REDWOOD CITY, Calif., April 25, 2023 — Synack, the premier security testing platform, today released its inaugural State of Vulnerabilities report highlighting the top three software flaws found by the company’s global network of elite security researchers.
The findings are based on a record 14,800 exploitable vulnerabilities uncovered in 2022 by the Synack Red Team (SRT), a community of the world’s most trusted and skilled ethical hackers.
Broken access control issues posed the most common risk to Synack customers last year, making up 39% of all vulnerabilities discovered during pentesting engagements, according to the report. Injection flaws – including cross-site scripting (XSS) and SQL injection – came in second, as researchers routinely found ways past perimeter defenses such as web application firewalls to reach the underlying application logic. The third most common category, identification and authentication failures, accounted for 6% of all accepted SRT submissions.
“Organizations are struggling to secure their attack surfaces as adversaries find increasingly creative ways to exploit well-known vulnerabilities,” said Synack CEO and co-founder Jay Kaplan. “Our first-ever State of Vulnerabilities report underscores the importance of continuous security testing to fix these gaps and address their root causes before they lead to a costly breach.”
The report draws on data from security assessments carried out across Synack’s global customer base, with each finding mapped to a vulnerability category in the OWASP Top 10 standard awareness document. The 1,500+ members of the SRT collectively spent 35,700 days testing Synack customer assets last year, covering cloud, application programming interface (API), web application, host infrastructure and mobile attack surfaces.
Other takeaways from the report:
- 40% of vulnerabilities found in 2022 were rated “high” or “critical” in severity under the Common Vulnerability Scoring System (CVSS)
- XSS vulnerabilities fell by 44% from 2021 to 2022 as organizations deployed more effective defensive techniques
- Exploitable API vulnerabilities have emerged as a fast-growing risk
To read the full report, please visit the State of Vulnerabilities 2023 report page on Synack’s website.
Synack’s premier on-demand security testing platform harnesses a talented, vetted community of security researchers and smart technology to deliver continuous penetration testing and vulnerability management, with actionable results. We are committed to making the world more secure by closing the cybersecurity skills gap, giving organizations on-demand access to the most trusted security researchers in the world. Headquartered in Silicon Valley with regional teams around the world, Synack protects federal agencies, DoD classified assets and a growing list of Global 2000 customers.