Vulnerable applications continue to be the top attack vector in externally caused security breaches at many enterprise organizations. In a 2019 Forrester Research survey, 42% of organizations that had experienced an external attack blamed the incident on a software security flaw, and 35% said it had resulted from a buggy web application. Organizational efforts to tackle the problem using today's app sec tools are being complicated by the increasing use of open-source components in enterprise apps, accelerating software delivery times and a constantly expanding attack surface.
Here are 30 data points, including analyst, vendor, and research reports and white papers, that provide a snapshot of the current state of application security.
Security Vulnerability Stats
13,319: Number of vulnerabilities detected in 2019, in 1,607 apps
19.8%: Reduction in vulnerabilities disclosed, from Q1 2019 to Q1 2020
60.5%: Percentage of vulnerabilities in 2019 that were remotely exploitable
42%: Percentage of vulnerabilities in Internet-facing applications that are SQL injection errors
61%: Percentage of tested apps that had at least one high- or critical-severity vulnerability not listed in the OWASP Top 10
3.2: Average number of critical application vulnerabilities per website in 2019
83.9%: Percentage of software vulnerabilities that already had a patch available on the day they were publicly disclosed
Web Application Security
20,000: Number of times the average web app was attacked, January and February 2020
26%: Proportion of 5,000 web app vulnerability-scanning targets (websites, web apps, servers, and network devices) that had high-severity vulnerabilities
36%: Percentage of web application scanning targets with a CSRF flaw
17%: Reduction from 2018 to 2019 in the number of web apps containing critical high-risk vulnerabilities
11%: Percentage of web applications with 15 or more security vulnerabilities, January and February 2020
The Open Source Factor
33%: Percentage of application security vulnerabilities stemming from embeddable open-source and third-party components
99%: Proportion of 1,253 commercial codebases analyzed in 2019 from across 17 industries with open-source code
75%: Percentage of commercial codebases with at least one security vulnerability
445: Average number of open-source components per commercial codebase analyzed
The State of DevSecOps
50%: Average proportion of apps always vulnerable to exploitation at organizations that have not adopted DevSecOps
89%: Percentage of IT respondents who said security and dev teams need to be in closer contact to create a true DevOps culture
58%: Percentage of respondents who said setting common goals can help drive cultural change within IT security, development, and operations teams
8%: Percentage of organizations that have secured at least 75% of their cloud-native apps using DevSecOps
Cloud Native Applications
37%: Percentage of respondents who said API security is their top priority for cloud-native apps
82%: Proportion of organizations with different teams assigned to secure cloud-native applications
Scanning for Vulnerabilities
83%: Percentage of apps with at least one security flaw at initial vulnerability scan
64%: Percentage of bugs found on initial scans of application code that were related to information leakage
68: Median number of days required to remediate apps that are scanned less than once per month
Days to Remediate
50.5: Average number of days it took for organizations to remediate critical vulnerabilities in Internet-facing apps
Patching
13%: Percentage of security pros who hadn't patched their web application frameworks at all over the past 12 months
Interactive Application Security Testing (IAST)
32%: Percentage of security decision makers that implemented IAST in their dev environment in 2019
Container Security
37%: Percentage of security pros that plan to implement container security during development
Software Composition Analysis (SCA)
37%: Percentage of organizations that plan to do SCA during development to reduce risk from vulnerable open-source components
Beyond the alarming nature of some of these numbers lie the practical takeaways. For DevOps, QA, and dedicated app sec teams, these are what will move the needle in the right direction. At Service Ventures, we are keeping an eye on founders with interesting startups that are addressing some of the above requirements.
/Service Ventures Team