3 min read time

2019 AppSec Risk Report Key Takeaways

by   in Cybersecurity

The core of Fortify and its mission is around enabling organizations to deliver secure software. Research is at the heart of that core goal. In order to achieve this, the Software Security Research team focuses on: 

Superior Detection

Enabling the Fortify suite of tools with accurate detection of the most severe vulnerabilities across the widest footprint of languages, frameworks, and systems.

Accelerating Remediation

Arming developers with actionable guidance and clear, context sensitive remediation advice that allows them to efficiently neutralize security issues in their applications.

Tip of the Spear

Leading the software security industry with world-class research that builds upon existing work while exploring new vulnerability frontiers.

When it comes to data to research each year for the AppSec Risk Report, Fortify has a massive insight advantage with Fortify on Demand (FoD). 

Fortify on Demand (FoD) platform utilizes the data from 11,000 web applications and 700 mobile applications collected over the course of a year (October 31, 2017 and October 31, 2018) and then anonymized and sanitized vulnerability data.

Application Security Risk Report Insight.png

The Application Security Risk Report for this year is once again loaded with valuable insight and metrics that you don’t want to miss. In the meantime though, here are some of the key takeaways to hold you over until you can crack open a beer or two and dive into the report yourself.

As a fraction of the population, criticality is on the decline:

  • High-severity issues are at the lowest level in four years at 26% (compared to 31% in 2017 and 40% in 2016)
  • Medium-severity increased to 59%, (compared to 48% in 2009)
  • Low-severity vulnerabilities increased to 15% in 2018 (compared to 5% in 2009)

Application Security Risk Report Score.png

Different weaknesses reach new peaks in different years

  • Code execution (2018)
  • XSS (2018)
  • Bypass (2018)
  • CSRF (2018)
  • DDoS (2017)
  • Overflow (2017)
  • Directory Traversal (2017)
  • Memory Corruption (2015)
  • Gain information (2014)
  • SQL Injection (2008)
  • File inclusion (2006)

Application Security Risk Report Top Vendors.png

Severe weaknesses prevalent in majority of applications

50-60% of applications consistently suffer from Input Validation and Representation flaws

Application Security Risk Report Vulnerability.png

Severe weaknesses prevalent in majority of applications

4 out of 5 tested applications had at least one critical or high severity issue.

Application Security Risk Report Severity.png

 Industry standards and legislation provide incomplete security coverage

Specific standards may not provide complete coverage of weaknesses. Sixty-one percent of applications had at least one Critical and High Issue NOT covered by OWASP Top 10.

Application Security Risk Report Issues not covered.png

Compliance blind spots increase: Issues not covered regulatory mapping were up year over year (YOY).

Critical and High Issues NOT covered by OWASP Top 10 were up 12% YOY.

Application Security Risk Report Tested Apps.png

 Open source blind spots increased

Among the top movers in applications with vulnerabilities mapped to the OWASP TOP 10:

A9 Using Components with Known Vulnerabilities had a significant 16% increase.

Application Security Risk Report OWASP Mappings.png


Critical vulnerabilities up 22% YOY in referenced components

87% of the applications inherit a critical severity vulnerability from referenced components—up by 22% since 2017.

Application Security Risk Report Map.PNG

This is part of a blog series pulling out some of the insights from The 2019 Application Security Risk Report. Part one highlighted the 2019 AppSec Risk Report Key Takeaways and part two discussed publicly-disclosed security issues reaching the highest level ever recorded. Part three pointed out that research shows that severe weaknesses are prevalent in a majority of applications. Part four discusses how the research shows reliance on open source components can be risky. Check out the blogs and the report and share your feedback below.


About Micro Focus Fortify.

Fortify offers end-to-end application security solutions with the flexibility of testing on-premises and on-demand to cover the entire software development lifecycle. Complete software security assurance with Fortify on Demand -our application security as a service - integrates static, dynamic and mobile AppSec testing with continuous monitoring for web apps in production.


Application security