2024 Software Vulnerability Snapshot
Insights into Critical Vulnerabilities from over 200,000 Application Security Scans by Black Duck

Table of contents
- Executive Summary (p. 1)
- About Black Duck (p. 1)
- Key Findings (p. 1)
- Potential Business Impact Suggested by the Data (p. 3)
- Recommendations (p. 4)
- Industry Sectors Represented in This Report (p. 5)
- Fundamentals of Dynamic Application Security Testing (p. 6)
- Key Characteristics of DAST (p. 6)
- DAST in the Modern Security Landscape (p. 6)
- DAST and Other Testing Methodologies (p. 6)
- DAST in Preproduction and Production (p. 7)
- Vulnerability Landscape Analysis (p. 8)
- Top 10 Vulnerability Classes Identified (p. 8)
- Critical-Risk and Urgent Vulnerabilities (p. 10)
- OWASP Top 10 Category Analysis (p. 11)
- Industry-Specific Vulnerability Trends (p. 12)
- The Interplay of DAST, SAST, and SCA (p. 15)
- Comparative Strengths in Detecting Specific Vulnerabilities (p. 15)
- Synergies Between Testing Methodologies (p. 16)
- Conclusion (p. 17)

Executive Summary

This report analyzes data from over 200,000 dynamic application security testing (DAST) scans conducted by Black Duck on approximately 1,300 applications across 19 industry sectors from June 2023 to June 2024. The findings provide insights into the current state of security for web-based applications and systems, and the potential impact of security vulnerabilities on business operations in high-risk sectors such as Finance, Insurance, and Healthcare. The report also examines how DAST offers a crucial complement to other security testing methods, such as static application security testing (SAST) and software composition analysis (SCA), and provides a unique perspective on application security by mimicking real-world attack scenarios.

About Black Duck

Formerly the Synopsys Software Integrity Group, Black Duck offers the most comprehensive, powerful, and trusted portfolio of AppSec solutions in the industry. We have an unmatched track record of helping organizations secure their software quickly, integrate security efficiently in their development environments, and safely innovate with new technologies.

Key Findings

The Vulnerability Landscape

A total of 96,917 vulnerabilities were identified in scans conducted in 2023-24. These are the top critical-risk vulnerabilities identified.

Cryptographic Failures (Sensitive Data Exposure)

These are weaknesses in how an application secures sensitive information. This category includes issues like not encrypting important data when it's being sent over the internet, using outdated or weak encryption methods, and failing to properly protect passwords or other secret information. These failures can lead to data breaches, where attackers can steal or tamper with sensitive information such as personal details, financial data, or login credentials. This category of weakness was found to be widespread in our DAST analysis, affecting 86% of clients and accounting for 30,726 vulnerabilities, including 4,882 critical-risk instances. This makes it one of the most common and serious security issues across industries. To address these vulnerabilities, organizations need to implement strong encryption practices, use up-to-date security protocols, and ensure that sensitive data is properly protected both when it's being transmitted and when it's stored.

Injection Vulnerabilities

This is a type of security vulnerability that allows an attacker to insert malicious code or commands into an application, tricking it into executing unintended actions or accessing data without proper authorization. The analysis found 4,814 Injection vulnerabilities, with a high per-client prevalence of 59%. This category had the second-highest number of critical vulnerabilities (2,491), indicating its potential for causing severe security breaches. Injection vulnerabilities often occur when user input is not properly validated or sanitized before being used in database queries, operating system commands, or web page content. Common Injection attacks include SQL Injection, Command Injection, and Cross-Site Scripting (XSS), with successful attacks leading to data theft, unauthorized data manipulation, or even full system compromise. To prevent Injection vulnerabilities, organizations need to implement proper input validation, use parameterized queries, and follow secure coding practices. While both SAST and DAST can detect Injection vulnerabilities, DAST is particularly effective at identifying complex, runtime-dependent issues. Regular security testing, especially using DAST, can help identify and address these vulnerabilities.
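The Injection finding above recommends parameterized queries. As an added illustration (not code from the report or from Black Duck), the following Python snippet places a deliberately vulnerable lookup that concatenates user input into SQL text beside its parameterized form, and runs both against an in-memory SQLite table. The table, the two lookup functions, the compare() harness, and the sample inputs are all constructed for this example; none of it comes from the scan data.

```python
import sqlite3

# Constructed sample data: a tiny users table standing in for an application database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, username):
    """Deliberately vulnerable: untrusted input is spliced into the SQL text, so the
    input can change the meaning of the query (the report's Injection class)."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_parameterized(conn, username):
    """Hardened: the SQL text is fixed and the input is bound as a parameter, so the
    database always treats it as a literal value, never as part of the statement."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username):
    """Run both variants on the same input.

    Returns (vulnerable_result, parameterized_result); the vulnerable result is a
    list of emails, or an 'error: ...' string when the built query fails to parse."""
    conn = make_db()
    try:
        try:
            vulnerable = lookup_email_vulnerable(conn, username)
        except sqlite3.Error as exc:
            vulnerable = "error: " + str(exc)
        parameterized = lookup_email_parameterized(conn, username)
    finally:
        conn.close()
    return vulnerable, parameterized


if __name__ == "__main__":
    # Benign input: both variants return the same single row.
    print(compare("alice"))
    # Input containing a quote character: the concatenated query is malformed and
    # raises, while the parameterized query simply finds no such user.
    print(compare("o'brien"))
    # Tautology input: the concatenated query returns every email in the table, while
    # the parameterized query still returns nothing because no username matches literally.
    print(compare("' OR '1'='1"))
```

The three inputs correspond to what a DAST scanner observes from the outside: identical behaviour on benign input, a server error on a stray quote (the symptom that usually reveals the class), and over-broad data return on a tautology. The parameterized version gives the same answer for all three, which is the property a fix has to restore; the compare() harness can be kept as a regression test while string-built queries are being retired.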
Industry-Specific Insights

High-risk sectors included Finance and Insurance (1,299 critical vulnerabilities), Healthcare and Social Assistance (992 critical vulnerabilities), and Information Services (446 critical vulnerabilities). The Finance and Insurance industry (FSI) had the highest number of critical vulnerabilities across all site complexities, with 565 critical vulnerabilities identified for small FSI sites, 580 for medium sites, and 154 for large sites. The next-highest industry was Healthcare and Social Assistance, with 367, 486, and 139 critical vulnerabilities for small, medium, and large sites respectively. The data indicates that small and medium-sized sites tend to have more critical vulnerabilities than larger sites, particularly in the FSI sector.

Time-to-Close Analysis

The data shows significant variations across industries in vulnerability time-to-close. For critical vulnerabilities, the Utilities industry had the longest time-to-close across all sites. The extended time-to-close for small (107 days) and medium (876 days) sites versus large (1 day) sites in the Utilities sector may be due to limited cybersecurity resources and budget constraints. Utilities often operate with legacy systems that are difficult to patch and update. Large sites might have dedicated security teams and more robust processes, allowing them to address vulnerabilities more quickly. The next-longest time-to-close was in the Educational Services sector, with closure times of 342 days for small sites, 111 days for medium sites, and 1 day for large sites. Small educational institutions often face budget limitations and may lack dedicated cybersecurity personnel, leading to longer times to address vulnerabilities. Large educational institutions such as major universities, however, are likely to have better-funded IT departments and more resources to quickly mitigate critical vulnerabilities. Conversely, Finance and Insurance closed critical vulnerabilities for small sites in just 28 days, medium sites in 53 days, and large sites in 78 days. This sector is heavily regulated and deals with highly sensitive data, necessitating a rapid response to vulnerabilities. These organizations typically have substantial cybersecurity budgets and dedicated teams to ensure compliance with regulations like the Payment Card Industry Data Security Standard (PCI DSS) and to protect financial data. Organizations in the Healthcare and Social Assistance sector took an average of 87 days to close critical vulnerabilities for small sites, 30 days for medium sites, and 20 days for large sites. The Healthcare sector is also highly regulated (e.g., by the Health Insurance Portability and Accountability Act, HIPAA) and handles sensitive patient data, which drives the need for prompt vulnerability remediation. Larger Healthcare organizations often have more resources and dedicated security teams, enabling faster closure times. The variations in time-to-close metrics across different sectors highlight the impact of resource allocation and the challenges legacy systems can pose for security initiatives. Sectors with significant regulatory pressures and sensitive data tend to act swiftly to mitigate vulnerabilities, reflecting their proactive stance. On the other hand, sectors with limited resources and budget constraints face longer exposure times, underscoring the need for tailored cybersecurity strategies and increased investment in under-resourced industries.

Black Duck analysts use a proprietary metric to rank the relative "site complexity" of applications assessed by Black Duck Continuous Dynamic scanning. This metric is based on the number and sophistication of interactions performed during the scanning process. Applications with less complexity may have minimal interactivity and a simple crawl tree, that is, an application with a straightforward structure of URLs. Higher-complexity applications may have many interactive elements and dynamically generated content. This metric allows our specialists to customize scan behaviors, adjusting the depth and aggression of scans based on the complexity of the application. The complexity metric can also be weighted across industries for comparison and baselining.

Potential Business Impact Suggested by the Data

These are some of the risks of these vulnerabilities.

- Data Breaches: Sensitive Data Exposure and Injection vulnerabilities pose significant threats to sensitive data across all industries, potentially leading to data leaks, fines, financial losses, and reputational damage. Sensitive data at risk includes personally identifiable information such as Social Security numbers, banking information, login credentials, credit card numbers, medical records, and trade secrets.
- Regulatory Noncompliance: High-risk sectors face increased exposure to noncompliance with data protection regulations, risking severe penalties. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) applies to critical infrastructure sectors (including FSI, Healthcare, and Waste Management, among others) and requires covered entities to report covered cyber incidents and ransomware payments to CISA. PCI DSS applies to all organizations that handle credit card information and mandates security standards for protecting cardholder data. HIPAA requires protection of patient health information and mandates reporting of data breaches. For organizations handling the data of EU citizens, the General Data Protection Regulation (GDPR) requires strict data protection measures and breach reporting.
- Operational Disruptions: Widespread security misconfigurations and Denial-of-Service vulnerabilities across industry sectors threaten business continuity and service availability. Operational disruptions caused by vulnerabilities and misconfigurations can have significant consequences across sectors. In the Healthcare sector, for example, some of the potential critical disruptions include:
  - Disruption of Life-Saving Equipment: A cyberattack that targets a hospital's network could lead to the shutdown of critical medical devices such as ventilators, infusion pumps, and heart monitors. Patients relying on these devices for life support could face immediate life-threatening situations. For example, if ventilators are turned off, patients who cannot breathe independently may suffer severe health consequences or even death.
  - Compromise of Electronic Health Records: A ransomware attack that encrypts patient records would make them inaccessible to healthcare providers. The inability to access patient histories, medication records, and treatment plans could lead to delays in care, incorrect treatments, and medication errors. This can severely impact patient outcomes, particularly in emergency situations where timely access to accurate information is critical.
  - Medication Errors Due to Pharmacy System Interruptions: An exploited vulnerability in a pharmacy system could cause the system to go offline. Interruptions in the pharmacy system can lead to delays in dispensing medications, incorrect dosages, or missed treatments. This can be particularly dangerous for patients with critical conditions requiring precise medication management.
- Extended Vulnerability Exposure: Long closure times in sectors like Utilities and Educational Services increase the risk of exploitation and potential business impact. For example, a vulnerability in a power grid control system that remains unpatched could lead to prolonged power outages affecting millions of households and businesses. In extreme cases, it could result in cascading failures across interconnected power systems, potentially causing blackouts across entire regions. A vulnerability in a water treatment plant's control system going unaddressed could potentially alter chemical treatment processes, leading to water contamination. This could result in widespread illness, the need for extensive system flushing, and a loss of public trust in water safety. In the Educational Services sector, an unaddressed vulnerability in a student information system could lead to the exposure of sensitive student data, including personal information, academic records, and financial details. Such a breach could result in identity theft, academic fraud, and violation of privacy laws like FERPA, leading to legal consequences and loss of trust in the institution.

Recommendations

Based on the findings from the over 200,000 scans conducted by Black Duck, organizations should prioritize addressing Sensitive Data Exposure (called Cryptographic Failures in the OWASP 2021 taxonomy) and Injection vulnerabilities, including SQL Injection and Cross-Site Scripting, especially in high-risk sectors. Organizations in all sectors should focus on reducing time-to-close for critical vulnerabilities, particularly in sectors that permit long remediation times. Security misconfigurations across all industries should be addressed to minimize potential information disclosure and reputational damage. Overall, development and security teams should implement a multifaceted security approach integrating DAST, SAST, and SCA to achieve the most comprehensive coverage throughout the software development life cycle. The findings indicate that if such a full-spectrum approach to application security testing were applied, potential exposure to critical vulnerabilities would be markedly reduced.

Industry Sectors Represented in This Report

- Agriculture, Forestry, Fishing and Hunting
- Construction
- Wholesale Trade
- Real Estate Rental and Leasing
- Management of Companies & Enterprises
- Manufacturing
- Administrative Support & Waste Management
- Accommodation and Food Services
- Arts, Entertainment, and Recreation
- Educational Services
- Finance and Insurance
- Healthcare and Social Assistance
- Information Services
- Other Services
- Professional, Scientific, and Technical Services
- Public Administration
- Retail Trade
- Transportation and Warehousing
- Utilities

[Figure: chart legend repeating the sector names above for each chart; the legend also lists Mining/Quarrying, Oil/Gas Extraction.]
Fundamentals of Dynamic Application Security Testing

DAST is a critical component in the application security landscape, particularly as organizations grapple with increasingly complex and vulnerable web applications. This section provides a comprehensive overview of DAST, its significance, and its role in a robust application security strategy.

Key Characteristics of DAST

DAST is a black-box security testing methodology that analyzes applications in their running state, without any privileged access to that application's design, architecture, or internals. Unlike SAST, which examines source code, DAST simulates real-world attacks on a live application, identifying vulnerabilities that may manifest only during runtime or in interactions between multiple subsystems. This approach allows DAST to detect issues such as authentication problems, server configuration errors, and Cross-Site Scripting vulnerabilities that might be missed by other testing methods.

The key characteristics of DAST include:
- External perspective testing, mimicking an attacker's view
- Visibility into trending behaviors
- Runtime analysis of applications
- Continuous testing
- Ability to test without access to source code

DAST in the Modern Security Landscape

The relevance of DAST has grown significantly due to several factors.
- The increasing complexity of web applications: With the rise of the microservices architecture, API-driven development, and cloud-native applications, attack surfaces have expanded considerably.
- Evolving cyberthreats: As attackers become more sophisticated, DAST's ability to simulate real-world attacks becomes invaluable.
- Regulatory compliance: Regulatory frameworks like GDPR and PCI DSS require robust, continuous security testing, making DAST an essential tool for compliance.
- DevSecOps integration: DAST's ability to be integrated within continuous integration/continuous deployment (CI/CD) pipelines aligns with modern DevSecOps practices.
- Cost implications: Early detection of vulnerabilities can significantly reduce the cost of fixing security issues after deployment.

DAST and Other Testing Methodologies

While DAST is powerful, it's most effective when used in conjunction with other security testing methods. For example, SAST's strengths include early detection of coding flaws, but it may miss runtime vulnerabilities or unintended interactions between components, which can be found by DAST. Likewise, SCA identifies vulnerabilities in third-party components; DAST can verify if these vulnerabilities are exploitable in a running application. By implementing DAST in conjunction with other testing methodologies, organizations can significantly enhance their security posture in a complex online application landscape.
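To make the external, source-free perspective concrete, here is an added example (not the report's or Black Duck's code) of the passive side of a black-box check: a Python function that inspects HTTP responses an application has already returned and flags five of the classes that appear in the report's Top 10 table (Insufficient Transport Layer Protection, Missing Secure Headers, Frameable Resource, Fingerprinting, and Information Leakage). The two responses, the header heuristics, the leak patterns, and the decision to count a missing Strict-Transport-Security header as a transport-layer issue are all this example's own assumptions and cover only a small subset of what a real scanner checks.

```python
import re

# Constructed sample responses (not real scan output): URL, headers as received, body excerpt.
SAMPLE_RESPONSES = [
    {
        "url": "http://shop.example.test/login",
        "headers": {
            "Server": "Apache/2.4.41 (Ubuntu)",
            "X-Powered-By": "PHP/7.4.3",
            "Content-Type": "text/html; charset=utf-8",
        },
        "body": "<html>... Warning: database connection failed in /var/www/html/db.php on line 12 ...",
    },
    {
        "url": "https://portal.example.test/account",
        "headers": {
            "Server": "nginx",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff",
            "Content-Type": "text/html; charset=utf-8",
        },
        "body": "<html>...</html>",
    },
]

# Constructed patterns suggesting an error message or stack trace leaked into the body.
LEAK_PATTERNS = [
    re.compile(r"\bon line \d+\b"),
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"),
    re.compile(r"ORA-\d{5}"),
]

# A dotted number in Server / X-Powered-By is treated as a version disclosure.
VERSION_RE = re.compile(r"\d+\.\d+")


def audit_response(resp):
    """Return a list of (vulnerability_class, detail) findings for one response.

    Class names follow the report's Top 10 table; the checks are this example's heuristics."""
    findings = []
    headers = {name.lower(): value for name, value in resp["headers"].items()}
    url = resp["url"]

    # Insufficient Transport Layer Protection: plaintext URL, or HTTPS without HSTS (assumption).
    if url.lower().startswith("http://"):
        findings.append(("Insufficient Transport Layer Protection", "served over plaintext HTTP"))
    elif "strict-transport-security" not in headers:
        findings.append(("Insufficient Transport Layer Protection", "missing Strict-Transport-Security"))

    # Missing Secure Headers: two headers every HTML response should carry.
    for name in ("content-security-policy", "x-content-type-options"):
        if name not in headers:
            findings.append(("Missing Secure Headers", "missing " + name))

    # Frameable Resource: neither X-Frame-Options nor a CSP frame-ancestors directive.
    csp = headers.get("content-security-policy", "")
    xfo = headers.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("Frameable Resource", "no X-Frame-Options or frame-ancestors protection"))

    # Fingerprinting: server or framework header that discloses a version number.
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if VERSION_RE.search(value):
            findings.append(("Fingerprinting", name + " discloses version: " + value))

    # Information Leakage: error text or stack-trace fragments in the body (first match only).
    for pattern in LEAK_PATTERNS:
        if pattern.search(resp["body"]):
            findings.append(("Information Leakage", "error detail in body matches " + pattern.pattern))
            break

    return findings


def summarize(responses):
    """Count findings per vulnerability class across all responses, like a scan summary table."""
    counts = {}
    for resp in responses:
        for vuln_class, _ in audit_response(resp):
            counts[vuln_class] = counts.get(vuln_class, 0) + 1
    return counts


if __name__ == "__main__":
    for resp in SAMPLE_RESPONSES:
        print(resp["url"])
        for vuln_class, detail in audit_response(resp):
            print("  ", vuln_class, ":", detail)
    print(summarize(SAMPLE_RESPONSES))
```

Nothing here needs access to source code or a deployment diagram, which is the point of the black-box perspective: the first constructed response is flagged seven times from its headers and body alone, the second, which sends HSTS, a CSP with frame-ancestors, nosniff, and a version-free Server header, produces no findings. Running such a passive audit over a saved crawl is also a cheap way to verify that a remediation (adding headers, suppressing verbose errors) actually reached production.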
DAST in Preproduction and Production

DAST solutions can be integrated into CI/CD pipelines to identify vulnerabilities early, accelerating remediation and reducing the cost of fixes. This approach is particularly valuable for detecting issues that may manifest only in a running application, such as certain types of Injection vulnerabilities or unexpected interactions between services and components. DAST solutions used in production offer additional benefits, especially for organizations dealing with complex, dynamic applications or those in highly regulated industries. This can also provide continuous monitoring, detecting vulnerabilities that may arise due to configuration changes, newly discovered exploits, or changes in the application's runtime environment. It's particularly valuable for identifying issues with third-party components that may become vulnerable over time, and for verifying the effectiveness of patches.

A combination of preproduction and production DAST testing may provide the most comprehensive security coverage for some organizations. The ideal scenario in these cases is implementing extensive preproduction DAST testing, and using production testing as a supplementary measure rather than the primary security strategy. The combination offers benefits including:
- Risk mitigation: Preproduction testing eliminates the risk of unplanned downtime or data corruption in live environments.
- Cost-effectiveness: Fixing vulnerabilities earlier in the development cycle is typically much less expensive than addressing them in production.
- Developer-friendliness: Integration with IDEs and CI/CD pipelines makes security testing a natural part of the development process.
- Compliance: Many regulatory standards prefer or require testing before production deployment.
- Comprehensive testing: Preproduction environments enable more thorough and aggressive testing without fear of impacting users or data.

DAST testing in production can also be beneficial in several scenarios.
- Continuous security validation: It can act as an additional layer of security to catch any issues that might have slipped through preproduction testing.
- Detection of emerging threats: DAST can automatically detect emerging threats.
- Cloud-native applications: It is useful in production environments that may have unique configurations that are difficult to replicate in testing.
- Legacy systems: Production DAST may be more effective in dealing with older applications that lack comprehensive preproduction environments.

The strategic implementation of DAST in both preproduction and production environments offers a balanced approach, allowing for thorough testing without compromising system integrity or user experience. This multifaceted strategy not only enhances vulnerability detection across various stages of the application life cycle but also addresses the unique challenges posed by diverse application architectures, from legacy systems to cloud-native applications. Ultimately, this approach enables organizations to build a more resilient security posture capable of adapting to the evolving threat landscape.

Vulnerability Landscape Analysis

The analysis of over 200,000 DAST scans across approximately 1,300 applications reveals a concerning vulnerability landscape. This section delves into the most prevalent and critical vulnerabilities, their distribution across industries, and their potential impact on business operations.

Top 10 Vulnerability Classes Identified

Vulnerability class (vulnerabilities identified): description

1. Insufficient Transport Layer Protection (30,712): Failure to properly encrypt data in transit, allowing interception and tampering.
2. Missing Secure Headers (22,321): Absence of important HTTP security headers that help protect against various web-based attacks. Examples include X-XSS-Protection, X-Frame-Options, and Content-Security-Policy.
3. Information Leakage (8,097): Unintentional exposure of sensitive information through error messages, comments, or other application responses that can be leveraged by attackers to gain insights into the system's architecture or vulnerabilities.
4. Predictable Resource Location (5,468): Resources or files being stored in locations that can be easily guessed or predicted by attackers, potentially allowing unauthorized access to sensitive information or functionality.
5. Frameable Resource (4,481): A vulnerability in which a web page can be embedded in an iframe on another site, potentially leading to clickjacking attacks. This occurs when the X-Frame-Options header is missing or improperly configured.
6. Vulnerable Library (4,215): The use of third-party libraries or components with known security vulnerabilities, which can introduce weaknesses into the application that uses them.
7. Fingerprinting (3,700): Attackers gaining information about the technology stack, versions, or configurations of a system, which can be used to identify potential vulnerabilities or plan more-targeted attacks.
8. Cross-Site Scripting (2,415): A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to theft of sensitive information or session hijacking.
9. Insufficient Authorization (2,396): Inadequate access controls that allow users to perform actions or access resources beyond their intended privileges, often due to improper implementation of authorization checks.
10. Susceptibility to Brute Force (2,235): An attack method in which attackers systematically attempt many passwords or passphrases with the hope of eventually guessing correctly, often exploiting weak password policies or lack of account lockout mechanisms.

Figure 1. Vulnerability frequency

Our analysis identified a total of 96,917 vulnerabilities. Figure 1 shows the vulnerabilities identified most frequently, and Figure 2 lists the percentage of clients with each vulnerability. Insufficient Transport Layer Protection, the most prevalent issue, exposes organizations to data interception and tampering, potentially leading to data breaches and compliance violations. Missing Secure Headers, the second-most-common vulnerability, leaves applications susceptible to various web-based attacks, undermining overall security posture. Information Leakage and Predictable Resource Location represent significant vulnerabilities that often provide attackers with an easy entr
113、y point into systems.Information Leakage,ranked third with 8,097 identified vulnerabilities,involves the unintentional exposure of sensitive information through error messages,comments,or application responses.This can provide attackers with valuable insights into system architecture or vulnerabilit
114、ies.Predictable Resource Location,fourth with 5,468 vulnerabilities,occurs when resources or files are stored in easily guessable locations,potentially allowing unauthorized access to sensitive information or functionality.Both these vulnerability classes highlight a common issue:the inadvertent dis
115、closure of information that can be leveraged by attackers.These vulnerabilities are particularly concerning because they often result from oversight or inadequate security practices rather than complex technical issues,making them both common,and,at least theoretically,more straightforward to addres
116、s with proper security awareness and protocols.Figure 2.Percentage of clients experiencing one or more of a given vulnerability classVulnerability ClassPercentage of Clients with VulnerabilityMissing Secure Headers97%Insufficient Transport Layer Protection87%Information Leakage66%Frameable Resource6
117、0%Vulnerable Library57%Insufficient Authorization50%Fingerprinting46%Cross-Site Scripting41%Improper Input Handling40%Predictable Resource Location35%BlackD|10Figure 3.Critical-risk and urgent vulnerabilities Vulnerability ClassCritical-Risk VulnerabilitiesUrgent Need of AttentionInsufficient Transp
118、ort Layer Protection4,8822Cross-Site Scripting2,2561Information Leakage510-Cross-Site Request Forgery434-Abuse of Functionality24836HTTP Response Splitting203-Content Spoofing76-Path Traversal73-Insufficient Password Policy Implementation67-Insufficient Process Validation61-Critical-Risk and Urgent
119、VulnerabilitiesAmong the identified vulnerabilities,several stand out as critical-risk or requiring urgent attention.These include Insufficient Transport Layer Protection:(4,882 critical instances),Cross-Site Scripting(2,256 critical instances),and Information Leakage(510 critical instances).The hig
120、h number of critical Insufficient Transport Layer Protection vulnerabilities is particularly alarming,as it indicates widespread exposure to potential data breaches.Cross-Site Scripting vulnerabilities,while fewer in number,pose a significant threat due to their potential for session hijacking and d
121、ata theft.Abuse of Functionality is notable for its high number of critical vulnerabilities in urgent need of attention.Abuse of Functionality vulnerabilities often involve misuse of legitimate features of an application.This means they can be exploited immediately without requiring complex ways to
122、bypass security measures.These vulnerabilities can affect core functionalities of an application,potentially impacting a wide range of users or critical business processes.They can sometimes lead to privilege escalation or access to sensitive data,making them critical to address quickly.BlackD|11Fig
123、ure 4.Alignment with OWASP Top 10 categories and contributing CWEsOWASP CategoryVulnerabilities IdentifiedContributing CWEsA01:2021 Broken Access Control9,954CWE-35,CWE-548,CWE-287,CWE-352,CWE-425,CWE-601,CWE-424A02:2021 Cryptographic Failures30,726CWE-319,CWE-330,CWE-311A03:2021 Injection4,814CWE-9
124、43,CWE-91,CWE-20,CWE-643,CWE-113,CWE-77,CWE-89,CWE-610,CWE-652,CWE-94,CWE-79,CWE-78,CWE-97,CWE-90A04:2021 Insecure Design7,581CWE-799,CWE-840,CWE-525,CWE-1021A05:2021 Security Misconfiguration36,321CWE-497,CWE-550,CWE-209,CWE-611,CWE-525,CWE-200,CWE-703,CWE-202,CWE-693,CWE-16,CWE-1004,CWE-614,CWE-54
125、4A06:2021 Vulnerable and Outdated Components4,215CWE-1104A07:2021 Identification and Authentication Failures1,057CWE-521,CWE-640,CWE-613,CWE-285,CWE-384A08:2021 Software and Data Integrity Failures1,929CWE-345,CWE-451,CWE-148,CWE-829A10:2021 Server-Side Request Forgery1CWE-918A11:2021 Denial-of-Serv
126、ice319CWE-400OWASP Top 10 Category AnalysisAligning our findings with OWASP Top 10 categories provides several insights.A02:2021 Cryptographic Failures/Sensitive Data Exposure:30,726 vulnerabilities,including 4,882 critical-risk instances.This category had the second-highest prevalence per client(86
127、%),indicating widespread issues with adequately protecting sensitive data.Contributing CWEs for this category include CWE-319:This CWE refers to an application transmitting sensitive information in cleartext,which can be intercepted and read by an attacker.CWE-330:This CWE refers to an application u
128、sing predictable values in a context that requires unpredictability,such as random passwords or cryptographic keys.CWE-311:This CWE refers to an application failing to encrypt sensitive data before storage or transmission,leaving it vulnerable to interception or unauthorized access.A03:2021 Injectio
129、n:4,814 vulnerabilities,with 2,491 critical instances and a high prevalence per client(59%).This underscores the persistent threat of Injection attacks across various applications.Contributing CWEs include CWE-943,CWE-91,CWE-20,CWE-643,CWE-113,CWE-77,CWE-89,CWE-610,CWE-652,CWE-94,CWE-79,CWE-78,CWE-9
130、7,and CWE-90.Many of these CWEs are related to attacks in which code,commands,or data is injected into an application,potentially causing the application to execute unintended commands or access data without proper authorization.Injection attacks,such as SQL and Command Injections,rank high in the C
131、WE list of most dangerous vulnerabilities.These CWEs include CWE-91,CWE-77,CWE-89,CWE-94,CWE-79,CWE-78,CWE-97,and CWE-90.BlackD|12Other CWEs contributing to the Injection category include CWE-610,CWE-652,CWE-643,and CWE-943,all related to improper neutralization of data or special elements,which can
132、 lead to unintended behavior.A05:2021 Security Misconfiguration:36,321 vulnerabilities identified,with the highest prevalence per client(98%).The bulk(84%)of the identified security misconfiguration vulns were termed“informational”vulnerabilities by Black Duck experts.That is,the configuration has p
133、otential to disclose sensitive information but does not pose a specific security risk to the environment,host,or application.However,this information can include such details as installed software,open ports,and general information about a system and how it operates,possibly opening a doorway to exp
134、loit.At a minimum,organizations should be aware of the existence of these proto vulnerabilities to make an informed decision on whether configuration changes should be made to strengthen security.Industry-Specific Vulnerability TrendsThe vulnerability landscape varies significantly across industries
Finance and Insurance had the highest number of critical vulnerabilities (1,299), indicating substantial risk in this highly regulated sector.
Healthcare and Social Assistance was the second-highest, with 992 critical vulnerabilities, raising concerns about patient data protection and regulatory compliance.
Information Services had a total of 446 critical vulnerabilities, highlighting the need for robust security in data-centric industries.

Notably, small- and medium-complexity sites tended to have more critical vulnerabilities than larger sites, particularly in the Finance and Insurance sector. This trend suggests that organizations may be underestimating the security needs of smaller sites or less complex applications.

The implications of these findings are significant. For the Finance and Insurance sector, the high number of critical vulnerabilities could lead to financial losses, regulatory penalties, and reputational damage. In Healthcare, vulnerabilities could compromise patient data, violating HIPAA and other regulations. Information Services companies face risks of data breaches that could undermine client trust and business operations. The prevalence of basic security issues like Insufficient Transport Layer Protection across industries indicates a need for fundamental improvements in security practices. Organizations should prioritize addressing these vulnerabilities to protect sensitive data, maintain regulatory compliance, and safeguard their operations and reputation.

Figure 5 shows that small sites often had the highest number of critical vulnerabilities and varied widely in closure times. Medium-sized sites frequently had moderate to high vulnerability counts with variable closure times. Large sites generally had fewer critical vulnerabilities and often closed them faster.

Figure 5. Critical vulnerabilities identified and time-to-close by industry site complexity (where the vulnerability count and the days-to-close ran together in the extracted text, the digits are left as extracted; the Finance and Insurance, Healthcare and Social Assistance, and Information Services rows are separated because their totals match the 1,299, 992, and 446 given above)

Industry | Site Complexity | Critical Vulnerabilities / Time-to-Close Critical Vulnerabilities (days)
Agriculture, Forestry, Fishing and Hunting | Small | 2 / -
Agriculture, Forestry, Fishing and Hunting | Medium | 0
Agriculture, Forestry, Fishing and Hunting | Large | 0
Mining/Quarrying, and Oil/Gas Extraction | Small | 0
Mining/Quarrying, and Oil/Gas Extraction | Medium | 0
Mining/Quarrying, and Oil/Gas Extraction | Large | 0
Construction | Small | 3234
Construction | Medium | 2150
Construction | Large | 1 / -
Wholesale Trade | Small | 1120
Wholesale Trade | Medium | 11
Wholesale Trade | Large | 0
Real Estate Rental and Leasing | Small | 27413
Real Estate Rental and Leasing | Medium | 4158
Real Estate Rental and Leasing | Large | 71
Management of Companies and Enterprises | Small | 2397
Management of Companies and Enterprises | Medium | 29
Management of Companies and Enterprises | Large | 0 / -
Manufacturing | Small | 6614
Manufacturing | Medium | 22248
Manufacturing | Large | 2 / -
Administrative Support and Waste Management | Small | 35
Administrative Support and Waste Management | Medium | 0 / -
Administrative Support and Waste Management | Large | 1 / -
Accommodation and Food Services | Small | 301
Accommodation and Food Services | Medium | 331
Accommodation and Food Services | Large | 51
Arts, Entertainment, and Recreation | Small | 6234
Arts, Entertainment, and Recreation | Medium | 8730
Arts, Entertainment, and Recreation | Large | 1563
Educational Services | Small | 72342
Educational Services | Medium | 35111
Educational Services | Large | 691
Finance and Insurance | Small | 565 / 28
Finance and Insurance | Medium | 580 / 53
Finance and Insurance | Large | 154 / 78
Healthcare and Social Assistance | Small | 367 / 87
Healthcare and Social Assistance | Medium | 486 / 30
Healthcare and Social Assistance | Large | 139 / 20
Information Services | Small | 235 / 132
Information Services | Medium | 140 / 37
Information Services | Large | 71 / 111
Other Services | Small | 6538
Other Services | Medium | 5487
Other Services | Large | 443
Professional, Scientific, and Technical Services | Small | 12490
Professional, Scientific, and Technical Services | Medium | 9436
Professional, Scientific, and Technical Services | Large | 12240
Public Administration | Small | 152
Public Administration | Medium | 402
Public Administration | Large | 129
Retail Trade | Small | 34163
Retail Trade | Medium | 2917
Retail Trade | Large | 61
Transportation and Warehousing | Small | 211
Transportation and Warehousing | Medium | 4713
Transportation and Warehousing | Large | 3221
Utilities | Small | 28107
Utilities | Medium | 23876
Utilities | Large | 41

DAST
Runtime Analysis: DAST excels at identifying vulnerabilities that manifest only when the application is running. This includes issues that depend on the application's runtime behavior, such as reflected and DOM-based Cross-Site Scripting vulnerabilities.
Black-Box Real-World Attack Simulation: DAST simulates real-world attacks by interacting with the application as an external attacker would. This uncovers vulnerabilities that static analysis might miss, such as SQL Injection vulnerabilities that arise from dynamic query construction or complex application logic.
Detection of Complex Injection Vulnerabilities: While SAST can detect many Injection vulnerabilities, DAST is particularly effective at identifying those that depend on runtime conditions. For example, DAST can more effectively detect LDAP Injection vulnerabilities by interacting with the application and observing its responses.
Verification of Exploitability: DAST can confirm whether vulnerabilities identified by SCA in third-party components are exposed and exploitable in the running application.
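The runtime checks just described, as an added example that is not Black Duck's scanner code: a small Python audit that inspects a single HTTP response (constructed inline, with a made-up host, cookie and body) and labels what it finds with the vulnerability class names from Figure 1, so that, for instance, a missing or misconfigured X-Frame-Options header is reported as a Frameable Resource the way the report counts it. The header names and the stack-trace and comment patterns are ordinary web-security conventions, not the report's detection rules.

```python
"""Added example (not Black Duck's scanner): a minimal DAST-style check that
inspects one HTTP response as a dynamic scanner would and labels what it finds
with the vulnerability class names from Figure 1. Nothing is sent anywhere."""
import re
from typing import Dict, List, Tuple

# Vulnerability class names as they appear in the report.
ITLP = "Insufficient Transport Layer Protection"
MISSING_HEADERS = "Missing Secure Headers"
FRAMEABLE = "Frameable Resource"
FINGERPRINTING = "Fingerprinting"
INFO_LEAKAGE = "Information Leakage"


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 response into (status, headers, body); header
    names are lower-cased and repeated headers (Set-Cookie) kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def audit_response(url: str, raw: str) -> List[Tuple[str, str]]:
    """Return sorted (vulnerability class, evidence) findings for one response."""
    _, headers, body = parse_response(raw)
    findings: List[Tuple[str, str]] = []

    def first(name: str) -> str:
        return headers.get(name, [""])[0]

    # Insufficient Transport Layer Protection: cleartext delivery, no HSTS,
    # or a cookie that the browser would also send over plain HTTP.
    if url.lower().startswith("http://"):
        findings.append((ITLP, "resource served over cleartext HTTP"))
    else:
        if "strict-transport-security" not in headers:
            findings.append((ITLP, "Strict-Transport-Security header absent"))
        for cookie in headers.get("set-cookie", []):
            attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
            if "secure" not in attrs:
                findings.append((ITLP, f"cookie without Secure flag: {cookie.split('=', 1)[0]}"))

    # Missing Secure Headers: CSP (named in Figure 1) and X-Content-Type-Options.
    csp = first("content-security-policy")
    if not csp:
        findings.append((MISSING_HEADERS, "Content-Security-Policy absent"))
    if first("x-content-type-options").lower() != "nosniff":
        findings.append((MISSING_HEADERS, "X-Content-Type-Options: nosniff absent"))

    # Frameable Resource: X-Frame-Options missing (with no CSP frame-ancestors
    # directive to fall back on) or improperly configured.
    xfo = first("x-frame-options").upper()
    if not xfo and "frame-ancestors" not in csp.lower():
        findings.append((FRAMEABLE, "no X-Frame-Options and no CSP frame-ancestors"))
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append((FRAMEABLE, f"X-Frame-Options has unsupported value {xfo!r}"))

    # Fingerprinting: product version strings in Server or X-Powered-By.
    for header in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", first(header)):
            findings.append((FINGERPRINTING, f"{header} discloses version: {first(header)}"))

    # Information Leakage: stack traces or developer comments in the body.
    if re.search(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)", body):
        findings.append((INFO_LEAKAGE, "stack trace in response body"))
    for comment in re.findall(r"<!--(.*?)-->", body, re.S):
        if re.search(r"\b(todo|debug|password|internal)\b", comment, re.I):
            findings.append((INFO_LEAKAGE, "sensitive developer comment in HTML"))
    return sorted(findings)


# Constructed sample responses (not real scan data) for a before/after run.
SAMPLE_URL = "https://shop.example.test/account"
WEAK_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "X-Frame-Options: ALLOWALL\r\n\r\n"
    "<html><!-- TODO: remove debug output before launch -->\n"
    "<pre>Traceback (most recent call last):\n"
    '  File "app.py", line 12, in checkout</pre></html>'
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n"
    "<html><body>Account page</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, *[f"  {c}: {e}" for c, e in audit_response(SAMPLE_URL, raw)], sep="\n")
```

The weak response yields nine findings across all five classes; the hardened one yields none unless it is fetched over cleartext HTTP, in which case only Insufficient Transport Layer Protection is reported.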
Continuous Monitoring: DAST can be implemented as a continuous process in production environments, allowing for real-time detection of newly introduced vulnerabilities. This continuous monitoring is crucial for identifying issues in third-party components that may become vulnerable over time, and for verifying the effectiveness of patches in the running application.
Comprehensive Coverage of Web-Based Attacks: DAST can detect a wide range of web-based vulnerabilities, including Insufficient Transport Layer Protection, Missing Secure Headers, Information Leakage, and more. This comprehensive coverage helps ensure that applications are protected against a variety of attack vectors.

SAST
Early Detection: SAST can catch potential coding weaknesses early in the development process, before the application is in a running state.
Code-Level Analysis: SAST can identify issues like Improper Output Encoding, which can lead to vulnerabilities such as Cross-Site Scripting.
Comprehensive Code Coverage: SAST can analyze the entire codebase, including parts that might not be easily accessible during runtime testing.
Identification of Certain Injection Vulnerabilities: While DAST is often more effective for runtime-specific Injection issues, SAST can detect many instances of SQL Injection vulnerabilities, especially those that are apparent in the source code.
Detection of Coding Flaws: SAST is particularly good at identifying coding errors that could lead to security vulnerabilities.
Secure Coding Practices: SAST can help enforce secure coding standards and best practices by identifying deviations from these standards early in the development process.
Cost-Effective for Early Fixes: By identifying issues early in the development cycle, SAST allows for more cost-effective remediation of vulnerabilities.

The Interplay of DAST, SAST, and SCA

In today's complex cybersecurity landscape, a comprehensive approach to application security is crucial. This section explores the interplay between DAST, SAST, and SCA, highlighting how these methodologies complement each other to provide robust security coverage.

Comparative Strengths in Detecting Specific Vulnerabilities

SCA
Identification of Known Vulnerabilities: SCA excels at identifying known vulnerabilities in third-party libraries and open source components. By cross-referencing the components used in an application against databases of known vulnerabilities, SCA can quickly highlight potential risks.
Risk Prioritization: SCA tools often include risk-scoring mechanisms that help prioritize vulnerabilities based on their severity and potential impact. This allows organizations to focus their remediation efforts on the most critical issues first.
Detailed Inventory of Dependencies: SCA provides a comprehensive inventory of all third-party components and the versions used within an application. This detailed inventory helps organizations understand their dependency landscape and manage it effectively.
Early Detection of Vulnerable and Outdated Components: SCA is particularly effective at identifying components that are outdated or no longer maintained.
License Compliance: Beyond security vulnerabilities, SCA also helps with the management of legal risks by identifying the licenses of third-party components. This ensures that organizations comply with the licensing terms of the open source software they use.
Early Detection in the Development Cycle: SCA can be integrated early in the development process, allowing developers to identify and address vulnerabilities in third-party components before they become part of the production environment. This early detection helps reduce the overall risk and cost associated with fixing vulnerabilities later in the life cycle.
Continuous Monitoring: SCA tools can continuously monitor third-party components and alert organizations to new vulnerabilities as they are discovered. This ensures that applications remain secure over time, even as new threats emerge.

Best Practices for Integrating DAST, SAST, and SCA
Use SAST and SCA early and often in the development process to catch potential coding weaknesses or vulnerabilities introduced by third-party software.
Implement DAST to test applications in preproduction environments and identify vulnerabilities that may only be apparent during execution.
Prioritize vulnerabilities based on their criticality and exploitability in the running application.

While each methodology has its strengths, their true power lies in their combined use. This comprehensive approach is essential for addressing the complex security challenges revealed in our analysis.

Synergies Between Testing Methodologies

SAST + DAST: For Cross-Site Scripting, SAST identifies Improper Output Encoding, while DAST catches runtime-specific instances. For SQL Injection (example: CWE-89), SAST detects obvious vulnerabilities, while DAST identifies runtime-dependent issues.

DAST + SCA: SCA identifies potential vulnerabilities in components, while DAST verifies their exploitability in the running application. DAST provides continuous monitoring in production, complementing SCA's static analysis. DAST can also verify the effectiveness of patches identified by SCA in the actual runtime environment.

SCA + SAST: SCA detects known vulnerabilities in open source and third-party libraries, while SAST evaluates the source code, bytecode, or binary code of an application for vulnerabilities without the need for execution.

Conclusion

The findings from our 2023-24 DAST analysis of 1,300 applications, systems, and servers across a wide spectrum of industry sectors reveal a pressing need for organizations to enhance their application security strategies. A total of 96,917 vulnerabilities were identified, with critical categories such as Sensitive Data Exposure and Injection vulnerabilities posing significant risks across various industries. The prevalence of these vulnerabilities (30,726 instances of Sensitive Data Exposure and 4,814 instances of Injection vulnerabilities alone) underscores the urgent need for organizations to prioritize their security efforts.

DAST is not a "silver bullet" that will solve all web application security issues; however, DAST plays a crucial role in a comprehensive security program that also includes SAST and SCA as fundamental pillars. While SAST is effective at identifying coding flaws early in the development process, and SCA provides valuable insights into third-party components, DAST excels at detecting runtime vulnerabilities and verifying the exploitability of identified issues. The interplay between these methodologies allows organizations to achieve a more holistic view of their security posture, addressing vulnerabilities that may otherwise go unnoticed.

In preproduction and development environments, DAST solutions can be integrated into CI/CD pipelines to identify vulnerabilities early, accelerating remediation and reducing the cost of fixes. This approach is particularly valuable for detecting issues that may manifest only in a running application, such as certain types of Injection vulnerabilities or unexpected interactions between services and components.

DAST used in production offers additional benefits, especially for organizations dealing with complex, dynamic applications or those in highly regulated industries. Production DAST can provide continuous monitoring, detecting vulnerabilities that arise from configuration changes, newly discovered exploits, or changes in the application's runtime environment. It is particularly valuable for identifying issues with third-party components that may become vulnerable over time, and for verifying the effectiveness of patches in the actual production environment.

As organizations face an increasingly complex threat landscape, it is imperative that they adopt a multifaceted approach to application security. This includes integrating DAST, SAST, and SCA into their development and deployment processes. By doing so, organizations can identify and remediate vulnerabilities more effectively, as well as ensure compliance with regulatory requirements while maintaining customer trust. This report's findings make it crystal clear that organizations in every industry need to take proactive steps to enhance their security posture. By implementing these measures, organizations can significantly reduce their risk exposure and better protect their sensitive data and critical systems from emerging threats.

About Black Duck

Black Duck offers the most comprehensive, powerful, and trusted portfolio of application security solutions in the industry. We have an unmatched track record of helping organizations around the world secure their software quickly, integrate security efficiently in their development environments, and safely innovate with new technologies. As the recognized leaders, experts, and innovators in software security, Black Duck has everything you need to build trust in your software. Learn more at .

© 2024 Black Duck Software, Inc. All rights reserved. Black Duck is a trademark of Black Duck Software, Inc. in the United States and other countries. All other names mentioned herein are trademarks or registered trademarks of their respective owners. October 2024
213、ogies.As the recognized leaders,experts,and innovators in software security,Black Duck has everything you need to build trust in your software.Learn more at .2024 Black Duck Software,Inc.All rights reserved.Black Duck is a trademark of Black Duck Software,Inc.in the United States and other countries.All other names mentioned herein are trademarks or registered trademarks of their respective owners.October 2024About Black D|18