The 2019 State of Pentesting: Cobalt.io Shares Critical Lessons from 1400+ Pentests

Share Article

Data from over 1400 pentests helps breakdown security vulnerability categories and highlights companies’ desire to incorporate DevSecOps

Modern software development approaches like agile and DevSecOps are all about 1) frequent releases with 2) ever evolving features. This rate of development makes it critical for manual security testing to keep pace with releases.

Security thought leaders Caroline Wong and Joe Sechman released a new report this week, The State of Pentesting. Data for this report was gathered from over 150 survey respondents as well as 1400+ pentests performed over the past three years on Cobalt.io’s Pentest as a Service platform.

From this research, Wong and Sechman noticed two key takeaways that are illustrated in this report. First, security misconfiguration continues to be the top vulnerability category, now for the third year in a row. The report shows real-world data on the specific types of security misconfiguration mistakes organizations are making to inadvertently expose their data.

They found that 30.1% of security misconfigurations were in security headers; 28.5% in application settings; 12.7% in encryption settings; 11.5% in server configuration; 9.6% in mobile settings; 4.9% in cloud settings; and 2.9% due to an improper security control. But the highest-risk mistakes, according to this report, are server configuration and application settings.

The other main takeaway is that while most organizations want to conduct more appsec pentesting, costs have historically been prohibitively high. Companies want to pentest at pace with development but half of the organizations say it's too expensive to perform tests on a more regular basis.

“Right now, application security practitioners are trying to figure out how to integrate DevSecOps with the SDLC. Modern software development approaches like agile and DevSecOps are all about 1) frequent releases with 2) ever evolving features. This rate of development makes it critical for manual security testing to keep pace with releases.” - Caroline Wong, Chief Security Strategist at Cobalt.io

Organizations care about security and they want to keep up with product and development but in order for that to happen they need a more agile approach.

Read the full report here: https://resource.cobalt.io/the-state-of-pentesting-2019

About the authors of this report:

Both Wong and Sechman come from extensive security backgrounds. Wong’s practical information security knowledge stems from her experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She has authored several pieces around security metrics and application security. Sechman’s diverse technical background spans web development, systems administration, advanced attack and penetration testing, and enterprise software security research disciplines. Over his career, Sechman has executed hundreds of pentests, authored several publications, contributed to 9 intellectual property disclosures, and is co-inventor of an automated approach to comprehensively discover the attack surface of an application under test.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Julie Kuhrt
Cobalt.io
+1 415-651-7028
Email >
@cobalt_io
Follow >
Visit website