Fourth Annual “The State of Pentesting” Finds Strong Relationship Between Security and Engineering, Accelerating Transition to DevSecOps

Organizations are embracing an “everyone is part of the security team” approach, shifting from DevOps to DevSecOps; Special assessment explores which types of vulnerabilities can be identified by machines versus humans


San Francisco, June 09, 2020 (GLOBE NEWSWIRE) -- Cobalt.io, the first Pentest as a Service (PtaaS) platform, today released findings from “The State of Pentesting: 2020,” which explores the state of application security. The fourth annual report, which includes insights from a survey of more than 100 practitioners in security, development, operations, and product roles, found that more than three-quarters of respondents (78%) reported a strong relationship between security and engineering, highlighting the transition organizations are making from DevOps to DevSecOps. This year’s report also looks at which web application security vulnerabilities can be found reliably using machines and which require human expertise to manually identify, as well as the most common types of vulnerabilities based on data from more than 1,200 pentests conducted through Cobalt.io’s PtaaS platform. For the fourth consecutive year, the most common type of vulnerability is misconfiguration.

“As DevOps hastens the pace of software release, data and automation are essential to scaling security,” said Caroline Wong, Chief Strategy Officer at Cobalt.io. “With increased demand for pentesting and higher expectations for application security, the relationship between security and engineering hinges on operational efficiency through automation.”

Key findings from the report include:

Application Security Methodologies are Evolving as Software Development Hastens

  • More than one-third (37%) of respondents release software on a weekly or a daily cadence.
  • 52% indicate that their organization pentests applications at least quarterly, while only 16% pentest annually or bi-annually.
  • More than three-quarters (78%) of respondents conduct pentesting to improve their application security posture.
  • Organizations pentest many different types of applications, and cloud environments continue to present significant risk, particularly with respect to security misconfiguration. More than half (51%) of survey respondents conduct pentesting on Amazon-based cloud environments alone.
  • The majority of respondents (78%) reported a strong relationship between security and engineering as organizations are making the transition from DevOps to DevSecOps and embracing an “everyone is a part of the security team” approach.


Humans and Machines Both Bring Unique Value to the Table Regarding Finding Specific Classes of Vulnerabilities

  • Humans “win” at finding business logic bypasses, race conditions, and chained exploits.
  • Although machines broadly “win” at finding most vulnerability types when applied correctly, scanning results should be used as guideposts and analyzed contextually.
  • There are vulnerabilities that neither humans nor machines can independently find. Rather, they must work together to identify these issues. Vulnerability types in this category include: authorization flaws (like insecure direct object reference), out-of-band XML external entity (OOB XXE), SAML/XXE injection, DOM-based cross-site scripting, insecure deserialization, remote code execution (RCE), session management, file upload bugs, and subdomain takeovers.


Misconfiguration Is the Most Common Type of Vulnerability* for the Fourth Year in a Row

The top 5 types of vulnerabilities include:

  1. Misconfiguration
  2. Cross-site scripting
  3. Authentication and sessions
  4. Sensitive data exposure
  5. Missing access controls

*Based on more than 1,200 pentests conducted through Cobalt.io’s PtaaS platform.

“As web applications become more complicated and scanners improve efficiency, this report reveals a widespread need for applying security fundamentals to complex problems,” said Vanessa Sauter, Security Strategy Analyst at Cobalt.io. “Whether mitigating security misconfigurations or identifying business logic bypasses, a thorough understanding of system architecture and an ability to think both methodically and creatively proves essential to mitigating the most serious threats to application security. Crafting unique payloads is less important than holistically evaluating the issues that are being propagated in your applications.”

About The State of Pentesting: 2020

The report is written by Caroline Wong, Chief Strategy Officer at Cobalt.io, and Vanessa Sauter, Security Strategy Analyst at Cobalt.io. Findings are based on more than 1,200 pentests conducted through the Cobalt.io platform between January 1, 2019 and December 31, 2019, as well as survey responses from more than 100 practitioners in security, development, operations, and product roles regarding application security, surveyed online between March 17, 2020 and April 14, 2020. To see full findings, view the report here.

About Cobalt.io

Cobalt.io’s Pentest as a Service (PtaaS) platform transforms yesterday’s broken pentest model into a data-driven application security engine. Fueled by a global talent pool of certified pentesters, Cobalt.io’s platform delivers actionable results that empower agile teams to pinpoint, track, and remediate software vulnerabilities. Hundreds of organizations, including the new generation of software companies, now benefit from high-quality pentest findings, faster remediation times, and higher ROI for their pentest budget.

Visit cobalt.io to learn how Cobalt.io is securing apps for companies such as HubSpot, Palo Alto Networks, GoDaddy, Vonage, and Axel Springer, and join us on Twitter and LinkedIn.
