What We Learned from Our Vulnerabilities Benchmark Report
We published our first “Vulnerabilities Benchmark Report” (download it here) last week, a synthesis of anonymized data from tens of thousands of students on our training platform, representing hundreds of companies across multiple industries. While developing the report, we were stunned by some of our findings.
One example is the fact that injection vulnerabilities have been either #1 or #2 on the OWASP Top 10 for 14 years. When we dug into why that statistic has stayed unchanged for so long, it made a lot more sense: injection vulnerabilities are the ones most often fixed incorrectly. A typical wrong fix blocks the specific payload a tester used (a keyword blacklist or ad hoc escaping) instead of removing the root cause, an unparameterized query. So while development and QA teams may believe they have taken care of a weakness once it is initially flagged and the original test case passes, the reality may be different.
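To make “fixed incorrectly” concrete, here is an added example (not code from the report or from the training platform) showing the three stages in Python against an in-memory SQLite table: the original flaw, a blacklist “fix” that passes the tester’s uppercase payload but falls to a lowercase one, and the parameterized query that actually removes the flaw. The table, the rows and the payloads are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a two-row user table in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


# Stage 1: the original injection flaw. User input is concatenated into SQL.
def lookup_vulnerable(conn, name):
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# Stage 2: the "fix" that is usually shipped. A case-sensitive blacklist of the
# tokens seen in the original bug report. The tester's payload is now rejected,
# so the ticket gets closed, but the query is still built by concatenation.
BLOCKED_TOKENS = ("UNION", " OR ", "--", ";")


def lookup_blacklist(conn, name):
    if any(token in name for token in BLOCKED_TOKENS):
        raise ValueError("suspicious input rejected")
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# Stage 3: the real fix. The value is bound as a parameter, so the database
# never interprets it as SQL no matter what it contains.
def lookup_parameterized(conn, name):
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payloads: the one QA recorded, and the same logic in lowercase.
# SQL keywords are case-insensitive, the blacklist is not.
QA_PAYLOAD = "x' OR '1'='1"
BYPASS_PAYLOAD = "x' or '1'='1"


def blacklist_rejects(conn, payload):
    """True if the blacklist version refuses the payload (what QA's retest checks)."""
    try:
        lookup_blacklist(conn, payload)
    except ValueError:
        return True
    return False


def demo():
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, QA_PAYLOAD)),
        "qa_retest_passes": blacklist_rejects(conn, QA_PAYLOAD),
        "blacklist_bypass_rows": len(lookup_blacklist(conn, BYPASS_PAYLOAD)),
        "parameterized_rows": len(lookup_parameterized(conn, BYPASS_PAYLOAD)),
        "parameterized_real_user": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The retest that closes the ticket (`qa_retest_passes`) succeeds, yet the lowercase payload still dumps every row through the “fixed” function; only the parameterized version returns nothing for either payload while still finding a real user. A retest that reuses the original payload verbatim cannot distinguish these two fixes, which is one reason the weakness keeps reappearing.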
Another startling discovery is that the most problematic vulnerability reported by our customers is the use of components with known vulnerabilities. It seems counterintuitive that companies would keep using software components they know are vulnerable. When we look at the realities of the contemporary development lifecycle, however, it starts to make sense: most of an application’s code is third-party and pulled in transitively, teams frequently lack an accurate inventory of the versions they ship, and an upgrade has to compete with feature work for a release slot. That is why it is a problem, and why it could remain one for a while.