There has been a significant decrease in vulnerabilities found in target applications – from 97% in 2020 to 83% in 2022 – an encouraging sign that code reviews, automated testing and continuous integration are helping to reduce common programming errors, according to Synopsys.
The report details three years of data (2020 – 2022) derived from tests run by Synopsys Security Testing Services, with targets made up of web applications, mobile applications, network systems and source code.
Tests are designed to probe running applications as a real-world attacker would, incorporating multiple security testing techniques including penetration (pen) testing, dynamic application security testing (DAST), mobile application security testing (MAST) and network security testing.
Although this is a positive development for the industry, the data also demonstrates that relying on a single security testing solution such as static application security testing (SAST) is no longer sufficient as an approach.
For example, server misconfigurations represented an average of 18% of the total vulnerabilities found in the three years of tests. Without a multilayered security approach that combines SAST to identify coding flaws, DAST to examine running applications, software composition analysis (SCA) to identify vulnerabilities introduced by third-party components, and penetration testing to identify issues that might have been missed by internal testing, these types of vulnerabilities will likely go unchecked.
Decrease in known software vulnerabilities
Advancements in programming languages and integrated development environments (IDEs) now provide built-in checks and tools that help developers catch errors before they become significant issues. In the case of popular open source projects, many communities have also ramped up their scrutiny of code, leading to higher quality standards.
Unfort ..
Support the originator by clicking the read the rest link below.
