Micro Focus is now part of OpenText. Learn more >

You are here

You are here

30 app sec stats that matter

Jaikumar Vijayan Freelance writer

Vulnerable applications continue to be the top attack vector in externally caused security breaches at many enterprise organizations.

In a 2019 Forrester Research survey, 42% of organizations that had experienced an external attack blamed the incident on a software security flaw, and 35% said it had resulted from a buggy web application. Organizational efforts to tackle the problem using today's app sec tools are being complicated by the increasing use of open-source components in enterprise apps, accelerating software delivery times and a constantly expanding attack surface.

Here are 30 data points, including analyst, vendor, and research reports and white papers, that provide a snapshot of the current state of application security. 

Vulnerability stats

13,319: Number of vulnerabilities detected in 2019, in 1,607 apps

 The number, which covers apps from 249 vendors, represents a 22.3% decrease from 2018 and a 33.3% decrease from the 19,954 vulnerabilities detected in 2017.

Source: Annual Vulnerability Review 2020 Report, Flexera

19.8%: Reduction in vulnerabilities disclosed, from Q1 2019 to Q1 2020

Researchers from Risk Based Security aggregated a total of 4,968 vulnerabilities in Q1 2020. Out of that, 561 vulnerabilities had a public exploit but did not have any detail in the Common Vulnerabilities and Exposures (CVE) database. According to the report, "Analysis suggests that the count of vulnerabilities disclosed in Q1 2020 may rise to 6,126 as further information comes to light, but will still represent a decline."

Source: 2020 Q1 Report Vulnerability QuickView, Risk Based Security

60.5%: Percentage of vulnerabilities in 2019 that were remotely exploitable

The number of remotely exploitable flaws as a percentage of all flaws increased by 5.3% between 2018 and 2019. At the same time, flaws that could only be exploited on the local network decreased to 30.6% in 2019 from 33% in 2018.

Source: Annual Vulnerability Review 2020 Report, Flexera

42%: Percentage of vulnerabilities in Internet-facing applications that are SQL injection errors

Other common vulnerabilities include cross-site scripting errors (19%), PHP vulnerabilities (16%), remote code execution (7%), and sensitive file disclosure flaws (5%). As the Edgescan report says, "SQL Injection was first discovered in 1998 and still lives happily on the Internet with its cousins XSS and RCE."

Source: Edgescan 2020 Vulnerability Stats Report

61%: Percentage of tested apps that had at least one high- or critical-severity vulnerability not listed in the OWASP Top 10

The number represented a 12% increase over the 49% of tested applications with similar vulnerabilities in 2018.

Source: 2019 Application Security Risk Report, Micro Focus

3.2: Average number of critical application vulnerabilities per website in 2019

The number has remained static over the past three years, though organizations in some industries—such as the arts and entertainment sector and manufacturing—appear to be making some headway in terms of reducing web application vulnerabilities. According to report issuer WhiteHat Security, "IT is one of the worst offenders when it comes to the sheer volume of vulnerabilities. One possibility could be based on its lack of regulation as compared to well-regulated industries like finance or healthcare."

Source: 2019 Application Security Statistics Report, WhiteHat Security

83.9%: Percentage of software vulnerabilities that already had a patch available on the day it was publicly disclosed

Zero-day flaws—or bugs exploited prior to first disclosure—remain relatively rare. Only 20 out of 13,319 vulnerabilities disclosed in 2019 were zero-day flaws. According to Flexera's report, "This highlights the fact there is time to remediate most vulnerabilities before exploitation risk increases."

Source: Annual Vulnerability Review 2020 Report, Flexera

Web app security

20,000: Number of times the average web app was attacked, January and February 2020

A majority of the attackers targeted common vulnerabilities such as path traversal, SQL injection, and XSS vulnerabilities. Nearly all of the attacks (99%) did not reach a targeted vulnerability. Contrast Security noted: "While the large number of unsuccessful attacks might provide some comfort, they also result in excessive noise for security and development teams."

Source: Application Security Intelligence BiMonthly Report, Contrast Security

26%: Proportion of web app vulnerability-scanning targets from 5,000 websites, web apps, servers, and network devices with high-severity vulnerabilities

Some 63% of the websites had vulnerabilities that were classified as being of medium severity. Report author Acunetix warns: "While people might think that web applications in general are slowly getting more secure, the truth is less optimistic. Applications that are protected by web vulnerability scanning are the ones that are becoming more secure."

