Beat The Heat

Security Flaw Heat Map

Avoid getting burned by security defects. The vulnerabilities below pair data from our State of Software Security Volume 11 with advice on how to stay cool with secure coding practices.

.NET

62.8%
Information Leakage


What it is

Information leakage can take many forms. At a high level, it means your application exposes information to users who should not have it, whether stack traces and internal paths in error pages, version banners, or other users' data. Threat actors use leaked information to find and exploit other vulnerabilities in your application, or simply steal the leaked data.

The Data

The most common flaw type in .NET (62.8%) and PHP (63.3%) applications is information leakage.

Source: State of Software Security Volume 11

The Fix

Mitigating information leakage relies on secure coding practices (generic error pages, no sensitive data in responses, logs, or client-side comments) and on security testing as you develop code, so that you catch the places where sensitive information is exposed.

53.6%
Code Quality

What it is

Code quality refers to weaknesses that do not directly create an exploitable flaw but signal that the application has not been carefully developed or maintained, such as resources that are never released, dead code, or use of deprecated functions. They cause unpredictable application behavior that is easily abused and make real flaws harder to spot.

The Data

Code quality issues occur in a whopping 60.4% of applications that have a security flaw, making them one of the most common flaw types.

Source: State of Software Security Volume 11

The Fix

Prevent poor code quality by practicing secure coding methodologies, utilizing consistent coding patterns, and automating security testing in your SDLC.

48.8%
Insufficient Input Validation


What it is

Insufficient input validation occurs when input is used before it has been checked against what the application expects (type, length, format, range). This flaw is dangerous because unvalidated input is what enables injection attacks such as Cross-Site Scripting (XSS) and SQL injection.

The Data

Insufficient input validation vulnerabilities occur in about half (48.1%) of applications.

Source: State of Software Security Volume 11

The Fix

In addition to implementing secure coding practices (validate against an allowlist of what each field may contain, and remember that validation complements output encoding and parameterized queries rather than replacing them), perform automated static analysis (SAST) and dynamic analysis (DAST) scans. This will help you detect insufficient input validation.

45.9%
Cryptographic Issues

What it is

Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data — including your organization's most sensitive information.

The Data

Cryptographic issues are found in nearly two-thirds (63.7%) of applications.

Source: State of Software Security Volume 11

The Fix

Cryptographic vulnerabilities are preventable with secure coding practices: use the vetted cryptographic libraries and defaults your platform provides rather than writing your own, keep certificate validation enabled, and never store secrets in cleartext. Most major languages inherently support good cryptographic practices, so concerns over incorrect implementation typically arise case by case from misconfiguration or misuse.

35.4%
Directory Traversal

What it is

Directory traversal, also known as path traversal, is an attack in which user-supplied input (typically sequences such as ../) is used to build a file path, letting threat actors read or write directories and files outside the web root that the application never intended to expose. It succeeds when the application or web server does not confine the resolved path to the directory it meant to serve.

The Data

Directory traversal flaws are found in nearly half (47.8%) of applications.

Source: State of Software Security Volume 11

The Fix

An attacker who exploits a directory traversal flaw can read configuration files and credentials and, where writes are possible, plant code and compromise the web server. To mitigate directory traversal, follow secure coding practices: validate user input, resolve each requested path and confirm it stays inside the intended base directory rather than relying only on blocklists of characters, keep your web server software up to date with patches, and run frequent static analysis scans.

25.3%
CRLF Injection

What it is

CRLF injection is an attack that uses carriage return (CR, \r) and line feed (LF, \n) characters. When threat actors inject a CRLF sequence into an HTTP header, a log entry, or another line-oriented stream, they end the current line and add their own: extra response headers, a split response (HTTP response splitting), or forged log entries that manipulate the web application's behavior.

The Data

CRLF injection flaws are rampant, appearing in a sizeable 65.4% of applications.

Source: State of Software Security Volume 11

The Fix

Prevent CRLF injection flaws by never trusting user input. Validate and encode user-supplied data, and reject or strip CR and LF characters before any value is placed in an HTTP header or a log line; prefer framework APIs that refuse such values over building headers from strings yourself.

24.0%
Cross-Site Scripting (XSS)

What it is

Cross-Site Scripting (XSS) flaws permit attackers to inject client-side scripts into pages the application serves to other users. Because the script runs with the victim's session, it gives threat actors a wide attack surface: hijacking user accounts, spreading worms and Trojans, accessing browser history and clipboard contents, controlling the browser remotely, and attacking other online appliances and applications from the victim's browser.

The Data

89.9% of XSS flaws in open source libraries have a fix in a published updated version.

Source: State of Software Security: Open Source Edition

The Fix

You can prevent these vulnerabilities with secure coding practices. Validate input from search fields and forms against what the field is expected to contain, and, above all, encode every value for the context it is written into (HTML body, attribute, JavaScript, URL): output encoding is what stops injected markup from executing, and the correct encoding depends on that context.

19.9%
Credentials Management

What it is

Credentials management flaws are weaknesses in how an application stores and handles usernames, passwords, and other secrets, such as hard-coded credentials, cleartext storage, or weak hashing. Threat actors who recover credentials can take control of user accounts, then steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.

The Data

Credentials management flaws occur in nearly half (48.3%) of applications.

Source: State of Software Security Volume 11

The Fix

Reduce your risk by never hard-coding credentials and by keeping secrets in restricted locations such as a protected configuration store or secrets manager. For inbound password authentication, do not store the password itself, even encrypted: store a salted hash from a slow, one-way password-hashing function in a protected configuration file or database, and compare hashes in constant time.

12.7%
SQL Injection

What it is

SQL injection vulnerabilities allow attackers to read or modify backend databases without authorization. The attacker supplies input containing SQL syntax, and because the application concatenates that input into the query text instead of treating it as data, the input changes the meaning of the query.

The Data

SQL injection flaws occur in 27.8% of applications.

Source: State of Software Security Volume 11

The Fix

Prevent SQL injection attacks with secure coding practices, such as using parameterized queries. A parameterized query binds the input as a parameter of a fixed query, so the database never interprets it as an extension of the query text.
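The difference between the two approaches, as an added Python example that is not code from the page or its authors: a login lookup against a constructed in-memory SQLite user table, first with the input concatenated into the query text and then with bound parameters. The table layout, the sample rows, and the attacker's input are assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """The flaw: input is pasted into the query text, so SQL syntax in the
    input (here a comment marker) rewrites the query."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password_hash: str):
    """The fix: the query text is fixed and the values are bound as data."""
    query = ("SELECT username FROM users WHERE username = ? "
             "AND password_hash = ?")
    row = conn.execute(query, (username, password_hash)).fetchone()
    return row[0] if row else None


# Constructed attacker input: closes the string and comments out the password check.
PAYLOAD = "alice' --"


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),  # logs in as alice
        "safe": login_safe(conn, PAYLOAD, "wrong"),              # no such user
        "legitimate": login_safe(conn, "alice", "hash-a"),       # still works
    }
```

The bound-parameter form is the fix regardless of database or language; the `?` placeholder syntax is SQLite's, and other drivers use `%s`, `:name`, or `@name`, but the principle is the same.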

12.4%
Encapsulation

What it is

Encapsulation flaws occur when an application fails to keep its components, data, and trust boundaries properly separated: for example, debug or test code left in production, internal objects or state exposed to callers, or data crossing a trust boundary between components without checks. Threat actors exploit these gaps to gain unauthorized access to functions and data.

The Data

Encapsulation flaws exist in over 29% of applications.

Source: State of Software Security Volume 11

The Fix

Fix encapsulation flaws by enforcing boundaries in code: validate data as it crosses between components, remove debug and test code before release, and do not expose internal objects or state beyond the component that owns them. Until an encapsulation flaw is fixed, restrict access to the affected application, database, or system.

C++

66.5%
Error Handling

What it is

Error handling flaws occur when an application fails to handle error conditions consistently or reveals too much when it reports them. Attackers can use improperly managed error messages to learn about your system, locate flaws, and uncover sensitive data, and an unhandled error can leave the application in an insecure state.

The Data

Error handling flaws show up in just 5.5% of applications.

Source: State of Software Security Volume 11

The Fix

Provide error messages that are clear and valuable without revealing sensitive system or application details. Make sure to test your sites and resources for errors and learn how they respond so that you can remediate them more efficiently.

46.8%
Buffer Management Errors


What it is

A buffer management error is a read or write outside the bounds of a buffer. It can crash the application or corrupt memory, and in the worst case it allows a threat actor to execute arbitrary code remotely and change the behavior of the application.

The Data

Buffer management errors occur in just 2% of applications.

Source: State of Software Security Volume 11

The Fix

To avoid buffer management errors, use bounds-checked APIs and the compiler and runtime hardening your toolchain offers, and use binary static application security testing (SAST) technology to scan for vulnerabilities, especially in open source code you did not write.

45.8%
Numeric Errors

What it is

Numeric errors are weaknesses in how your code converts or calculates numbers: integer overflow and wraparound, sign errors, and truncation when converting between types. A wrong length or size value is often the first step of a memory corruption exploit.

The Data

Numeric errors occur in just 1.5% of applications.

Source: State of Software Security Volume 11

The Fix

Check ranges before you calculate and before you convert: confirm that a sum or product cannot exceed the maximum of its type, and that a value fits the destination type, before using it as a size, index, or loop bound. Avoid conversions between numeric types where possible, and implement secure coding practices to get ahead of common flaws and exploits.
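An added Python illustration (not from the page) of the two range checks described above. Python integers do not overflow, so the helpers below emulate C's unsigned 32-bit and signed 16-bit arithmetic to show how an unchecked multiplication or conversion produces a wrong size; the element count and sizes are constructed values.

```python
UINT32_MAX = 0xFFFFFFFF


class NumericRangeError(ValueError):
    pass


def u32(value: int) -> int:
    """Emulates C unsigned 32-bit arithmetic: results wrap modulo 2**32."""
    return value & UINT32_MAX


def alloc_size_wrapping(count: int, elem_size: int) -> int:
    """The flaw: count * elem_size silently wraps, so the allocator is asked
    for a tiny buffer while the copy loop still runs `count` times."""
    return u32(count * elem_size)


def alloc_size_checked(count: int, elem_size: int) -> int:
    """The fix: range-check before multiplying. Reject operands outside the
    type and any product that would exceed UINT32_MAX."""
    for operand in (count, elem_size):
        if not 0 <= operand <= UINT32_MAX:
            raise NumericRangeError("operand outside uint32 range")
    if elem_size and count > UINT32_MAX // elem_size:
        raise NumericRangeError("count * elem_size would overflow uint32")
    return count * elem_size


def to_int16_truncating(value: int) -> int:
    """Emulates assigning to a C int16_t: high bits are dropped and bit 15
    becomes the sign, so a large positive length turns negative."""
    low = value & 0xFFFF
    return low - 0x10000 if low & 0x8000 else low


def to_int16_checked(value: int) -> int:
    """The fix: confirm the value fits before converting."""
    if not -0x8000 <= value <= 0x7FFF:
        raise NumericRangeError("value does not fit in int16")
    return value


def would_overflow(count: int, elem_size: int) -> bool:
    """Convenience wrapper: True if the checked version rejects the operands."""
    try:
        alloc_size_checked(count, elem_size)
    except NumericRangeError:
        return True
    return False
```

With a count of 0x40000001 and four-byte elements the wrapping version returns 4, so a loop writing over a billion elements would run against a four-byte allocation; the checked version refuses the operands instead. The 16-bit case shows the second failure mode: a length of 40000 becomes -25536, which then passes any "negative means error" check in the wrong direction.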

41.9%
Directory Traversal

What it is

Directory traversal, also known as path traversal, is an attack in which user-supplied input (typically sequences such as ../) is used to build a file path, letting threat actors read or write directories and files outside the web root that the application never intended to expose. It succeeds when the application or web server does not confine the resolved path to the directory it meant to serve.

The Data

Directory traversal flaws are found in nearly half (47.8%) of applications.

Source: State of Software Security Volume 11

The Fix

An attacker who exploits a directory traversal flaw can read configuration files and credentials and, where writes are possible, plant code and compromise the web server. To mitigate directory traversal, follow secure coding practices: validate user input, resolve each requested path and confirm it stays inside the intended base directory rather than relying only on blocklists of characters, keep your web server software up to date with patches, and run frequent static analysis scans.

40.2%
Cryptographic Issues

What it is

Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data — including your organization's most sensitive information.

The Data

Cryptographic issues are found in nearly two-thirds (63.7%) of applications.

Source: State of Software Security Volume 11

The Fix

Cryptographic vulnerabilities are preventable with secure coding practices: use the vetted cryptographic libraries and defaults your platform provides rather than writing your own, keep certificate validation enabled, and never store secrets in cleartext. Most major languages inherently support good cryptographic practices, so concerns over incorrect implementation typically arise case by case from misconfiguration or misuse.

36.6%
Code Quality

What it is

Code quality refers to weaknesses that do not directly create an exploitable flaw but signal that the application has not been carefully developed or maintained, such as resources that are never released, dead code, or use of deprecated functions. They cause unpredictable application behavior that is easily abused and make real flaws harder to spot.

The Data

Code quality issues occur in a whopping 60.4% of applications that have a security flaw, making them one of the most common flaw types.

Source: State of Software Security Volume 11

The Fix

Prevent poor code quality by practicing secure coding, utilizing consistent coding patterns, and automating security testing in your SDLC.

35.3%
Buffer Overflow

What it is

Buffer overflow issues are common coding mistakes in which data is written past the end of a buffer. A threat actor can use one to crash your system or to overwrite adjacent memory and create an entry point for an attack. C and C++ are more susceptible to buffer overflow flaws because they do not check bounds for you.

The Data

A sizeable 59% of C++ applications have high (and very high) severity flaws.

Source: State of Software Security Volume 11

The Fix

To prevent buffer overflow mistakes, use a binary SAST technology to scan for vulnerabilities, especially when using open source code. In C and C++ applications, avoid standard library functions that are not bounds-checked (such as strcpy, sprintf, and gets) in favor of length-limited alternatives.

30.2%
Race Condition

What it is

A race condition flaw occurs when the correctness of an operation depends on two or more steps happening in a certain sequence, but nothing in the code enforces that sequence, so another thread or process can act between them (for example, between a check and the use of the checked resource). These flaws are difficult to exploit reliably, but if successful, threat actors can steal data, inject malicious code, deactivate controls, and more.

The Data

Race condition flaws occur in just 8.5% of applications.

Source: State of Software Security Volume 11

The Fix

You can prevent race conditions by implementing secure coding practices, such as holding a lock across the check and the action it guards or using atomic operations, as well as by scanning and reviewing your code through static analysis to look for race condition vulnerabilities.
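An added Python example (not from the page) of a check-then-act race on an account balance and of the lock that closes it. The account, the amounts, and the scheduling helper that forces the second withdrawal into the first one's window are all constructed for the demonstration; real races are timing dependent, which is why the helper pins the interleaving.

```python
import threading


class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int, after_check=None) -> bool:
    """The flaw: check and act are separate steps with nothing holding them
    together, so another thread can change the balance in between
    (time of check to time of use)."""
    if acct.balance >= amount:
        if after_check:
            after_check()          # the window in which the race happens
        acct.balance -= amount
        return True
    return False


def withdraw_safe(acct: Account, amount: int, after_check=None) -> bool:
    """The fix: the lock makes check and act one indivisible step."""
    with acct.lock:
        if acct.balance >= amount:
            if after_check:
                after_check()
            acct.balance -= amount
            return True
        return False


def run_interleaved(withdraw, start: int = 100, amount: int = 80):
    """Constructed scheduler: the second withdrawal is released only once the
    first has passed its check, so it lands inside the first one's window."""
    acct = Account(start)
    first_checked = threading.Event()
    second_done = threading.Event()
    results = {}

    def pause():
        first_checked.set()
        # With the lock held, the second thread cannot finish; the timeout lets
        # the first one proceed instead of deadlocking.
        second_done.wait(timeout=0.5)

    def first():
        results["first"] = withdraw(acct, amount, after_check=pause)

    def second():
        first_checked.wait()
        results["second"] = withdraw(acct, amount)
        second_done.set()

    threads = [threading.Thread(target=first), threading.Thread(target=second)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, results["first"], results["second"]
```

With a starting balance of 100 and two withdrawals of 80, the racy version lets both succeed and leaves the balance at -60; the locked version serializes them, so the second sees a balance of 20 and is refused. The same check-then-act shape appears in file access (exists, then open) and in permission checks, and the remedy is the same: make the check and the action indivisible.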

25.0%
Potential Backdoor


What it is

Potential backdoor flaws are code paths that grant access outside the application's normal authentication and authorization controls, such as hard-coded credentials or cryptographic keys, hidden accounts, or undocumented commands. Whoever discovers them, including threat actors, gains direct access to the application and its files.

The Data

Potential backdoor vulnerabilities occur in 9.7% of applications.

Source: State of Software Security Volume 11

The Fix

Combine secure coding best practices with automated security testing in your developer workflow to find and fix backdoor flaws in your code before they become a problem.
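One form the automated testing mentioned above can take, as an added Python example that is not from the page: a small scanner that flags the hard-coded credential and key patterns most associated with potential backdoors in a set of constructed source lines. The patterns, the placeholder filter, and the sample lines are assumptions for the demonstration and are not exhaustive.

```python
import re

# Assumed heuristic patterns for the commonest hard-coded secret shapes.
SECRET_PATTERNS = [
    ("credential_assignment",
     re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]=?\s*["']([^"']{4,})["']""")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hidden_account_check",
     re.compile(r"""(?i)\buser(?:name)?\s*==\s*["'](?:backdoor|support|debug|maint)["']""")),
]
# Values that look like placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|example|xxx+|\$\{[^}]*\}|<[^>]*>)$")


def scan(lines):
    """Return (line_number, finding_name) pairs for lines that match a pattern."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            if name == "credential_assignment" and PLACEHOLDER.match(match.group(2)):
                continue
            findings.append((number, name))
    return findings


# Constructed source lines standing in for a repository scan.
SAMPLE_SOURCE = [
    'db_password = os.environ["DB_PASSWORD"]',              # fine: read from environment
    'admin_password = "Summ3r2020!"',                        # hard-coded credential
    'api_key = "${API_KEY}"',                                # placeholder, not a secret
    'if username == "support" and password == "letmein":',   # hidden account and password
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',                      # access key id shape
    '-----BEGIN RSA PRIVATE KEY-----',                       # embedded private key
]
```

Run in CI over every commit, a scanner like this catches the credential before it ships; the real tools add entropy checks and vendor-specific key formats, but the shape of the detection is the same.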

22.4%
Untrusted Initialization

What it is

Untrusted initialization flaws occur when an application initializes variables, parameters, or system settings from values an attacker can control externally, for example request parameters merged into configuration. This can lead to interrupted service to customers or to odd application behavior, and, where a privilege-related setting is affected, to unauthorized access.

The Data

Untrusted initialization flaws are uncommon in most languages, but they still show up in about 22% of C++ applications.

Source: State of Software Security Volume 11

The Fix

Initialize settings from trusted sources only, and apply external values through an explicit allowlist of what may be set. Implement proper secure coding processes and scan your code using static and dynamic analysis testing tools to identify and fix application weaknesses.

Java

64.4%
CRLF Injection

What it is

CRLF injection is an attack that uses carriage return (CR, \r) and line feed (LF, \n) characters. When threat actors inject a CRLF sequence into an HTTP header, a log entry, or another line-oriented stream, they end the current line and add their own: extra response headers, a split response (HTTP response splitting), or forged log entries that manipulate the web application's behavior.

The Data

CRLF injection flaws are rampant, appearing in a sizeable 65.4% of applications.

Source: State of Software Security Volume 11

The Fix

Prevent CRLF injection flaws by never trusting user input. Validate and encode user-supplied data, and reject or strip CR and LF characters before any value is placed in an HTTP header or a log line; prefer framework APIs that refuse such values over building headers from strings yourself.

54.3%
Code Quality


What it is

Code quality refers to weaknesses that do not directly create an exploitable flaw but signal that the application has not been carefully developed or maintained, such as resources that are never released, dead code, or use of deprecated functions. They cause unpredictable application behavior that is easily abused and make real flaws harder to spot.

The Data

Code quality issues occur in a whopping 60.4% of applications that have a security flaw, making them one of the most common flaw types.

Source: State of Software Security Volume 11

The Fix

Prevent poor code quality by practicing secure coding methodologies, utilizing consistent coding patterns, and automating security testing in your SDLC.

51.9%
Information Leakage

What it is

Information leakage can take many forms. At a high level, it means your application exposes information to users who should not have it, whether stack traces and internal paths in error pages, version banners, or other users' data. Threat actors use leaked information to find and exploit other vulnerabilities in your application, or simply steal the leaked data.

The Data

Information leakage exists in over 60% of applications.

Source: State of Software Security Volume 11

The Fix

Mitigating information leakage relies on secure coding practices (generic error pages, no sensitive data in responses, logs, or client-side comments) and on security testing as you develop code, so that you catch the places where sensitive information is exposed.

43.3%
Cryptographic Issues

What it is

Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data — including your organization's most sensitive information.

The Data

Cryptographic issues are found in nearly two-thirds (63.7%) of applications.

Source: State of Software Security Volume 11

The Fix

Cryptographic vulnerabilities are preventable with secure coding practices: use the vetted cryptographic libraries and defaults your platform provides rather than writing your own, keep certificate validation enabled, and never store secrets in cleartext. Most major languages inherently support good cryptographic practices, so concerns over incorrect implementation typically arise case by case from misconfiguration or misuse.

30.4%
Directory Traversal


What it is

Directory traversal, also known as path traversal, is an attack in which user-supplied input (typically sequences such as ../) is used to build a file path, letting threat actors read or write directories and files outside the web root that the application never intended to expose. It succeeds when the application or web server does not confine the resolved path to the directory it meant to serve.

The Data

Directory traversal flaws are found in nearly half (47.8%) of applications.

Source: State of Software Security Volume 11

The Fix

An attacker who exploits a directory traversal flaw can read configuration files and credentials and, where writes are possible, plant code and compromise the web server. To mitigate directory traversal, follow secure coding practices: validate user input, resolve each requested path and confirm it stays inside the intended base directory rather than relying only on blocklists of characters, keep your web server software up to date with patches, and run frequent static analysis scans.

26.5%
Credentials Management

What it is

Credentials management flaws are weaknesses in how an application stores and handles usernames, passwords, and other secrets, such as hard-coded credentials, cleartext storage, or weak hashing. Threat actors who recover credentials can take control of user accounts, then steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.

The Data

Credentials management flaws occur in nearly half (48.3%) of applications.

Source: State of Software Security Volume 11

The Fix

Reduce your risk by never hard-coding credentials and by keeping secrets in restricted locations such as a protected configuration store or secrets manager. For inbound password authentication, do not store the password itself, even encrypted: store a salted hash from a slow, one-way password-hashing function in a protected configuration file or database, and compare hashes in constant time.

25.2%
Cross-Site Scripting (XSS)

What it is

Cross-Site Scripting (XSS) flaws permit attackers to inject client-side scripts into pages the application serves to other users. Because the script runs with the victim's session, it gives threat actors a wide attack surface: hijacking user accounts, spreading worms and Trojans, accessing browser history and clipboard contents, controlling the browser remotely, and attacking other online appliances and applications from the victim's browser.

The Data

89.9% of XSS flaws in open source libraries have a fix in a published updated version.

Source: State of Software Security Volume 11

The Fix

You can prevent these vulnerabilities with secure coding practices. Validate input from search fields and forms against what the field is expected to contain, and, above all, encode every value for the context it is written into (HTML body, attribute, JavaScript, URL): output encoding is what stops injected markup from executing, and the correct encoding depends on that context.

25.2%
Insufficient Input Validation

What it is

Insufficient input validation occurs when input is used before it has been checked against what the application expects (type, length, format, range). This flaw is dangerous because unvalidated input is what enables injection attacks such as Cross-Site Scripting (XSS) and SQL injection.

The Data

Insufficient input validation vulnerabilities occur in about half (48.1%) of applications.

Source: State of Software Security Volume 11

The Fix

In addition to implementing secure coding practices (validate against an allowlist of what each field may contain, and remember that validation complements output encoding and parameterized queries rather than replacing them), perform automated static analysis (SAST) and dynamic analysis (DAST) scans. This will help you detect insufficient input validation.

18.1%
Encapsulation

What it is

Encapsulation flaws occur when an application fails to keep its components, data, and trust boundaries properly separated: for example, debug or test code left in production, internal objects or state exposed to callers, or data crossing a trust boundary between components without checks. Threat actors exploit these gaps to gain unauthorized access to functions and data.

The Data

Encapsulation flaws exist in over 29% of applications.

Source: State of Software Security Volume 11

The Fix

Fix encapsulation flaws by enforcing boundaries in code: validate data as it crosses between components, remove debug and test code before release, and do not expose internal objects or state beyond the component that owns them. Until an encapsulation flaw is fixed, restrict access to the affected application, database, or system.

16.2%
API Abuse

What it is

API abuse flaws occur when API functionality is used in ways its designers did not intend, whether a library or platform API called in violation of its contract or an exposed web API driven by automated attacks. The latter often results in threat actors taking over accounts through credential stuffing, scraping content, and more.

The Data

API abuse flaws occur in 12.7% of applications.

Source: State of Software Security Volume 11

The Fix

Implement secure coding practices in your developer workflow to get ahead of API abuse: call APIs as documented and check their return values. Close gaps in your security by protecting exposed APIs with authentication, TLS, and rate limiting, and monitor API calls for abnormal behavior.

JavaScript

31.5%
Cross-Site Scripting (XSS)

What it is

Cross-Site Scripting (XSS) flaws permit attackers to inject client-side scripts into pages the application serves to other users. Because the script runs with the victim's session, it gives threat actors a wide attack surface: hijacking user accounts, spreading worms and Trojans, accessing browser history and clipboard contents, controlling the browser remotely, and attacking other online appliances and applications from the victim's browser.

The Data

89.9% of XSS flaws in open source libraries have a fix in a published updated version.

Source: State of Software Security Volume 11

The Fix

You can prevent these vulnerabilities with secure coding practices. Validate input from search fields and forms against what the field is expected to contain, and, above all, encode every value for the context it is written into (HTML body, attribute, JavaScript, URL): output encoding is what stops injected markup from executing, and the correct encoding depends on that context.

29.6%
Credentials Management

What it is

Credentials management flaws are weaknesses in how an application stores and handles usernames, passwords, and other secrets, such as hard-coded credentials, cleartext storage, or weak hashing. Threat actors who recover credentials can take control of user accounts, then steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.

The Data

Credentials management flaws occur in nearly half (48.3%) of applications.

Source: State of Software Security Volume 11

The Fix

Reduce your risk by never hard-coding credentials and by keeping secrets in restricted locations such as a protected configuration store or secrets manager. For inbound password authentication, do not store the password itself, even encrypted: store a salted hash from a slow, one-way password-hashing function in a protected configuration file or database, and compare hashes in constant time.

28.4%
CRLF Injection

What it is

CRLF injection is an attack that uses carriage return (CR, \r) and line feed (LF, \n) characters. When threat actors inject a CRLF sequence into an HTTP header, a log entry, or another line-oriented stream, they end the current line and add their own: extra response headers, a split response (HTTP response splitting), or forged log entries that manipulate the web application's behavior.

The Data

CRLF injection flaws are rampant, appearing in a sizeable 65.4% of applications.

Source: State of Software Security Volume 11

The Fix

Prevent CRLF injection flaws by never trusting user input. Validate and encode user-supplied data, and reject or strip CR and LF characters before any value is placed in an HTTP header or a log line; prefer framework APIs that refuse such values over building headers from strings yourself.
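An added Python example, not from the page, of the header-injection case that the CRLF cards in the .NET, Java, and JavaScript sections describe: a redirect whose Location header is built from user input, first placed into the header line as-is and then through a check that refuses any value containing CR or LF. The response layout, the tiny header parser, and the attacker's input (a redirect target followed by an injected Set-Cookie header) are constructed for the demonstration.

```python
class HeaderInjectionError(ValueError):
    pass


def build_redirect_unsafe(location: str) -> str:
    """The flaw: the user-controlled value goes into the header line as-is."""
    lines = ["HTTP/1.1 302 Found", "Location: " + location, ""]
    return "\r\n".join(lines) + "\r\n"


def safe_header_value(value: str) -> str:
    """Reject rather than strip: a silently altered value may still redirect
    somewhere the developer did not intend."""
    if "\r" in value or "\n" in value:
        raise HeaderInjectionError("CR or LF in header value")
    return value


def build_redirect_safe(location: str) -> str:
    """The fix: every header value passes through the check first."""
    lines = ["HTTP/1.1 302 Found", "Location: " + safe_header_value(location), ""]
    return "\r\n".join(lines) + "\r\n"


def header_names(raw_response: str):
    """Minimal parser showing which headers a client would see."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed attacker input: a redirect target followed by an injected header.
PAYLOAD = "https://example.com/\r\nSet-Cookie: session=attacker-chosen"


def demo():
    seen_by_client = header_names(build_redirect_unsafe(PAYLOAD))
    try:
        build_redirect_safe(PAYLOAD)
        outcome = "accepted"
    except HeaderInjectionError:
        outcome = "rejected"
    return seen_by_client, outcome
```

The unsafe builder hands the client two headers where the developer wrote one, which is how an attacker fixes a session cookie or, with a second blank line, splits off an entire second response. The same check belongs in front of log writes, where injected line breaks forge entries instead.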

25.7%
Insufficient Input Validation

What it is

Insufficient input validation occurs when input is used before it has been checked against what the application expects (type, length, format, range). This flaw is dangerous because unvalidated input is what enables injection attacks such as Cross-Site Scripting (XSS) and SQL injection.

The Data

Insufficient input validation vulnerabilities occur in about half (48.1%) of applications.

Source: State of Software Security Volume 11

The Fix

In addition to implementing secure coding practices (validate against an allowlist of what each field may contain, and remember that validation complements output encoding and parameterized queries rather than replacing them), perform automated static analysis (SAST) and dynamic analysis (DAST) scans. This will help you detect insufficient input validation.

22.7%
Information Leakage

What it is

Information leakage can take many forms. At a high level, it means your application exposes information to users who should not have it, whether stack traces and internal paths in error pages, version banners, or other users' data. Threat actors use leaked information to find and exploit other vulnerabilities in your application, or simply steal the leaked data.

The Data

Information leakage exists in over 60% of applications.

Source: State of Software Security Volume 11

The Fix

Mitigating information leakage relies on secure coding practices (generic error pages, no sensitive data in responses,Logs, or client-side comments) and on security testing as you develop code, so that you catch the places where sensitive information is exposed.

20.9%
Cryptographic Issues

What it is

Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data — including your organization's most sensitive information.

The Data

Cryptographic issues are found in nearly two-thirds (63.7%) of applications.

Source: State of Software Security Volume 11

The Fix

Cryptographic vulnerabilities are preventable with secure coding practices: use the vetted cryptographic libraries and defaults your platform provides rather than writing your own, keep certificate validation enabled, and never store secrets in cleartext. Most major languages inherently support good cryptographic practices, so concerns over incorrect implementation typically arise case by case from misconfiguration or misuse.

14.9%
Authentication Issues

What it is

Authentication issues can occur when functions related to authentication are not implemented securely. This can allow threat actors access to passwords, session tokens, and more.

The Data

Authentication issues occur in 8.7% of applications.

Source: State of Software Security Volume 11

The Fix

Utilize secure coding practices and security scans to ensure that your code is free of authentication issues. Implement strong password policies and validate that passwords meet these policies. Finally, whenever possible, implement multi-factor authentication.

11.5%
Directory Traversal

What it is

Directory traversal, also known as path traversal, is an attack in which user-supplied input (typically sequences such as ../) is used to build a file path, letting threat actors read or write directories and files outside the web root that the application never intended to expose. It succeeds when the application or web server does not confine the resolved path to the directory it meant to serve.

The Data

Directory traversal flaws are found in nearly half (47.8%) of applications.

Source: State of Software Security Volume 11

The Fix

An attacker who exploits a directory traversal flaw can read configuration files and credentials and, where writes are possible, plant code and compromise the web server. To mitigate directory traversal, follow secure coding practices: validate user input, resolve each requested path and confirm it stays inside the intended base directory rather than relying only on blocklists of characters, keep your web server software up to date with patches, and run frequent static analysis scans.

7.6%
Code Quality

What it is

Code quality refers to weaknesses that do not directly create an exploitable flaw but signal that the application has not been carefully developed or maintained, such as resources that are never released, dead code, or use of deprecated functions. They cause unpredictable application behavior that is easily abused and make real flaws harder to spot.

The Data

Code quality issues occur in a whopping 60.4% of applications that have a security flaw, making them one of the most common flaw types.

Source: State of Software Security Volume 11

The Fix

Prevent poor code quality by practicing secure coding methodologies, utilizing consistent coding patterns, and automating security testing in your SDLC.

4.0%
Authorization Issues

What it is

Authorization issues occur when authorization controls are not in place, or they're misconfigured or insecure. They can impact a range of layers in an application, including functions at the app layer, server access, and database access.

The Data

Authorization issues occur in 9.4% of applications with vulnerabilities.

Source: State of Software Security Volume 11

The Fix

To prevent authorization issues, implement secure coding practices in your developer workflow and push for consistent security testing. Locate and control access to privileged assets in your applications based on the principle of least privilege. Ensure all roles in the application are properly configured to access only the necessary data.

PHP

74.6%
Cross-Site Scripting (XSS)

What it is

Cross-Site Scripting (XSS) flaws permit attackers to inject client-side scripts into pages the application serves to other users. Because the script runs with the victim's session, it gives threat actors a wide attack surface: hijacking user accounts, spreading worms and Trojans, accessing browser history and clipboard contents, controlling the browser remotely, and attacking other online appliances and applications from the victim's browser.

The Data

Cross-Site Scripting is the most common type of flaw in open source code across almost every language, showing up in 40.1% of libraries written in PHP.

Source: State of Software Security Volume 11

The Fix

You can prevent these vulnerabilities with secure coding practices. Validate input from search fields and forms against what the field is expected to contain, and, above all, encode every value for the context it is written into (HTML body, attribute, JavaScript, URL): output encoding is what stops injected markup from executing, and the correct encoding depends on that context.
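An added Python example (not from the page) combining the two steps above, and serving the Insufficient Input Validation cards as well as the XSS cards: an allowlist check for a username field, beside context-specific encoding of a search term into an HTML body, a URL in an attribute, and a JavaScript string. The templates, the allowed username syntax, and the test payload are assumptions for the demonstration; in a real application the framework's templating engine should do the encoding.

```python
import html
import json
import re
from urllib.parse import quote

# Assumed allowlist for a username field: what it may contain, not what it may not.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value: str) -> bool:
    """Input validation: reject anything outside the field's definition."""
    return USERNAME_RE.fullmatch(value) is not None


def js_string(value: str) -> str:
    """JSON-encode, then escape the characters that could close a <script> block."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_unsafe(search_term: str) -> str:
    """The flaw: the value lands in the page exactly as the user typed it."""
    return "<p>Results for %s</p>" % search_term


def render_safe(search_term: str) -> str:
    """The fix: one value, three contexts, three different encoders."""
    return (
        "<p>Results for %s</p>"
        '<a href="/search?q=%s">search again</a>'
        "<script>var lastQuery = %s;</script>"
    ) % (
        html.escape(search_term, quote=True),   # HTML body text
        quote(search_term, safe=""),            # URL query component
        js_string(search_term),                 # JavaScript string literal
    )


PAYLOAD = "<script>alert(1)</script>"   # constructed test payload


def demo():
    return {
        "unsafe_executes": "<script>alert(1)</script>" in render_unsafe(PAYLOAD),
        "safe_executes": "<script>alert(1)</script>" in render_safe(PAYLOAD),
        "safe_html": html.escape(PAYLOAD, quote=True),
    }
```

Validation alone would not have saved the search page: a search term legitimately contains arbitrary text, so the protection has to come from encoding at the point of output. Validation earns its keep on fields with a narrow definition, such as the username, where it removes the attack surface before any encoding question arises.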

71.6%
Cryptographic Issues

What it is

Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data — including your organization's most sensitive information.

The Data

Cryptographic issues are found in nearly two-thirds (63.7%) of applications.

Source: State of Software Security Volume 11

The Fix

Cryptographic vulnerabilities are preventable with secure coding practices: use the vetted cryptographic libraries and defaults your platform provides rather than writing your own, keep certificate validation enabled, and never store secrets in cleartext. Most major languages inherently support good cryptographic practices, so concerns over incorrect implementation typically arise case by case from misconfiguration or misuse.
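An added Python example (not from the page) of two of the flaw types listed in the Cryptographic Issues cards, each shown in its weak and its corrected form: a TLS client context with certificate validation disabled beside the library default, and a message-authentication check done with a plain comparison beside the constant-time one. No connection is made; the contexts are only inspected, and the key and message are constructed values.

```python
import hashlib
import hmac
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The weak setting: no hostname check and no certificate verification,
    so any certificate, including a man-in-the-middle's, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: the library default verifies the chain against
    the system trust store and checks the hostname; pin a TLS floor explicitly."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """The check a code review or test should apply to every client context."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag_vulnerable(key: bytes, message: bytes, received: bytes) -> bool:
    """== stops at the first differing byte, so response time leaks how much
    of a forged tag is already correct."""
    return tag(key, message) == received


def verify_tag_safe(key: bytes, message: bytes, received: bytes) -> bool:
    """Constant-time comparison: the time taken does not depend on the bytes."""
    return hmac.compare_digest(tag(key, message), received)


# Constructed key and message for the demonstration.
KEY = b"\x00" * 32
MESSAGE = b"amount=100&to=alice"
```

Disabling verification is the most common certificate-validation flaw because it makes a test environment's self-signed certificate "work"; the fix is to trust that certificate explicitly (via `load_verify_locations` on the default context) rather than to trust everything.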

64.6%
Directory Traversal

What it is

Directory traversal, also known as path traversal, is an attack in which user-supplied input (typically sequences such as ../) is used to build a file path, letting threat actors read or write directories and files outside the web root that the application never intended to expose. It succeeds when the application or web server does not confine the resolved path to the directory it meant to serve.

The Data

Directory traversal flaws are found in nearly half (47.8%) of applications.

Source: State of Software Security Volume 11

The Fix

An attacker who exploits a directory traversal flaw can read configuration files and credentials and, where writes are possible, plant code and compromise the web server. To mitigate directory traversal, follow secure coding practices: validate user input, resolve each requested path and confirm it stays inside the intended base directory rather than relying only on blocklists of characters, keep your web server software up to date with patches, and run frequent static analysis scans.
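The containment check recommended in the Directory Traversal cards, as an added Python example that is not from the page: the function decodes the requested path once, rejects absolute paths and NUL or backslash characters, normalizes the path lexically against the base directory, and, for files that exist, also compares the symlink-resolved locations. The base directory and the sample requests are constructed; the files do not need to exist for the lexical check to run.

```python
import os
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    pass


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return base_dir/user_path only if the result stays inside base_dir."""
    decoded = unquote(user_path)            # decode exactly once, as the server would
    if "\x00" in decoded or "\\" in decoded:
        raise PathTraversalError("forbidden character in path")
    if posixpath.isabs(decoded):
        raise PathTraversalError("absolute paths are not allowed")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # Lexical containment: the normalized result must be base or below it.
    # (A ".." that stays inside base, e.g. images/../index.html, is allowed.)
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathTraversalError("path escapes the base directory")
    # A symlink inside base can still point outside it; for paths that exist,
    # repeat the check on the resolved locations.
    if os.path.exists(candidate):
        real_base = os.path.realpath(base)
        real_candidate = os.path.realpath(candidate)
        if os.path.commonpath([real_base, real_candidate]) != real_base:
            raise PathTraversalError("symlink escapes the base directory")
    return candidate


def check(base_dir: str, user_path: str) -> str:
    """Helper for the demonstration: 'ok:<path>' or 'rejected:<reason>'."""
    try:
        return "ok:" + resolve_under(base_dir, user_path)
    except PathTraversalError as exc:
        return "rejected:" + str(exc)


BASE = "/srv/app/public"   # constructed base directory
SAMPLE_REQUESTS = [
    "images/cat.png",                 # ordinary file
    "images/../index.html",           # .. that stays inside base
    "../../etc/passwd",               # classic traversal
    "%2e%2e/%2e%2e/etc/passwd",       # URL-encoded dots
    "/etc/passwd",                    # absolute path
    "..%5c..%5cwindows%5cwin.ini",    # backslash separators
    "ok.txt%00.png",                  # NUL byte to defeat an extension check
]
```

Note what the check does not do: it does not look for the string "..", which is the blocklist approach the advice warns against, and it decodes only once, so a double-encoded `%252e` arrives as the literal filename `%2e`, which is inside the base and harmless.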

63.3%
Information Leakage

What it is

Information leakage can take many forms. At a high level, it means your application exposes information to users who should not have it, whether stack traces and internal paths in error pages, version banners, or other users' data. Threat actors use leaked information to find and exploit other vulnerabilities in your application, or simply steal the leaked data.

The Data

The most common flaw type in .NET (62.8%) and PHP (63.3%) applications is information leakage.

Source: State of Software Security Volume 11

The Fix

Mitigating information leakage relies on secure coding practices (generic error pages, no sensitive data in responses, logs, or client-side comments) and on security testing as you develop code, so that you catch the places where sensitive information is exposed.
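An added Python example (not from the page) of the error-message advice, serving the Information Leakage cards and the Error Handling card in the C++ section alike: a request handler whose backend call fails, first returning the exception text and stack trace to the client and then returning a generic message with a reference id while the detail goes to the server log. The backend error, its wording, and the handler shape are constructed for the demonstration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.profile")


class BackendError(Exception):
    pass


def load_profile(user_id):
    """Constructed failure standing in for a real backend error; the message
    carries the kind of internal detail that must never reach a client."""
    raise BackendError(
        "connection to db-primary.internal:5432 as app_rw failed while running "
        "SELECT * FROM profiles WHERE id=%r" % (user_id,))


def handle_leaky(user_id):
    """The flaw: exception text and stack trace are returned to the caller."""
    try:
        return 200, load_profile(user_id)
    except Exception as exc:
        return 500, "Internal error: %s\n%s" % (exc, traceback.format_exc())


def handle_safe(user_id):
    """The fix: a generic message plus a reference id for the client; the full
    detail, keyed by the same id, goes to the server-side log."""
    try:
        return 200, load_profile(user_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed, ref=%s user_id=%r", ref, user_id)
        return 500, "Something went wrong. Reference: %s" % ref


# Markers of internal detail a client response should never contain.
SENSITIVE_MARKERS = ("db-primary.internal", "app_rw", "SELECT", "Traceback")


def leaks(body: str) -> bool:
    """Detection helper: does a response body carry any of the markers?"""
    return any(marker in body for marker in SENSITIVE_MARKERS)
```

The reference id is what keeps support workable after the detail is removed: the user reports the id, and the operator finds the full log entry. A DAST scan that greps responses for the same markers catches the leaky handler automatically.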

61.7%
Untrusted Initialization

What it is

Untrusted initialization flaws arise when threat actors can control parameters or system settings through external means. This can interrupt service to customers or cause erratic application behavior.

The Data

Untrusted initialization flaws are very common in PHP, showing up in about 60% of applications. However, most other languages do not have this issue.

Source: State of Software Security Volume 11

The Fix

Implement proper secure coding processes and scan your code using static and dynamic analysis testing tools to identify and fix application weaknesses.

48.0%
Code Injection

What it is

Code injection, also described as improper control of code generation, occurs when code syntax isn't properly filtered from user-controlled input. This makes it possible for a threat actor to manipulate the generated code and alter the control flow of the application.

The Data

Code injection is one of the less common flaws, found in 7.9% of applications.

Source: State of Software Security Volume 11

The Fix

Implement proper secure coding processes and scan your code using static and dynamic analysis testing tools to identify and fix application weaknesses.

48.0%
Encapsulation

What it is

An encapsulation flaw occurs when an application fails to keep data or functionality properly separated between its components. Bad code or data can then move from component to component, which threat actors can exploit to gain unauthorized access to functions and data.

The Data

Encapsulation flaws exist in over 29% of applications.

Source: State of Software Security Volume 11

The Fix

If you find an encapsulation flaw, block access to the affected application, database, or system until you can fully protect it. Also back up your data and information so that you can return to business as usual if there is a ransomware attack.

45.4%
Command or Argument Injection

What it is

Command injection is a class of critical application vulnerabilities involving dynamically generated content. In a command injection attack, threat actors execute commands on the host's operating system by exploiting a vulnerable application.

The Data

Command injection exists in just 14.3% of applications.

Source: State of Software Security Volume 11

The Fix

If you notice a command injection attack, cut off access to the application immediately. Follow secure coding practices to prevent manipulation at the source: write and use code that does not allow user input to alter the commands it runs, and reject unacceptable input that presents a risk.

44.3%
Credentials Management

What it is

A credentials management attack is an exploit that attempts to breach username and password pairs to take control of user accounts. If threat actors are successful, they can steal, alter, or erase data, install malware, gain deeper access to your files and systems, and even initiate transactions.

The Data

Credentials management flaws occur in nearly half (48.3%) of applications.

Source: State of Software Security Volume 11

The Fix

Reduce your risk of an attack by storing encrypted passwords in restricted locations and avoiding hard-coded credentials. For inbound authentication using passwords, we recommend hashing them with strong one-way hash functions and storing the resulting hashes in a protected configuration file or database.

40.3%
Code Quality


Python

35.0%
Cryptographic Issues

What it is

Cryptographic flaws include improperly validating certificates, using broken crypto algorithms, employing inadequate encryption strength, and storing sensitive information in cleartext. This flaw can lead to stolen or destroyed data — including your organization's most sensitive information.

The Data

Cryptographic issues are found in nearly two-thirds (63.7%) of applications.

Source: State of Software Security Volume 11

The Fix

Cryptographic vulnerabilities are preventable with secure coding practices. Most major languages inherently support good cryptographic practices, and concerns over incorrect implementation typically arise only on a case-by-case basis.

22.2%
Cross-Site Scripting (XSS)

What it is

Cross-Site Scripting (XSS) flaws permit attackers to inject client-side scripts into the application. They open a wide attack surface through which threat actors can hijack user accounts, spread worms and Trojans, access browser history and clipboard contents, control the browser remotely, and exploit online appliances and applications.

The Data

89.9% of XSS flaws in open source libraries have a fix in a published updated version.

Source: State of Software Security Volume 11

The Fix

You can prevent these vulnerabilities with secure coding practices. For example, always sanitize input from search fields and forms by validating that it's the expected content for the field and then encoding it for the "endpoint."

20.6%
Directory Traversal


16.4%
CRLF Injection

What it is

CRLF injection exploits Carriage Return and Line Feed (CRLF) characters. When threat actors inject a CRLF sequence into an HTTP stream, they can maliciously manipulate a web application's functions.

The Data

CRLF injection flaws are rampant, appearing in a sizeable 65.4% of applications.

Source: State of Software Security Volume 11

The Fix

Prevent CRLF injection flaws by never trusting user input. Sanitize user-supplied data with proper validation and encoding, and be sure to properly encode output in HTTP headers.

8.3%
Insufficient Input Validation

What it is

Insufficient input validation is potentially dangerous as it can allow threat actors to perform Cross-Site Scripting (XSS) attacks, as well as SQL injection attacks.

The Data

Insufficient input validation vulnerabilities occur in about half (48.1%) of applications.

Source: State of Software Security Volume 11

The Fix

In addition to implementing secure coding practices, perform automated static analysis (SAST) and dynamic analysis (DAST) scans. This will help you detect insufficient input validation.

8.3%
Information Leakage


8.1%
Server Configuration

What it is

Server configuration issues occur when your web server is misconfigured, which may lead to an attacker obtaining sensitive data, like credentials.

The Data

Server configuration vulnerabilities occur in just 3% of applications with vulnerabilities.

Source: State of Software Security Volume 11

The Fix

To reduce risk from server configuration issues, restrict access to sensitive files and either back them up or store them outside of the web root directory. Follow secure coding practices for additional protection.

7.2%
Credentials Management


6.9%
Dangerous Functions

What it is

Dangerous functions, specifically in Python, can lead to authentication bypasses and code injection exploits.

The Data

Dangerous functions occur in a mere 1.3% of applications.

Source: State of Software Security Volume 11

The Fix

Implement proper secure coding processes and scan your code using static and dynamic analysis testing tools to identify and fix application weaknesses. Identify API functions that carry risk and either avoid using them or find an alternative safe function.

6.8%
Authorization Issues

What it is

Authorization issues occur when authorization controls are not in place, or they're misconfigured or insecure. They can impact a range of layers in applications, including functions at the app layer, server access, and database access.

The Data

Authorization issues occur in 9.4% of applications with vulnerabilities.

Source: State of Software Security Volume 11

The Fix

To prevent authorization issues, implement secure coding practices in your developer workflow and push for consistent security testing. Locate privileged assets in your applications and control access to them based on the principle of least privilege. Ensure all roles in the application are configured to access only the necessary data.
