New Contrast Security Report Finds 96% of Business Applications Contain Vulnerabilities as Attack Volume Grows 60%

Contrast’s 2020 Application Security Observability Report Underscores the Need for Real-time Application Security Remediation to Protect the Business

LOS ALTOS, Calif., July 24, 2020 (GLOBE NEWSWIRE) -- The results of a new study by Contrast Security into business software application security reveal a whopping 96% of applications contain some vulnerability while the number of attacks on some of the top five vulnerabilities surge as much as 179%. Because virtually every organization relies on some piece of critical software to run their business, that means the risk of application-based attack and data breach is growing rapidly, and businesses must act quickly to protect themselves against hackers.

The “2020 Application Security Observability Report” compiled by Contrast Security, the industry’s only provider of instrumentation-based DevOps-Native application security, offers an exclusive look into real-world web application and application programming interface (API) vulnerabilities, library issues, and attacks.

Based on data from Contrast Labs, the report found that not only are attack risks growing, but the time to remediation is also over 17X longer with conventional static application security testing (SAST)1 compared to Contrast’s real-time, continuous self-protecting solution, further widening the threat risk for businesses.

Prevalence, Volume & Remediation Time: A Triple Threat

The high prevalence of software vulnerabilities is major concern with 26% of applications having at least one serious vulnerability and 11% containing six or more. This poses a serious risk to organizations considering that 43% of successful data breaches can be traced back to an application vulnerability.2 Even more worrisome, Contrast Labs found that the top five vulnerabilities saw attacks increase an average of 60% this past year with Command Injection attack volume alone up 179%.

With business applications coming under attack more than 13,000 times a month on average, the risk is amplified by the slow remediation time typical of SAST, which means the longer the door is left open to hackers, the greater the risk it will be exploited.

“Continuous and accurate visibility into both application vulnerabilities and attacks is critical to making smart decisions about digital transformation,” said Jeff Williams, CTO and Co-founder of Contrast Security. “Legacy outside-in scanning and firewalling are simply incompatible with achieving velocity in modern software projects. This report from Contrast Labs confirms that security instrumentation enables dramatically more efficient and effective application security programs. I encourage every organization to use the data and recommendations to focus on their efforts on the vulnerabilities and attacks that matter.”

According to Contrast Labs’ data over the last year, Contrast customers leveraging its embedded sensor-based, detect-and-correct platform see a median time to remediate of just 7 days compared to 121 days for SAST.3 The difference is significant when compared over a period of 90 days.

The gains are even more dramatic when looking at serious vulnerabilities with Contrast customers seeing 25% of serious vulnerabilities remediated in just one day and 75% within 16 days compared to 19 and 292 days, respectively, for SAST. Even worse, the Contrast Labs research shows vulnerabilities that go un-remediated within the first 30 days tend to linger on—79% of all vulnerabilities and 65% of serious vulnerabilities not remediated within 30 days remain more than 90 days, giving hackers ample time to exploit them.

Understand the Threats to Inform the Solution

Effective risk management requires organizations to weigh the prevalence of a vulnerability against the likelihood of an attack and prioritize remediation efforts accordingly. Contrast Labs’ research uncovered key takeaways that can help companies optimize their AppSec strategy:

  • Cross-site Scripting (15%), Broken Access Control (13%), SQL Injection (6%), and XML External Entities (5%) are the top four serious vulnerabilities in terms of application prevalence.
  • SQL Injection (65%), Broken Access Control (62%), Cross-site Scripting (54%), and Command Injection (51%) are the top four attack vectors.

Open-source Solutions Amplify Risks

As developers increasingly turn to open-source frameworks and libraries to accelerate release cycles, these dependencies create additional security and licensing risks. Not only are there are a lot of moving parts in individual applications—an average of 32 open-source libraries in each—but keeping up with the latest releases and their Common Vulnerabilities and Exposures (CVEs) is also a challenge. In fact, for application using open-source frameworks and libraries, Contrast Labs found an average of four CVEs per application, with three of those rated “high” or “critical.”

“Having continuous, accurate visibility into application vulnerabilities and attacks is critical to making smart decisions about digital transformation,” Williams said. “But legacy outside-in scanning and firewalling are simply unable to keep pace with the velocity of modern software projects. This report confirms what we’ve long been saying: Security instrumentation is the only way to achieve the efficient, effective application security required to protect the business. The data and recommendations in this report can help organizations to focus on the vulnerabilities and attacks that matter.”

To download the full Contrast 2020 Application Security Observability Report and gain access to commentary and insights on how Contrast’s platform can help companies lower their application risk, visit site.

About Contrast Security:

Contrast Security is the world's leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast’s patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production. More information can be found at or by following Contrast on Twitter at @ContrastSec.

For more information:

OutVox for Contrast Security
Tony Keller

1 SAST comparison uses data from “State of Software Security, Volume 9,” Veracode, 2019.
22020 Data Breach Investigations Report,” Verizon, May 2020.
3 SAST comparison uses data from “State of Software Security, Volume 9,” Veracode, 2019.