Source: Web Application Vulnerability Report 2020, Acunetix

36%: Percentage of web application scanning targets with a CSRF flaw

Though the number of sites with cross-site request forgery (CSRF) flaws in them remains high, this year's number is 51% smaller than 2019's. Other vulnerabilities present in a high percentage of websites include cross-site scripting errors (25%) and vulnerable JavaScript libraries (24%).

Source: Web Application Vulnerability Report 2020, Acunetix

17%: Reduction from 2018 to 2019 in the number of web apps containing critical high-risk vulnerabilities

The number of web applications containing severe vulnerabilities in 2019 dropped substantially as well. On average, each web application had 22 vulnerabilities, of which four were severe.

Source: Web Applications Vulnerabilities and Threats, Positive Technologies

11%: Percentage of web applications with 15 or more security vulnerabilities, January and February 2020

Generally, a handful of applications accounted for a large number of vulnerabilities skewing the overall averages as a result. For example, though applications overall had an average of 12 SQL injection errors in them, the vulnerabilities existed only in 9% of tested applications. Notes report author Contrast Security, "For applications that have a large number of vulnerabilities, the noise created by alerts can cause significant bottlenecks."

Source: Application Security Intelligence BiMonthly Report, Contrast Security

The open-source factor

33%: Percentage of application security vulnerabilities stemming from embeddable open-source and third-party components

Between 2018 and 2019 alone, there was a 50% increase in unpatched library vulnerabilities. Says WhiteHat Security: "As more open source and third-party software is embedded, it’s creating an inherently insecure environment for production apps."

Source: 2019 Application Security Statistics Report, WhiteHat Security

99%: Proportion of 1,253 commercial codebases analyzed in 2019 from across 17 industries with open-source code

Out of 1,253 commercial codebases analyzed, a full 100% contained open-source code in nine of the 17 industries looked at. Synopsys said in its report, "Open source components and libraries are the foundation of literally every application in every industry. The need to identify, track, and manage open source has increased exponentially with the growth of its use in commercial software."

Source: 2020 Open Source Security and Risk Analysis Report, Synopsys

75%: Percentage of commercial codebases with at least one security vulnerability

Nearly half (49%) of the analyzed codebases contained high-risk security vulnerabilities. Furthermore, 82% had open-source components in them that were more than four years out of date, and 88% of the components had no development activity in at least two years.

Source: 2020 Open Source Security and Risk Analysis Report, Synopsys

445: Average number of open-source components per commercial codebase analyzed

This number represents a 49% increase from the 298 open-source components per codebase in 2018. Notes Synopsys, "While the percentage of codebases containing open source is nearing 100%, there has also been a dramatic, ongoing increase over the same period of the percentage of codebases comprising open source."

Source: 2020 Open Source Security and Risk Analysis Report, Synopsys

The state of DevSecOps

50%: Average number of apps always vulnerable to exploitation at organizations that have not adopted DevSecOps

For organizations that have implemented a mature DevSecOps approach, the average number of apps that are always vulnerable to attack is 22%. According to WhiteHat Security, "In general, remediation rates have fallen, which is a huge concern. We can attribute this to an increased awareness and focus on application security, which naturally expands the scope of applications to be tested."

Source: 2019 Application Security Statistics Report, WhiteHat Security

89%: Percentage of IT respondents who said security and dev teams need to be in closer contact to create a true DevOps culture

What's more, 77% of the respondents to this 2019 survey of 1,310 IT decision makers said similar communication was necessary between developers, operations, and security; 34% said the siloed nature of these functions makes it harder to create a DevOps culture.

Source: Trend Micro 2019 Global DevOps Survey

58%: Percentage of respondents who said setting common goals can help drive cultural change within IT security, development, and operations teams

In the same survey of IT decision makers, 61% said it is important to foster greater integration between the different teams, and 50% said it is important to share learning experience across the different teams. Concluded Trend Micro in its report, “History of software development shows that the biggest and best process improvements never happen quickly due to the most valuable variable, people, who have existing behavioral patterns and cultural components."

