Scanning by the numbers: New Invicti report shows more testing means less risk


In a world of relentless cyberattacks, criminals are steadfast in their pursuit of critical money-making data. When buttoning up their web applications and APIs, organizations have to be just as resolute to avoid falling prey to these attacks – and that starts with eliminating and preventing vulnerabilities. The solution here is relentless, accurate, and fully automated security testing. At Invicti, we’ve been repeating that mantra for years, and this time we have the numbers to prove its effectiveness.

The proof comes with the Invicti AppSec Indicator for Spring 2023, where we uncovered just how impactful an increase in security scanning can be for Invicti customers. The data shows that more frequent scanning combined with expanding test coverage translates to reductions in risk, as customers go beyond covering only their business-critical applications to run checks across their entire attack surface. Digging deeper, we also identified some eyebrow-raising trends for vulnerabilities like cross-site scripting (XSS) and remote code execution (RCE) – and a notable jump in scanning cadences in one particular industry. 

Scanning frequency up 50% since 2019

When we compared data spanning from 2019 to 2022, it became clear that Invicti customers are scanning more than ever before, running an average of 73 scans per month. That’s up from about 49 scans per month in 2019. The trend is even more pronounced when we break it down between enterprise customers and small to medium businesses (SMBs), with a 41% increase in scans for enterprises and an even greater 83% jump for SMBs. 

One of the most positive sub-trends we saw related to the increase in scanning frequency is that Invicti customers are now finding fewer severe vulnerabilities per scan. Even as the total number of critical and high-severity vulnerabilities increases yearly, the average percentage of severe flaws discovered per scan decreased by 19% from 2021 to 2022. This points to an overall maturing of application security (AppSec) programs that integrate dynamic application security testing (DAST) throughout the software development lifecycle, helping to reduce risk overall. 

Severe vulnerabilities slightly decreasing in prevalence

When we surveyed a handful of the core vulnerabilities that we monitor year over year, mixed trends emerged for three of the big ones. We were encouraged to see that the prevalence of XSS decreased by 12% from 2021 to 2022 but alarmed by a 40% increase for RCE and a 91% jump for SQL injection. Overall, however, severe vulnerabilities made up a lower percentage of findings, indicating that customers are increasing their adoption of DAST and improving the efficacy of their security programs.

The spike we saw in critical and high vulnerabilities in the last quarter of 2021 through the first quarter of 2022 likely corresponds to an increase in scanning as organizations hunted for Log4Shell in all of their assets. This is a positive trend, as it indicates maturity in the AppSec programs our customers run daily – they were able to pivot and scan their applications quickly once they were alerted about potential security issues with the Log4j library, then they shifted back to business as usual.

Manufacturing steals the show as scan frequencies rise in several industries

With the increase in scanning cadences enabling organizations to find and fix more high-severity and critical vulnerabilities than ever before, we also spotted some promising trends in specific industries. Consumer, Healthcare, and Technology all saw significant increases in scans from 2021 to 2022, which points to more mature security programs as new data privacy and security regulations take hold across the globe. 

The real standout, though, was Manufacturing, which outpaced all other industries threefold in terms of scanning frequency. While research shows that Manufacturing organizations typically spend less of their IT budget on cybersecurity compared to other sectors, we know that many Invicti customers in Manufacturing have mature security programs. The jump in scan frequencies correlates directly with pandemic-driven technological shifts, indicating efforts to secure an industry that is becoming more digitized and connected. Data from Akamai’s latest State of the Internet report confirms this focus, showing that median attacks on the manufacturing industry grew by 76% in 2022 as a result of Internet of Things (IoT) connections and an increase in data collection by the industry. 

Reading data stories

Working on our data-driven spring AppSec Indicator reports is not just about finding meaningful numbers but also about uncovering stories in the data. This year, we’re seeing tales of reactions to global security crises interwoven with more gradual shifts in how our customers are testing and securing their web environments. 

And the moral of the story? As organizations increase scanning frequencies, expand their testing coverage, and adopt security strategies that embed automation and accuracy in their very DNA, they become more secure in the long run. With countless web apps being built every day at breakneck speed, taking a proactive approach that covers every corner of your attack surface is the only reliable way to maintain application security while building a successful digital future.
