To produce the annual “Application Vulnerability Snapshot” report, Synopsys Cybersecurity Research  Center (CyRC) researchers examine anonymized data from commercial software systems and  applications tested by Synopsys Application Security Testing (AST) services. This year’s report  includes data from 4,398 tests conducted in 2021 on 2,711 targets (i.e., software or systems). 

Almost all the tests (95%) were intrusive “black box” and “gray box” tests, including penetration (pen)  tests, dynamic application security testing (DAST), and mobile application security testing (MAST)  analyses.

Black box testing approaches the target’s security state from an outsider’s perspective, whereas gray  box testing simulates an authenticated user with credentials—essentially extending black box testing  with deeper insights. The Synopsys AST services tests probe running applications as a real-world  attacker would, with the goal of identifying vulnerabilities that could then be triaged and remediated  as necessary.

The targets tested were largely web (82%) and mobile (13%) applications, with the remaining 5%  either source code or network systems/applications tests. The industries represented included  software and internet (32%), financial services (26%), business services (18%), manufacturing (7%),  consumer services (7%), and healthcare (6%). The remaining 4% of test targets represented travel  and leisure, education, energy and utilities, and other verticals.