and source code, employing a real-world attacker approach through various security testing techniques, including penetration testing (pen testing), dynamic application security testing (DAST), mobile application security testing (MAST), and network security testing.
While the decrease in vulnerabilities marks a significant stride for the industry, the report underscores the inadequacy of relying on a single security testing solution, such as static application security testing (SAST). Notably, server misconfigurations, averaging 18% of total vulnerabilities over the three years, highlight the importance of adopting a multi-layered security approach. This strategy combines SAST for identifying coding flaws, DAST for examining running applications, software composition analysis (SCA) to pinpoint vulnerabilities introduced by third-party components, and penetration testing to identify potential issues overlooked during internal testing.
Jason Schmitt, General Manager of the Synopsys Software Integrity Group, commented on the report’s encouraging findings, stating, “For the first time in years, we’re seeing a decrease in the number of known vulnerabilities in software, which provides new hope that organizations are taking security seriously.” He emphasized the necessity of a strategic and holistic approach to software security in the face of increasingly sophisticated hackers, advocating for a multi-layered security approach to effectively mitigate software risks and protect businesses from potential exploitation.
Key additional findings highlighted in the report include:
- High-severity vulnerabilities less likely: While 92% of tests over the past three years uncovered vulnerabilities, only 27% of those tests contained high-severity vulnerabilities, with 6.2% containing critical-severity vulnerabilities.
- Persistent risk of leaked information: Information leakage remains a top security concern, accounting for an average of 19% of total vulnerabilities.
- Rise in cross-site scripting vulnerabilities: In 2022, 19% of high-risk vulnerabilities were cross-site scripting (XSS) flaws.
- Increased risks from third-party software: Vulnerable third-party libraries ranked among the top 10 security issues in 2022, turning up in 25% of tests, which underscores the importance of tracking the versions of all components, including third-party and open-source ones.
This report serves as a valuable resource for industry professionals, offering insights into the evolving landscape of software vulnerabilities and advocating for proactive, multi-layered security measures.