
Application Security Testing Statistics

Explore key Application Security Testing (AST) statistics to better understand the process and how it can improve application security for your organization.


One of the core goals of software development is to build an application that is scalable and flexible while also remaining secure. It must meet the client's requirements without introducing vulnerabilities or increasing risk.

One way of reaching this middle ground between usability and security is Application Security Testing (AST), which aims to find weaknesses in the product so that they can be fixed. Testing an application's security helps to ensure that it resists a range of threat types and that issues are resolved before the application is deployed, and before anyone can exploit them.

Expert Insights has gathered reports on the application security testing market and pulled out the key statistics on the AST market, security trends, and the vulnerabilities testing most often finds.


Market Statistics 


CrowdStrike 2024 State Of Application Security Report 

This report from CrowdStrike takes a look into how organizations today are managing and securing modern, frequently changing applications. It found that:

  • Only 54% of major code changes go through full security reviews. Additionally, in 22% of organizations, less than a quarter of their code is subject to full security checks. 
  • 81% of organizations report that traditional security reviews take longer than one business day, and 35% report it taking longer than three business days.
  • 90% of security teams use three or more tools to detect and prioritize application vulnerabilities.
  • 70% of critical issues take 12 hours or longer to resolve.

Vulnerabilities 

The OWASP Top 10 is a standard awareness document that represents a broad consensus on the most critical security risks to web applications. These categories make up the current (2021) OWASP Top 10:

  1. Broken Access Control 
  2. Cryptographic Failures 
  3. Injection 
  4. Insecure Design 
  5. Security Misconfiguration 
  6. Vulnerable and Outdated Components 
  7. Identification and Authentication Failures 
  8. Software and Data Integrity Failures 
  9. Security Logging and Monitoring Failures 
  10. Server-Side Request Forgery (SSRF)

According to SISA, these are the most common types of application security vulnerabilities:

  • SQL injection attacks 
  • Broken authentication mechanisms / poorly implemented identity and access controls 
  • Cross-site scripting attacks 
  • Modular program and container security 
  • Checking networking and communication streams 

These are the kinds of issues that SAST, DAST, and other types of tools can help uncover before they reach production.
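The two classes that head the SISA list above, SQL injection and cross-site scripting, are the classic cases of an application handing untrusted input to an interpreter. The following is an added example, not code from the Expert Insights article or from any of the reports it cites: it shows each of the two as the vulnerable form beside its hardened form, and adds a minimal SAST-style check of the kind a static analyser performs to flag the vulnerable SQL pattern before it reaches production. The in-memory users table, the function names and the attack payloads are constructed for illustration; only the Python standard library is used.

```python
"""Added example (not from the Expert Insights article or the cited reports):
SQL injection and XSS, vulnerable beside hardened, plus a small SAST-style
check.  The users table and payloads are constructed sample data."""
import ast
import html
import inspect
import sqlite3
import textwrap


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single-row users table, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: untrusted input is spliced into the SQL text, so a password of
    # ' OR '1'='1  turns the WHERE clause into "... OR '1'='1'" and matches every row.
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: bound parameters; the driver never interprets the input as SQL.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_comment_vulnerable(comment: str) -> str:
    # Vulnerable: the comment lands in the HTML unescaped (stored/reflected XSS).
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Hardened: escape for the HTML text context, including quotes.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


SQL_SINKS = {"execute", "executemany", "executescript"}


def find_dynamic_sql(func) -> list[int]:
    """Minimal SAST-style check over one function: report the line of every
    .execute()-style call whose SQL argument is built at runtime (f-string,
    concatenation, % or .format) rather than being a string literal.  Names
    assigned from such expressions are tracked flow-insensitively, so it
    over-approximates; real SAST tools do proper taint tracking."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(func)))
    dynamic_names: set[str] = set()

    def is_dynamic(expr: ast.AST) -> bool:
        if isinstance(expr, (ast.JoinedStr, ast.BinOp)):
            return True
        if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format"):
            return True
        return isinstance(expr, ast.Name) and expr.id in dynamic_names

    # Pass 1: which local names hold runtime-built strings?
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name) and is_dynamic(node.value)):
            dynamic_names.add(node.targets[0].id)

    # Pass 2: which SQL sinks receive one of them (or a dynamic expression directly)?
    hits: list[int] = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args and is_dynamic(node.args[0])):
            hits.append(node.lineno)
    return hits


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, "admin", payload))  # True
    print("safe login bypassed:     ", login_safe(db, "admin", payload))        # False
    print(render_comment_safe("<script>alert(1)</script>"))
    print("SAST hits in login_vulnerable:", find_dynamic_sql(login_vulnerable))
    print("SAST hits in login_safe:      ", find_dynamic_sql(login_safe))
```

The injection bypass is exactly what a DAST scanner would observe from the outside (a login that succeeds with a malformed password), while the static check finds the same defect in source without running anything; the two complement each other, which is why the tool counts in the CrowdStrike figures above are rarely one.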


2024 Software Vulnerability Snapshot Report by Blackduck

This annual report from Blackduck is in its third year and aims to provide valuable insights into the current state of security for web-based applications and systems, by looking into the potential impact of security vulnerabilities on business operations. Sectors like healthcare, finance, and insurance are deemed as high-risk. The report found that:

  • The industries with the highest rate of application security vulnerabilities are finance, insurance, healthcare, social assistance, and information services
  • SMBs tended to have more critical vulnerabilities than larger enterprises, especially in the finance industry
  • The most common OWASP Top 10 vulnerability seen across industries was security misconfigurations; this had a prevalence rate of 98% per client. 84% of the identified misconfigurations were considered “informational” vulnerabilities, meaning that they could potentially disclose sensitive information, but don’t pose a specific security risk. 
  • The second most common OWASP vulnerability found across organizations was cryptographic failures with a prevalence per client of 86%.
According to Black Duck's report, organizations should adopt the following practices to keep their code secure:

  • Use SAST and SCA (Software Composition Analysis) early and often in the development process to catch coding weaknesses and vulnerabilities introduced by third-party software.
  • Implement DAST to test applications in preproduction environments and identify vulnerabilities that only become apparent at runtime.
  • Prioritize vulnerabilities based on their criticality and exploitability in the running application.
