Fortify's core mission is to enable organizations to deliver secure software, and research is at the heart of that mission. To achieve it, the Software Security Research team focuses on three goals:
Superior Detection
Enabling the Fortify suite of tools with accurate detection of the most severe vulnerabilities across the widest footprint of languages, frameworks, and systems.
Accelerating Remediation
Arming developers with actionable guidance and clear, context sensitive remediation advice that allows them to efficiently neutralize security issues in their applications.
Tip of the Spear
Leading the software security industry with world-class research that builds upon existing work while exploring new vulnerability frontiers.
When it comes to data to research each year for the AppSec Risk Report, Fortify has a massive insight advantage with Fortify on Demand (FoD).
The Fortify on Demand (FoD) platform draws on anonymized and sanitized vulnerability data from 11,000 web applications and 700 mobile applications, collected over the course of a year (between October 31, 2017 and October 31, 2018).
This year's Application Security Risk Report is once again loaded with valuable insight and metrics that you don't want to miss. In the meantime, here are some of the key takeaways to hold you over until you can crack open a beer or two and dive into the report yourself.
As a fraction of the population, criticality is on the decline:
- High-severity issues are at the lowest level in four years at 26% (compared to 31% in 2017 and 40% in 2016)
- Medium-severity issues increased to 59% (compared to 48% in 2009)
- Low-severity vulnerabilities increased to 15% in 2018 (compared to 5% in 2009)
Different weaknesses reach new peaks in different years:
- Code execution (2018)
- XSS (2018)
- Bypass (2018)
- CSRF (2018)
- DDoS (2017)
- Overflow (2017)
- Directory Traversal (2017)
- Memory Corruption (2015)
- Gain information (2014)
- SQL Injection (2008)
- File inclusion (2006)
Severe weaknesses prevalent in majority of applications
50-60% of applications consistently suffer from Input Validation and Representation flaws.
4 out of 5 tested applications had at least one critical or high severity issue.
Industry standards and legislation provide incomplete security coverage
Specific standards may not provide complete coverage of weaknesses. Sixty-one percent of applications had at least one Critical or High issue NOT covered by the OWASP Top 10.
Compliance blind spots increase: issues not covered by regulatory mapping were up year over year (YOY).
Critical and High issues NOT covered by the OWASP Top 10 were up 12% YOY.
Open source blind spots increased
Among the top movers in applications with vulnerabilities mapped to the OWASP Top 10:
A9 (Using Components with Known Vulnerabilities) had a significant 16% increase.
Critical vulnerabilities were up 22% YOY in referenced components.
87% of the applications inherit a critical severity vulnerability from referenced components, up by 22% since 2017.
This is part of a blog series pulling out some of the insights from The 2019 Application Security Risk Report. Part one highlighted the 2019 AppSec Risk Report Key Takeaways and part two discussed publicly-disclosed security issues reaching the highest level ever recorded. Part three pointed out that research shows that severe weaknesses are prevalent in a majority of applications. Part four discusses how the research shows reliance on open source components can be risky. Check out the blogs and the report and share your feedback below.
About Micro Focus Fortify
Fortify offers end-to-end application security solutions with the flexibility of testing on-premises and on-demand to cover the entire software development lifecycle. Complete software security assurance with Fortify on Demand, our application security as a service, integrates static, dynamic and mobile AppSec testing with continuous monitoring for web apps in production.