Published Reports

  • Prioritization to Prediction, Vol. 5

    Vulnerability management is often asset-influenced, yet most research focuses purely on the vulnerabilities themselves. This fifth volume of the series shifts the focus to common asset platforms to help teams stay on target. By analyzing over 9 million active assets across nearly 450 organizations, we examine how the specific technical architecture of an environment dictates…

  • 2019 Ripples Across the Risk Surface

    In the modern digital economy, a cybersecurity incident at a single organization rarely stays contained; it spawns “ripple events” that propagate through the supply chain. This report analyzes over 800 multi-party cyber incidents to understand how security failures at one firm generate downstream losses for thousands of others. We move past causal third-party research to…

  • State of Software Security, Vol. 10

    Marking a decade of research, SOSS Volume 10 provides a unique “Then vs. Now” comparison of the application security landscape. While awareness has grown by leaps and bounds, the core problem identified 10 years ago remains: most software is still very insecure. This milestone report focuses on the emerging crisis of “security debt”—the accumulation of aging,…

  • Exploit Prediction Scoring System

    The cybersecurity industry has long struggled with a flood of vulnerabilities that outpaces remediation capacity, leaving defenders to rely on subjective severity scores or incomplete data. This research introduces the Exploit Prediction Scoring System (EPSS), the first open, data-driven framework designed to estimate the probability that a software vulnerability will be exploited in the wild…

  • Prioritization to Prediction, Vol. 4

    What enabling factors allow some vulnerability management programs to achieve higher levels of success than others? This fourth volume represents an analytical first by combining “hard” observational data with “soft” survey results from 100 organizations. We test whether internal program factors—like budget, maturity, and team structure—actually correlate with measurable improvements in remediation performance. The research…

  • The Economic Value of DNS Security

    The Domain Name System (DNS) is a critical component of the Internet, yet it is rarely utilized as a primary security control. This research quantifies the loss avoidance attributable to “protective DNS” (PDNS), or DNS firewalls—a service that processes requests normally but prevents translation for malicious domains. By analyzing five years of breach data, the…

  • Cloud Risk Surface Report

    “Are we safer on-prem or in the cloud?” is an evergreen question that has become more critical as cloud workloads surpass 25% of enterprise totals. This study analyzes 18,000 organizations and five million hosts to provide a definitive data-driven perspective on cloud risk. While the cloud offers immense benefits, the research highlights that these advantages…

  • Internet Risk Surface Report

    Digital Transformation has fundamentally changed organizational dependence upon the internet and interconnected 3rd/4th parties. This report maps and measures the resulting “internet risk surface”—anywhere a firm’s assets, data, or regulatory obligations are observable from the web. By analyzing a dataset spanning thousands of firms, we reveal that an organization’s true attack surface is much larger…