The 2013 Global Application Security Risk Report

Aspect Security has been collecting application security data from our verification efforts, secure coding training programs, and application security program services for over a decade, and sharing it with our clients.

In this report, Aspect reveals the results of extensive application security verification efforts over the past two years. The dataset spans thousands of risks from hundreds of applications, both internal and Internet-facing, across a broad range of organizations, including financial, banking, government, defense, ecommerce, transportation, and more. Organizations should take note of the following important results of our analysis:

  • 98% of applications presented at least one application security risk, while the average application registered 22.4 risks.
  • Authentication and Session Management risks affect 93% of applications and account for 34% of all application vulnerabilities found, making them by far the most prevalent application security risk.
  • Compared to automated tools, manual code review and penetration testing identify significantly more serious authentication, access control, and encryption risks.
  • Secure coding training and eLearning significantly reduce both the prevalence and the severity of the risks discovered in applications.
  • Application security risk profiles are remarkably similar across different industry sectors.

These insights are extracted from thousands of application security risks carefully identified, analyzed, scored, and documented for clients with critical application portfolios. Aspect’s verification efforts are primarily manual code review and manual security testing, and our results shine a light on the dangers of relying on highly automated approaches to application security.