Black Duck’s ‘2024 Software Vulnerability Snapshot’ Highlights High-Risk Sectors
Finance and Insurance Sectors Found to Have the Highest Number of Critical Vulnerabilities
Black Duck® Software, Inc. has announced the publication of the “2024 Software Vulnerability Snapshot” report highlighting various industries’ unique challenges and approaches to addressing software vulnerabilities. The report, which analyses data from over 200,000 dynamic application security testing (DAST) scans conducted by Black Duck on approximately 1,300 applications across 19 industry sectors from June 2023 to June 2024, found significant variations in vulnerability types and remediation practices.
The findings of the 2024 Software Vulnerability Snapshot provide insights into the current state of security for web-based applications and systems and the potential impact of security vulnerabilities on business operations in high-risk sectors such as Finance, Insurance, and Healthcare. Notably, the report identified that the Finance and Insurance sector had the highest number of critical vulnerabilities (1,299), and the Healthcare and Social Assistance sector had the second-highest (992) within the data set.
2024 Software Vulnerability Snapshot Finds Alarming Trends
Of the 96,917 total vulnerabilities identified, the two most critical categories identified by the 2024 Software Vulnerability Snapshot were cryptographic failures (weaknesses in how an application secures sensitive information), with over 30,000 instances, and injection vulnerabilities (when malicious code tricks an application into executing unintended actions or accessing data without proper authorisation), with just over 4,800 instances. Both pose significant threats to data across all industries, and potential breaches could lead to the theft of personally identifiable information (PII), financial data, and medical records, resulting in severe financial losses and reputational damage.
Additionally, the 2024 Software Vulnerability Snapshot found that there is no one-size-fits-all timeline for remediation. Mean time to remediate (MTTR) varies significantly across industries: stringent regulation pushes Finance and Insurance to move more quickly (28 days for smaller/lower complexity web assets), whereas the Utilities sector had the longest time to close (107 days for smaller/lower complexity web assets). This is likely due to the sector operating on legacy systems that are difficult to patch and update.
Operational disruptions pose a large business risk, no matter the industry. The research found that widespread security misconfigurations (98% of applications affected) threaten business continuity and service availability.
“The high number of vulnerabilities found from the past year is a clear wake-up call that businesses cannot remain stagnant when deploying new security measures,” said Jason Schmitt, CEO at Black Duck. “The longer it takes for an organisation to patch a vulnerability, the larger the chance of exploitation. Software risk equates to business risk, and with today’s malicious actors being more sophisticated than ever, it’s increasingly important that businesses across every sector build trust in their software by implementing a comprehensive and integrated approach.”
To learn more, download a copy of the “2024 Software Vulnerability Snapshot” report, read the detailed blog post, or register for the upcoming November 26 webinar.