32 application security stats that matter

Jaikumar Vijayan, Freelance writer

Application security is a moving target. Business requirements and the need for speed are pushing many development organizations to release software quickly, continuously, and at the expense of security. While a growing number of organizations have begun adopting automated testing and DevSecOps approaches to address some of these concerns, the state of application security still remains an area of major concern in most enterprises.

The following is a collection of 32 data points that provide a quick snapshot of application security today. We have gathered the statistics from a variety of analyst reports, vendor surveys, and research studies covering the most important trends and practices around application security.

Here's a look at application security by the numbers.

85.1: The average number of apps that can be easily discovered externally and improperly accessed

Access to websites belonging to 70% of the companies on the Financial Times (FT) 500 list can be found on the dark web, because the apps are not protected with strong authentication and other access-control measures.

Source: Abandoned Web Applications: Achilles' Heel of FT 500 Companies, High-Tech Bridge Security Research

92%: Percentage of web applications with security flaws or weaknesses that can be exploited

Some 16.2% of US companies have two or more external web applications that accept personally identifiable information (PII) through web forms while also running a vulnerable version of SSL/TLS, and in some cases outdated, vulnerable versions of other web software as well.

Source: Abandoned Web Applications: Achilles' Heel of FT 500 Companies, High-Tech Bridge Security Research

66%: Proportion of IT execs whose organizations experienced application-layer DDoS attacks

More than half (56%) of 790 executives from this 2018 survey said they had to change their public-facing applications on a monthly basis to address security threats. The rest made even more frequent web app changes.

Source: 2018–2019 Global Application & Network Security Report, Radware

13: The average number of vulnerabilities on construction company websites found via DAST

Of the vulnerabilities found using dynamic application security testing, an average of five were serious. Finance, retail, and healthcare—among the most targeted sectors—had fewer serious vulnerabilities, with an average of 1.6, 2.7, and 1.7 on their websites, respectively. 

Source: 2018 Application Security Statistics Report, WhiteHat Security

86%: Percentage of tested applications with one or more session management vulnerabilities

In a large number of cases, attackers were able to hijack or eavesdrop on a user session because of input validation errors, such as a failure to sanitize user input or to validate it properly. Input validation was the second most common type of error, with 59% of tested applications having one or more such flaws.

Source: 2018 Trustwave Global Security Report

16%: Percentage of security vulnerabilities in tested applications that are medium, high, or critical risk

The most common high-risk vulnerabilities discovered during penetration testing are cross-site scripting errors, default credential use, and vertical privilege escalation flaws.

Source: 2018 Trustwave Global Security Report

19,954: Total number of detected vulnerabilities in 1,865 applications from 259 vendors in 2017

The number represented a 14% increase over the 17,147 discovered flaws in 2016, and a 38% jump compared to five years ago.

Source: Vulnerability Review 2018, Flexera Software

14: Total number of zero-day vulnerabilities reported in 2017

The number of zero-day flaws (vulnerabilities exploited before they were disclosed) represented a nearly 40% decrease from the 23 zero-day vulnerabilities in 2016. Zero-day exploits can cause significant damage, but the numbers show that they remain a rare threat.

Source: Vulnerability Review 2018, Flexera Software

86%: Percentage of vulnerabilities that had a patch available within 24 hours of disclosure

The speed of patch availability gave organizations more of an opportunity to remediate serious and high-impact application vulnerabilities before they were exploited in 2017. The shift marked a five-point increase over 2016.

Source: Vulnerability Review 2018, Flexera Software

38: The average number of days it took to patch a web application vulnerability regardless of severity

Typically, businesses took 54 days to patch low-severity vulnerabilities and 34 days to patch high-severity vulnerabilities in Q2 2018, and an average of 38 days to patch a web application vulnerability regardless of severity.

Source: Security Report for In-Production Web Applications, tCell

70%: The proportion of code in apps composed of open-source software, third-party libraries, etc.

The number of serious vulnerabilities in open-source software, third-party libraries, and other reusable components continues to increase at a rate that makes remediation nearly impossible for teams that don't adopt measures for tracking third-party component use.

Source: 2018 Application Security Statistics Report, WhiteHat Security

45%: The percentage of vulnerabilities discovered during DAST that result in information leaks

Nearly half of the vulnerabilities discovered during dynamic application security tests result in information leaks. The next three most common DAST findings are content spoofing (40%), cross-site scripting (38%), and insufficient transport layer protection (23%).

Source: 2018 Application Security Statistics Report, WhiteHat Security

44%: Percentage of respondents whose organizations find flaws primarily with Nessus

Of 437 respondents in this survey, almost half said their organizations find application vulnerabilities primarily with Nessus. The figure was 20 points higher than any other vulnerability assessment product or tool.

Source: 2018 Application Security Report, Cybersecurity Insiders

70%: Percentage of organizations that primarily do pen tests to test effectiveness of security controls

While seven in 10 say the primary reason for doing penetration tests is to validate the effectiveness of their security controls, six in 10 use pen tests to identify weaknesses that could potentially be exploited by an attacker. About half do it to meet regulatory or compliance requirements.

Source: The Cybersecurity and Penetration Testing Survey 2018, conducted by Decision Analyst and commissioned by SecureAuth + Core Security

84%: The percentage of organizations using red and blue team security testing

More than eight in 10 organizations that do pen testing use red and blue team security testing because they think the methods are effective. Midsize and large companies tend to do penetration testing more often than smaller firms.

Source: The Cybersecurity and Penetration Testing Survey 2018, conducted by Decision Analyst and commissioned by SecureAuth + Core Security

16%: The proportion of IT decision makers whose organizations don't conduct any penetration tests

About one in six respondents in a survey of 202 IT decision makers said the organizations they represent don't conduct any penetration tests or were unaware if they did. Six percent did it less than once a year, and 75% said their organizations conducted pen tests several times a year.

Source: The Cybersecurity and Penetration Testing Survey 2018, conducted by Decision Analyst and commissioned by SecureAuth + Core Security

31%: The percentage of organizations that experienced a breach because of open source

Nearly a third of respondents in a survey of 2,076 IT professionals said their organizations had experienced a breach related to vulnerable open-source components in their software. The number represented a 55% increase over 2017.

Source: 2018 DevSecOps Community Survey, Sonatype

38%: The proportion of companies with a complete bill of materials for all components in their software

Less than four in 10 organizations have a complete bill of materials for all the components in their software products. Nearly two-thirds (62%) do not have any control over what components are used in their applications.

Source: 2018 DevSecOps Community Survey, Sonatype
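To make concrete what "measures for tracking third-party component use" and a component bill of materials look like in practice, here is a small example written for this article; it is not code from the article or from any of the reports cited here. It assumes a Python project whose dependencies are declared in a requirements-style file, builds an inventory of every third-party component and its pinned version, and checks that inventory against an advisory table so the team can see which components need updating and which cannot be assessed at all because they are not pinned. The package names and advisory identifiers are constructed placeholders, not real packages or CVE numbers.

```python
"""Minimal component inventory (bill-of-materials) check.

Added example, not from the article or any vendor report it cites.
It parses a constructed pinned requirements list, records every
third-party component and version (the inventory), and compares it
against a constructed advisory table. Package names and advisory
identifiers are made up for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed requirements file: three pinned components, one unpinned.
REQUIREMENTS = """\
# constructed sample, not a real project
webframework==2.1.0
imagelib==1.4.2
jsonparser>=3.0   # a range, not an exact pin
tlswrapper==0.9.1
"""

# Constructed advisory table: component -> [(advisory id, first fixed version)].
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "imagelib": [("EXAMPLE-ADV-0001", "1.4.3")],
    "tlswrapper": [("EXAMPLE-ADV-0002", "1.0.0")],
    "webframework": [("EXAMPLE-ADV-0003", "2.0.5")],
}

# name, comparison operator, version (comments are stripped before matching)
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2); a non-numeric segment counts as 0."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def build_inventory(text: str) -> Dict[str, Optional[str]]:
    """Map component name -> exact pinned version, or None when not pinned."""
    inventory: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        # Only an exact pin tells us what is actually deployed.
        inventory[name] = version if op == "==" else None
    return inventory


def find_actionable(inventory: Dict[str, Optional[str]],
                    advisories: Dict[str, List[Tuple[str, str]]]
                    ) -> List[Tuple[str, str, str, str]]:
    """Return (component, installed, advisory, fixed_in) for every pinned
    component whose version is older than the first fixed version."""
    findings = []
    for name, version in inventory.items():
        if version is None:
            continue  # unpinned: reported separately, cannot be assessed
        for adv_id, fixed_in in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, adv_id, fixed_in))
    return findings


def unpinned(inventory: Dict[str, Optional[str]]) -> List[str]:
    """Components the inventory cannot vouch for because they have no exact pin."""
    return sorted(n for n, v in inventory.items() if v is None)


def report(text: str = REQUIREMENTS,
           advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES) -> Dict[str, object]:
    """Build the inventory and summarise what needs attention."""
    inv = build_inventory(text)
    return {
        "components": len(inv),
        "unpinned": unpinned(inv),
        "actionable": find_actionable(inv, advisories),
    }


if __name__ == "__main__":
    r = report()
    print(f"{r['components']} third-party components in inventory")
    for name in r["unpinned"]:
        print(f"  UNPINNED  {name}: no exact version, cannot be assessed")
    for name, installed, adv_id, fixed_in in r["actionable"]:
        print(f"  UPDATE    {name} {installed} -> {fixed_in} ({adv_id})")
```

Note that webframework is not flagged: its pinned 2.1.0 is already newer than the version that fixes the constructed advisory, which is the distinction a bill of materials lets a team make quickly. The unpinned jsonparser entry is the case the survey's "no control over what components are used" figure describes; without an exact version there is nothing to compare against an advisory.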

48%: The percentage of developers who lack time to spend on security issues they believe are important

Nearly one-half of developers say they don't have enough time to spend on security, even though they are aware of its importance.

Source: 2018 DevSecOps Community Survey, Sonatype

37%: Percentage of organizations practicing DevOps who say static application analysis tools are critical 

While nearly four in 10 companies with mature DevOps practices say static analysis tools are critical, only 12% of organizations with no DevOps practices say the same thing. About one third (33%) of organizations with mature DevOps use dynamic analysis tools, compared to just 8% of organizations that have not adopted DevOps.

Source: 2018 DevSecOps Community Survey, Sonatype

21%: The proportion of vulnerabilities discovered via SAST that are related to unpatched libraries

While about one in five flaws discovered via static application security tests is related to unpatched libraries, other common vulnerability classes discovered during SAST include application misconfiguration (10.5%), cross-site scripting (8.3%), and clear-text passwords (6.5%).

Source: 2018 Application Security Statistics Report, WhiteHat Security

28%: The percentage of CIOs and CTOs who own the application security risk management processes

While more than a quarter of these C-level execs have responsibility for app sec risk, chief information security officers (CISOs) own the responsibility in just 10% of organizations—even though they are often the first to get blamed in the event of a security breach.

Source: 2018 Application Protection Report, F5 Labs

13%: The proportion of web application breaches caused by access issues and attacks

Just over one in 10 web application breaches in 2017 and the first quarter of 2018 were caused by access-related issues. Examples include access control misconfigurations, brute-force password cracking, and credential stuffing with stolen passwords.

Source: 2018 Application Protection Report, F5 Labs

52%: The percentage of developers using third-party components who update when flaws are disclosed

About half of all developers that use third-party components in their applications update the components when new security vulnerabilities are disclosed. Nearly half of them do not update known vulnerable components, exposing apps to unnecessary risk.

Source: Vanson Bourne DevSecOps Survey Report, commissioned by Veracode

71%: The proportion of developers who said their companies have a formal app sec program in place

In this 2018 survey of 400 developers, 25% said their organizations did not have an app sec program in place, and 4% said they didn't know whether their organization had one or not.

Source: Vanson Bourne DevSecOps Survey Report, commissioned by Veracode

19%: The percentage of developers unfamiliar with the OWASP Top 10

Nearly one in five developers said they are not at all familiar with the Top 10 OWASP application security risks. Almost a quarter (22%) of software designers are not at all familiar, compared to 20% of team leaders and 10% of team managers.

Source: Vanson Bourne DevSecOps Survey Report, commissioned by Veracode

90%: The percentage of apps with at least one flaw not covered by the OWASP Top 10

Nine in 10 applications had at least one security flaw that was not addressed by the OWASP Top 10. Almost half (49%) of tested applications have one or more critical or high-severity security vulnerabilities not covered by the OWASP Top 10.

Source: 2018 Application Security Research Update, Micro Focus Fortify Software Security Research Team

$7 billion: The estimated size of the application security market by 2023 

Enterprise spending on security scanning tools will more than double between now and then, fueling much of that growth.

Source: Forrester Research

25%: The percentage of IT and security teams that say their organization's app sec spending is adequate

A quarter of organizations in a survey of 1,400 IT and security practitioners said their organizations were spending adequately on application security. Nearly half (48%) of business managers perceive application performance and speed to be more important than security.

Source: 2018 Global Study on Application Security, Arxan Technologies

65%: The proportion of companies that would increase app sec spend if customers were affected

More than six in 10 companies would increase application security spending only if a customer or end user was negatively affected in a breach. This is despite the fact that nearly three-quarters of organizations likely, most likely, or definitely experienced an application-related cyberattack or breach in the preceding 12 months.

Source: 2018 Global Study On Application Security, Arxan Technologies

45%: The percentage of companies that faced attacks on known, but unpatched cloud app flaws

Almost half of organizations running cloud applications have experienced one or more attacks on known but unpatched application vulnerabilities, on previously unknown vulnerabilities, or on known, unpatched OS vulnerabilities.

Source: Oracle and KPMG Cloud Threat Report 2018

30%: The proportion of companies with cloud apps who say identifying vulnerabilities is a priority

Nearly one third of businesses with applications in the cloud say identifying application software vulnerabilities is one of their most critical security tasks. Other areas where organizations want to improve visibility into cloud-hosted workloads include identifying noncompliant workload configurations, anomalous workload activity, and anomalous privileged user activity.

Source: Oracle and KPMG Cloud Threat Report 2018

Which app sec stats keep you and your team up at night? Share your thoughts in the comments section below and interact with your peers.