scroll it

State of Vulnerabilities Report Uncovers Spike in Severity, Progress in Remediation

0% read

2024 report includes industry-by-industry breakdown and analysis of vulnerabilities 

REDWOOD CITY, Calif., June 20, 2024 — Synack, the premier security testing platform, today released its second annual State of Vulnerabilities report, which combines hundreds of thousands of hours of penetration testing and an analysis of over 14,000 exploitable vulnerabilities to give a direct look at severity, volume and remediation trends of software flaws across industries.

“Understanding your attack surface and how successful exploitation of vulnerabilities could impact your organization is crucial to making smart security and business decisions,” said Jay Kaplan, CEO and co-founder of Synack. “We’re proud to release Synack’s second annual State of Vulnerabilities Report to help organizations in the healthcare, financial services, federal government, technology and manufacturing sectors understand what vulnerabilities they’re up against and how they can stay one step ahead of attackers. We’re seeing a lot of reasons to be optimistic, but that doesn’t mean the threat is diminishing.”

Critical-severity vulnerabilities rise, but remediation times improve

The Synack Red Team (SRT), a community of the world’s most trusted and skilled ethical hackers, discovered that across industries, customers experienced a higher share of critical-severity vulnerabilities in 2023 than in 2022, and a slight reduction in high-severity vulnerabilities. Despite mounting pressures on security teams, the organizations reduced their mean time to remediation for critical-severity vulnerabilities by 24 days and high-severity vulnerabilities by 18 days, down to 56 and 74 days, respectively. 

However, the report identified the same categories of vulnerabilities persisting year after year, indicating increased threats surrounding injection flaws, which were highlighted in a recent Secure by Design Alert by the Cybersecurity and Infrastructure Security Agency. The healthcare and technology sectors both saw an increase in SQL injections, and injection flaws including XSS accounted for roughly a third of all vulnerabilities Synack discovered in 2023.

Industry-by-industry breakdown

Synack’s report reveals key findings for top-ranking vulnerabilities and remediation times for the healthcare, financial services, federal government, technology and manufacturing sectors. 

Below are some key trends identified when looking at across the five industries:

  • On average, healthcare companies had more than 5,400 subdomains, 1,500 web applications and 1,400 IP addresses publicly exposed – the biggest attack surface of any industry vertical reviewed. 
  • Of vulnerabilities found, nearly 1,900 were SQL injections rating as critical or high-severity. 
  • Injection flaws magnified sectors’ security strengths and weaknesses. On average, financial services companies took 53 days to remediate SQL injection vulnerabilities, technology companies remediated them in 57 days and healthcare companies took just 45 days for remediation.

The report draws on data from security assessments carried out on Synack’s global customer base and aligns with vulnerability categories in the OWASP Top 10 standard awareness document. The 1,500+ members of the SRT collectively spent over 27,000 days testing Synack customer assets last year, including cloud, application programming interface, AI large language model (LLM), web application, host infrastructure and mobile attack surfaces.

To read the full report, please visit: