Black Duck Software, Inc. ("Black Duck") announced the publication of the "2024 Software Vulnerability Snapshot" report highlighting various industries' unique challenges and approaches to addressing software vulnerabilities. The report, which analyzes data from over 200,000 dynamic application security testing (DAST) scans conducted by Black Duck on approximately 1,300 applications across 19 industry sectors from June 2023 to June 2024, found significant variations in vulnerability types and remediation practices.
The findings provide insights into the current state of security for web-based applications and systems, and the potential impact of security vulnerabilities on business operations in high-risk sectors such as Finance, Insurance, and Healthcare. Notably, the report identified that the Finance and Insurance sector had the highest number of critical vulnerabilities (1,299), and the Healthcare and Social Assistance sector had the second-highest (992) within the data set.
Of the 96,917 total vulnerabilities identified, the two most critical categories were cryptographic failures (weaknesses in how an application secures sensitive information), with over 30,000 instances, and injection vulnerabilities (when malicious input tricks an application into executing unintended actions or accessing data without proper authorization), with just over 4,800 instances. Both pose significant threats to data across all industries, and potential breaches could lead to the theft of personally identifiable information (PII), financial data, and medical records, resulting in severe financial losses and reputational damage.
Additionally, the report found that there is no one-size-fits-all timeline for remediation. In fact, there is significant variance in mean time to remediate (MTTR) across industries, with stringent regulations forcing Finance and Insurance to move more quickly (28 days for smaller/lower-complexity web assets), compared to the Utilities sector, which had the longest time to close (107 days for smaller/lower-complexity web assets). This is likely due to the sector operating on legacy systems that are difficult to patch and update.
Operational disruptions pose a large business risk, no matter the industry. The research found that widespread security misconfigurations (98% of applications affected) threaten business continuity and service availability.
"The high number of vulnerabilities found from the past year is a clear wake-up call that businesses cannot remain stagnant when deploying new security measures," said Jason Schmitt, CEO, Black Duck. "The longer it takes for an organization to patch a vulnerability, the larger the chance of exploitation. Software risk equates to business risk, and with today's malicious actors being more sophisticated than ever, it's increasingly important that businesses across every sector build trust in their software by implementing a comprehensive and integrated approach."
To learn more, download a copy of the "2024 Software Vulnerability Snapshot" report.