Application security testing is now mainstream, which is a very good thing. As most organizations know, the majority of cyberattacks target the application layer. That means if your software isn’t secure, your products, your organization, and your customers aren’t secure either.
But building trust into software takes much more than running a few automated tools. Not all software security testing regimens are equal. If you lack a full spectrum of application security testing that covers the entire software development life cycle, you can find yourself in trouble, because the great majority of applications still have vulnerabilities.
That’s the message from the 2022 “Software Vulnerability Snapshot” report by the Black Duck Cybersecurity Research Center. The report, based on nearly 4,400 intrusive tests on more than 2,700 software components or systems, found that 95% of applications had at least one vulnerability or misconfiguration, and that 25% of the vulnerabilities found were high or critical risk.
In this episode of AppSec Decoded—the second of two conversations on the report—Chai Bhat, security solutions manager with Black Duck, goes into depth on that and other major takeaways from the report, including
The latest report highlights persistent vulnerabilities in web and software application security, including information disclosure/leakage, misconfigurations, and insufficient transport layer protection. It also emphasizes the risks posed by vulnerable third-party libraries and the importance of software supply chain security.