What’s the consensus on the state of web app security, anyway?

Every company is now a software company, a mantra that is arguably more true today than it was 16 months ago due to pandemic-driven digital transformation efforts. But at the same time, this has opened the door to countless hacks, breaches, and cyberattacks.

To make sense of all this, analysts, corporations, and other industry organizations have published countless studies into the current state of software security. A recent Canalys report found that there were more data breaches in 2020 than in the previous 15 years combined, while Synopsys concluded that 84% of codebases contain at least one open source vulnerability. CrowdStrike, meanwhile, released its 2021 Global Threat Report yesterday, noting that 2020 was “perhaps the most active year in memory” for cyberattacks.

While all these various reports shine a light on some of the problems facing software security in 2021, arriving at a meaningful conclusion based on the wealth of data available can be a challenge due to the varying perspectives, methodologies, and inherent biases at play. And that is something that cybersecurity giant F5 and research and data science firm Cyentia Institute strive to tackle with their The State of the State of Application Exploits in Security Incidents report, a multi-source analysis that aggregates findings from multiple prominent industry reports to arrive at a more holistic view of the current state of application security.

The goal, ultimately, is to identify consensus across the research spectrum, while highlighting the inherent challenges of carrying out multi-source analysis for anyone else wishing to produce a similar report in the future.

“So-so” agreement

According to Cyentia Institute, it initially reviewed more than 100 published reports spanning web application attacks and vulnerabilities; general incidents and breaches; and extreme loss cyber events. However, it ultimately used only a subset of those in its eventual analysis, including: Verizon’s Data Breach Investigations Report (DBIR); Trustwave’s 2020 Global Security Report; Veracode’s State of Software Security; Cisco Talos’ Incident Response trends from Winter 2020-21; CrowdStrike’s 2020 Global Threat Report; and Cyentia’s own Information Risk Insights Study 20/20 “Extreme Edition” (IRIS Xtreme), among others.

Cyentia’s IRIS Xtreme report analyzed the 100 largest cyber loss events of the past 5 years, which collectively amounted to $18 billion in financial losses and 10 billion records compromised. Web app attacks came in third place in terms of frequency. Verizon’s DBIR, meanwhile, is an annual report spanning tens of thousands of security incidents; its 2021 report found nearly 5,000 incidents that would fall under the web application security banner, putting it in second place in terms of frequency.

Comparing and contrasting the exact numbers from security reports certainly reveals some differences, but combining data and findings in this way helps paint a picture and arrive at what F5 calls a “so-so” agreement.

“All these data sources and statistics range widely in terms of scope, methods, quality, etc., making it a real challenge to synthesize findings across them,” F5 wrote in a post today. “But there’s ‘so-so’ agreement among them that web application security is a really big deal among really big incidents.”

These so-so agreements extend into the specifics of cybersecurity vulnerabilities. Indeed, the various reports largely came to different conclusions about which types of web application vulnerabilities and attacks were most common, but according to F5 and Cyentia’s report they saw “at least ‘so-so’ agreement among them that [SQL] injection attacks and cross-site scripting rank highest.”

Elsewhere, the report found that 56% of the largest incidents in the past five years relate to some sort of web app security issue, which in turn represents 42% of all financial losses for these “extreme loss” cybersecurity events. Moreover, the average time-to-discovery for web application exploit incidents was 254 days, “significantly higher than the 71-day average among other extreme loss events” identified in studies.

And although we probably knew this already based on recent high-profile breaches, state-affiliated actors were responsible for “57% of all reported financial losses for the largest web application incidents” in the past five years.

What’s most clear from all of this is that drawing meaningful consensus from a diverse range of reports that use different methodologies is incredibly difficult to do. All the researchers and report authors “approach their subject matter with different definitions and assumptions,” Cyentia’s conclusion reads. “Some are focused on incidents as the most intelligible level on which to examine security. Some focus on attacker motivation, or on tactics, techniques and procedures (TTPs). Some focus on vulnerability types.”

If nothing else, on a very broad level this serves as a reminder that companies need to protect their web apps, or as Cyentia notes: “Fix your code; patch your systems; double-up your creds; watch your back(door).”

The full The State of the State of Application Exploits in Security Incidents report is available for anyone to peruse now.
