Software Vulnerability Snapshot Report Findings

The 2024 analysis identified a total of 96,917 vulnerabilities, with several critical issues standing out.

• Cryptographic Failures (Sensitive Data Exposure): This category accounted for 30,726 vulnerabilities, including 4,882 critical-risk instances. Affecting 86% of clients, it represents one of the most common and serious security issues across industries.
• Injection Vulnerabilities: 4,814 vulnerabilities were found in this category, with over half of those (2,491) critical instances. Injection vulnerabilities, which include SQL Injection and Cross-Site Scripting (XSS), pose significant security threats due to their potential for data theft and system compromise.
• Security Misconfigurations: This vulnerability category affected 98% of the clients scanned, with over 36,000 vulnerabilities identified. While many of those vulnerabilities were classified as “informational” by Black Duck experts (that is, no immediate action was indicated), they still represent potential security risks.

Black Duck uses a proprietary metric to rank the relative “site complexity” of web applications assessed by Continuous Dynamic. Applications with less complexity may have minimal interactivity and a simple crawl tree—that is, a straightforward structure of URLs. Higher-complexity applications may have many interactive elements and dynamically generated content. Sites are ranked as small, medium, and large based on the complexity of the applications they contain.

In the scans detailed in the “2024 Software Vulnerability Snapshot” report, small- and medium-complexity sites tended to have more critical vulnerabilities than larger-complexity sites, particularly in the Finance and Insurance sector. This metric suggests that many organizations are underestimating the security needs of sites containing fewer complex applications. Breaking down the numbers

• Finance and Insurance: This sector had the highest number of critical vulnerabilities (1,299), indicating substantial risk in this highly regulated sector.
• Healthcare and Social Assistance: This sector followed closely with 992 critical vulnerabilities, raising concerns about patient data protection and regulatory compliance.
• Information Services: This sector recorded 446 critical vulnerabilities, highlighting the need for robust security in data-centric industries.

The report also revealed significant variations in vulnerability remediation times across industries.

• Utilities: Organizations in this sector had the longest time-to-close for critical vulnerabilities, with smaller-complexity sites taking 107 days and medium-complexity sites taking 876 days on average.
• Educational Services: This sector also showed extended closure times, with small-complexity sites taking 342 days and medium-complexity sites taking 111 days.
• Finance and Insurance: This sector demonstrated faster response times, closing critical vulnerabilities in 28 days for small-complexity sites, 53 days for medium-complexity sites, and 78 days for larger-complexity sites.
• Healthcare and Social Assistance: This sector showed improvement in larger-complexity sites. Scan revealed closure times of 87 days for small-complexity sites, 30 days for medium-complexity sites, and 20 days for larger-complexity sites.

These variations highlight the impact of resource allocation and regulatory pressures on security initiatives across different sectors. it.