What We Learned from Our Vulnerabilities Benchmark Report

4 min readMar 11, 2021

We published our first “Vulnerabilities Benchmark Report” (download it here) last week, a synthesis of anonymous data from tens of thousands of students on our training platform, representing hundreds of companies across multiple industries. During the process of developing the report, we were stunned by some of our findings.

One example is the fact that injection vulnerabilities have been either #1 or #2 on the OWASP Top 10 for 14 years! When we dug into the reasons why the statistic has remained unchanged for as long as it has, it made a lot more sense. Injection vulnerabilities are the ones that are most often fixed incorrectly. So while development and QA teams may think that they’ve taken care of a weakness in their software after it’s initially flagged, the reality may be different.

Another startling discovery we made is that the most problematic vulnerability reported by our customers is the use of components with known vulnerabilities. It seems counterintuitive that companies would continue to use software components that they know have vulnerabilities. When we delve into the realities of the contemporary development lifecycle, however, we begin to understand why it’s a problem, and why it could remain an issue for a while.

Development teams are under increasing pressure to deliver more code, more quickly, than ever before. A Dimensional Research report titled “The Emergence of Big Code” states that over 50% of developers surveyed say that today, they have to work with 100x the volume of code that they had to work with ten years ago, and 90% of them report that they are under pressure to release code faster than ever before. Using open source or third party code components is a common solution to the problem of doing more with less time. Since this demand is unlikely to change (and likely will get worse), the use of pre-packaged code will likely persist.

The problems associated with shorter software development lifecycles can manifest themselves in numerous ways. For the developers behind open source and third party components, it could mean delays in developing and releasing patches to fix vulnerabilities because they’re focused on their roadmap. For the programmers who rely on these components, it may mean being slow to implement the patches…

What We Learned from Our Vulnerabilities Benchmark Report

Written by Jared Ablon

More from Jared Ablon

How to Add Automation into a Secure SDLC (DevSecOps)

How to Add Automated Operations into a Seamless Secure Coding Practices Workflow

How to prevent SQL Injection vulnerabilities: How Prepared Statements Work

Read the full post here: https://blog.hackedu.com/how-to-prevent-sql-injection-vulnerabilities-how-prepared-statements-w

What Are Security Champion Responsibilities

Your company has decided to add security champions to improve your overall security postures, and you’ve chosen great candidates to take…

Secure Code Review Best Practices

Originally posted here: https://blog.hackedu.com/secure-code-review-best-practices

Recommended from Medium

22.6k+ GitHub Stars Note-Taking App Hit by XSS Vulnerability

CVE-2023–3067: Stored Cross Site Scripting Vulnerability on renowned note-taking thick client app Trillium

The ChatGPT Hype Is Over — Now Watch How Google Will Kill ChatGPT.

It never happens instantly. The business game is longer than you know.

Lists

General Coding Knowledge

Stories to Help You Grow as a Software Developer

Leadership

It's never too late or early to start something

Mastering Reconnaissance with Project Discovery

Dissect your target during reconnaissance with Project Discovery

The Architecture of a Modern Startup

Hype wave, pragmatic evidence vs the need to move fast

10 Seconds That Ended My 20 Year Marriage

It’s August in Northern Virginia, hot and humid. I still haven’t showered from my morning trail run. I’m wearing my stay-at-home mom…

Building a Secure Cybersecurity Research Lab: A Journey of Isolation and Exploration

Introduction