Source: Trend Micro 2019 Global DevOps Survey

8%: Percentage of organizations that have secured at least 75% of their cloud-native apps using DevSecOps

Over the next two years, 68% of organizations plan to use DevSecOps practices to secure a majority of their cloud applications. Said report producer Enterprise Strategy Group, "This study reveals that while organizations have started, there is more work to be done when it comes to securing their cloud-native apps with the benefits DevSecOps offers."

Source: Security for DevOps - Enterprise Survey Report, Enterprise Strategy Group

Cloud-native apps

37%: Percentage of respondents who said API security is their top priority for cloud-native apps

One-third of respondents to a survey of 371 IT and security professionals said their organizations planned to spend more on securing APIs to protect against threats to their cloud app environment. According to Enterprise Strategy Group, "API security was the top area reported for current or projected incremental spend."

Source: Security for DevOps - Enterprise Survey Report, Enterprise Strategy Group

82%: Proportion of organizations with different teams assigned to secure cloud-native applications

About half of these organizations said they planned to merge these responsibilities with other teams in future; 32% plan on retaining a separate team for cloud application security.

Source: Security for DevOps - Enterprise Survey Report, Enterprise Strategy Group

Scanning for vulnerabilities

83%: Percentage of apps with at least one security flaw at initial vulnerability scan

From a sample of over 85,000 applications across some 2,300 companies globally, 70% of development organizations reduce the number of flaws in their code after the initial scan or do not introduce any new flaws. Said report issuer Veracode, "The research found that fixing vulnerabilities has become just as much a part of the development process as improving functionality, suggesting developers are shifting their mindset to view the security of their code as equal to other value metrics."

Source: 10th State of Software Security Report, Veracode

64%: Of bugs found on initial scans of application code, percentage related to information leakage

The two other most common flaws uncovered during an initial scan were cryptographic vulnerabilities (62%) and CRLF injection (61%).

Source: 10th State of Software Security Report, Veracode

68: Median number of days required to remediate apps that are scanned less than once per month

Meanwhile, the median time to remediate applications that are scanned daily is just 19 days. Said Veracode, "Frequent scanning does more than help find flaws; it helps companies significantly reduce risk."

Source: 10th State of Software Security Report, Veracode

Days to remediate

50.5: Average number of days it took for organizations to remediate critical vulnerabilities in Internet-facing apps

The average time to patch an Internet-facing system in 2019 was 71 days; for an internal system the average time to patch was 50 days. Report author Edgescan also said, "On average 67.8% of assets had at least one CVE with a CVSS score of 4.0 or more. From a PCI DSS standpoint, this would result in an average of 67.8% of assets failing PCI compliance."

Source: Edgescan 2020 Vulnerability Stats Report




13%: Percentage of security pros who hadn't patched their web application frameworks at all over the past 12 months

Nearly six in 10 (59%) of global firms use web application firewalls (WAFs) to protect against threats. But 38% said they didn't use a WAF because they don't process sensitive information via their web apps.

Source: 2019 Barracuda Networks Survey


32%: Percentage of security decision makers that implemented IAST in their dev environment in 2019

Some 35% implement dynamic application security testing (DAST) during the development phase. Over the next 12 months, more decision makers (39%) plan to implement interactive application security testing (IAST) in development compared to DAST (34%). Notes Forrester in this report, "The move from DAST to IAST helps teams embed security into their existing development processes."

Source: The State of Application Security 2020, Forrester Research

Container security

37%: Percentage of security pros that plan to implement container security during development

About 20% of security professionals plan to implement container security during software design. Cautions Forrester, "Security pros must continue to invest in container security at the early phases of the lifecycle to use trusted images and secrets management."

Source: The State of Application Security 2020, Forrester Research

Software composition analysis

37%: Percentage of organizations that plan to do SCA during development to reduce risk from vulnerable open-source components

However, 39% of firms surveyed still plan on doing software composition analysis (SCA) only during the testing phase, where remediation is much harder. Said Forrester about that: "As open source vulnerabilities continue to increase, teams will benefit from SCA implementations that help them prioritize vulnerabilities and remediate them in line with the development process."

Source: The State of Application Security 2020, Forrester Research

Why these numbers matter

Beyond the alarming nature of some of these numbers lies the practical takeaways. For DevOps, QA, and dedicated app sec teams, this is what will move the needle in the right direction. 

Keep learning

Read more articles about: SecurityApplication Security