The State of Penetration Testing as a Service
2022 Edition
At Software Secured, we empower software development teams to design, implement and deploy secure software applications. Software Secured has been working closely with software developers for a decade and has developed a few time-tested techniques on how to get busy developers to write secure code.
Software Secured protects fast-growing organizations from costly cybersecurity breaches by providing expert-level penetration testing services. It's called Penetration Testing as a Service (PTaaS), and it's changing the way DevOps teams manage security. We offer testing services that are thorough and tailored to your organization to strengthen your security posture. Since our founding in 2010, we have continued to collect valuable insights from our work to optimize our testing and keep providing a high quality of service to our customers. This report aims to demonstrate the state of full-stack security based on the penetration tests performed by our team in 2021 and 2022.
The State of Penetration Testing as a Service Report is based on the data collected from penetration tests performed between October 2020 and September 2022. The data has been sanitized to remove all identifiable information and used in an aggregated manner for analysis to share the insights with the broader cybersecurity industry. This report is designed for professionals leading security programs in their organization, such as Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs), Security Directors, Security Analysts, and independent consultants. The findings in this report will help these security leaders understand the risk present for modern applications and systems, as well as guide decision making for their own security programs.
This report contains data points from companies of varying sizes, including startups, small, medium, large, and enterprise-level companies. As you read through the report, you will find trends in security maturity and risk dependent on a company's size. Within our report, we define each business size in the following way:
Note that we may reference small-to-medium sized businesses (SMBs) throughout this report, which covers companies in both the "small" and "medium" size ranges listed above.
Additionally, many industries are represented in this report, including: Security, Media, Health Care, Finance, Workforce Management, Asset Management, Communication/News, Data/Analytics, Personal Online Services and Education (Figure 1).
Security and risk management leaders must address and monitor top trends and evolving insights to protect the ever-expanding digital footprint of modern organizations against new and emerging threats in 2023 and beyond.
Across all tests in the last two years, 1 in 3 penetration tests identified at least 1 critical vulnerability. 20% of all found vulnerabilities were critical or high severity and 43% of all found vulnerabilities were medium severity.
Software Secured follows a combination of the CVSS and DREAD scoring systems to rank the severity of vulnerabilities: CVSS v3.1 is used to calculate impact and an implementation of DREAD to calculate risk. For the full Software Secured scoring breakdown, see Appendix A.
Last year, Software Secured saw a big surge in SQL injection vulnerabilities. According to our data, we found 2.5X more SQL injections (SQLi) in 2022 compared to the year prior.
This increase was a big surprise to us. Over the last 5 years we have normally seen a decline in the number of SQLi findings, for several reasons. First, SQLi is a very well known and well understood vulnerability class, and there has been a large push to resolve and mitigate it. Second, modern tech stacks defend against SQLi by default through ORMs and parameterized query APIs. Third, vulnerability scanners have become good at finding low-hanging SQLi, thanks to that same awareness and the wealth of available information on this type of attack.
Why is this happening?
There are various explanations for the large increase in SQLi this year. In the last couple of years there has been a record number of new companies, each trying to scale quickly to capitalize on the digital transformation wave sparked by the COVID-19 pandemic. As these companies race to ship their software, some of the security fundamentals, SQLi among them, have fallen by the wayside. In its 2021 edition, the OWASP Top 10 moved Injection down to third place after it had held first place in the 2010, 2013 and 2017 editions. This may have led development teams to relax and lower their guard with regard to SQLi. Our statistics show that, regardless of notoriety, it is crucial not to forget about attacks like SQLi even though default protections exist. More often than not, those protections can be switched off (a raw-query escape hatch in an ORM, a string-built query in a reporting module) or not followed properly by engineers, opening the door to SQLi again.
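The point that default protections are only as good as their use is easiest to see side by side. The following is an added example, not code from the report: the same login lookup written with string formatting (the pattern a raw-query escape hatch reintroduces) and with bound parameters, run against an in-memory SQLite database seeded with constructed, fictitious users. The two attacker inputs are the classic comment-out and tautology payloads.

```python
"""Added example (not from the original report): a login lookup written the
vulnerable way (string formatting) and the safe way (bound parameters), run
against an in-memory SQLite database seeded with constructed, fictitious
users."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],      # constructed sample rows
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    # The flaw: untrusted input is spliced into the SQL text. This is exactly
    # what an ORM's raw-query escape hatch lets a developer reintroduce on a
    # stack that is otherwise safe by default.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    # Bound parameters: the query shape is fixed before the values are
    # supplied, so a quote in the input can never end the string literal.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # Payload 1: close the string and comment out the password check.
    print(login_vulnerable(db, "alice' --", "wrong"))          # ['alice']
    print(login_safe(db, "alice' --", "wrong"))                # []
    # Payload 2: make the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    print(sorted(login_vulnerable(db, tautology, tautology)))  # ['alice', 'bob']
    print(login_safe(db, tautology, tautology))                # []
```

The safe version needs no input validation to be safe; the driver never lets the values become part of the SQL grammar. That is the property a global control gives you, and the property that is lost the moment someone builds a query with an f-string.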
Cross-site Scripting (XSS) continues to be the most common vulnerability. Although there is more general awareness of XSS in the development community, and although modern tech stacks ship with more default protections, we continue to see XSS on the rise.
What are XSS attacks?
XSS occurs when an attacker supplies a malicious script as input data and the application later writes that data into a page without adequate encoding, so the browser interprets it as HTML markup or script and runs it in the victim's browser. Because the script executes within the vulnerable site's origin, the attacker can act as the victim inside that application (read page content, issue requests with the victim's session, modify the DOM), and the same-origin policy, which would otherwise isolate a third-party script, offers no protection.
How do I prevent it?
XSS is hard to prevent because there are many places in a web application where it can occur. By contrast, a vulnerability such as SQL injection can be largely eliminated by one global control applied across the board, such as parameterized queries or an ORM. Preventing XSS typically requires context-specific output encoding wherever untrusted data is written back to the browser (the HTML body, attribute, URL and JavaScript contexts each need a different encoder), and that may be hundreds of places in an application. Templating engines with auto-escaping and a Content Security Policy reduce the exposure, but neither removes the need to get the encoding right at each sink.
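Why one global encoder is not enough is worth seeing concretely. The following is an added example, not code from the report: one untrusted value written into three sinks. `html.escape()` is the right encoder for the element body, but it does not rescue an unquoted attribute, and on its own it is not enough inside an inline event handler, because the browser HTML-decodes the attribute value before the JavaScript engine sees it. The payloads are constructed, and `go()` is a hypothetical page function.

```python
"""Added example (not from the original report): the same untrusted value
written into three HTML sinks, showing where html.escape() alone is and is
not sufficient.  Payloads are constructed; go() is a hypothetical function."""
import html
import json
import re

# Constructed attacker inputs, one per sink.
PAYLOAD_BODY = "<script>alert(1)</script>"
PAYLOAD_ATTR = "x onmouseover=alert(1)"
PAYLOAD_HANDLER = "'); alert(1); ('"


def js_string_literal(value: str) -> str:
    """Encode for a JavaScript string context: JSON-quote, then \\u-escape the
    characters that could break out of the literal or the enclosing markup."""
    lit = json.dumps(value)
    for ch in "<>&'":
        lit = lit.replace(ch, "\\u%04x" % ord(ch))
    return lit


# 1. Element body: entity encoding is sufficient.
def body_naive(value: str) -> str:
    return f"<p>Hello {value}</p>"                       # XSS: tag is rendered as-is


def body_encoded(value: str) -> str:
    return f"<p>Hello {html.escape(value)}</p>"          # correct


# 2. Attribute: encoding does not help if the attribute is unquoted,
#    because a space ends the value and starts a new attribute.
def attr_unquoted(value: str) -> str:
    return f"<input value={html.escape(value, quote=True)}>"    # XSS: onmouseover handler


def attr_quoted(value: str) -> str:
    return f'<input value="{html.escape(value, quote=True)}">'  # correct


# 3. Inline event handler: the browser HTML-decodes the attribute first,
#    so the inner (JavaScript) context must be encoded before the outer one.
def handler_html_escaped_only(value: str) -> str:
    return '<a onclick="go(\'' + html.escape(value, quote=True) + '\')">x</a>'  # XSS


def handler_js_then_html(value: str) -> str:
    return '<a onclick="go(' + html.escape(js_string_literal(value), quote=True) + ')">x</a>'


def js_the_browser_runs(tag: str) -> str:
    """Simulate the browser: extract the onclick value and HTML-decode it;
    the decoded text is what the JavaScript engine actually executes."""
    raw = re.search(r'onclick="([^"]*)"', tag).group(1)
    return html.unescape(raw)


if __name__ == "__main__":
    print(body_naive(PAYLOAD_BODY), body_encoded(PAYLOAD_BODY), sep="\n")
    print(attr_unquoted(PAYLOAD_ATTR), attr_quoted(PAYLOAD_ATTR), sep="\n")
    print(js_the_browser_runs(handler_html_escaped_only(PAYLOAD_HANDLER)))
    print(js_the_browser_runs(handler_js_then_html(PAYLOAD_HANDLER)))
```

The third case is the one that surprises developers: the HTML-escaped handler looks safe in the page source, yet what the engine runs is `go(''); alert(1); ('')`. Encoding for the innermost context first, then for each enclosing context, is the general rule.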
Software Secured found that, across all industries, an application had 0.9 critical vulnerabilities per year on average, whereas applications at media companies had 3.75 critical vulnerabilities per year, roughly four times the cross-industry average. More frequent penetration testing, delivered through Penetration Testing as a Service, helps identify critical vulnerabilities throughout the year rather than at a single annual checkpoint.
Why are media companies so behind on security, and what makes the media industry so vulnerable to cyber attacks?
The media industry is considered highly fragmented, with a large number of established and new players that are also highly dependent on a large number of extended partnerships, according to researchers.
“In order to securely create and distribute content, the media industry relies on a large number of vendors and partners,” Joel Molinoff, Vice Chairman, Strategic Development Group at BlueVoyant, said via email. “Those vendors comprise an extended attack surface for media companies.”
Competition on customer experience in industries such as media has driven rapid consumer adoption of streaming services, online gaming and virtual reality (VR). These services depend heavily on cloud-based services, Internet of Things (IoT) devices, mobile networks and payment processing that holds valuable personally identifiable information (PII). The resulting attack surface is large, which makes it even more difficult for media companies to thoroughly protect their data.
It is critical for the media industry to put security at the forefront of application development. Security tooling for the cloud environment must cover the whole infrastructure rather than isolated parts of it. Integration points with other services, and features that consume rich or dynamic content, should be scrutinized more heavily and their configurations checked for security weaknesses. Organizations in the industry must verify and vet vendors and third-party libraries frequently, invest in training for their developers, and run frequent penetration tests to ensure that customers' data is secure.
Figure 2: Number of vulnerabilities found, on average, per client of each size.
Across our client portfolio, Software Secured found an average of 31.8 vulnerabilities per client. Within this, large companies had the most, with an average of 45.5 vulnerabilities per client, followed by medium-size and startup companies with an average of 39 and 33.75 findings, respectively.
Midsize companies are significantly more likely to be hit by a data breach or other incidents now than in 2019. One key reason for this shift is the pandemic and new work from home (WFH) adoptions. In reaction, more cybercriminals have stretched their repertoire to include:
Startups who lack financial investment can also be at a larger risk of attack. In the early stages of business growth, companies who fail to prioritize security alongside revenue and product development may find themselves more vulnerable (more so even than an enterprise with a massive attack surface!)
SMBs are more vulnerable than large corporations. Cybercriminals tend to target SMBs because they typically have fewer resources for protection. A vast number of our clients are startups, and many have their first penetration test with Software Secured. Smaller companies tend to prioritize shipping features at the expense of security. They also have fewer security and non-security employees, or delegate IT tasks to employees without proper training or awareness, which leads to a weaker security posture.
The security industry also has a tendency to focus on selling to the enterprise market with expensive and expansive products, thus sometimes neglecting the needs of mid-market companies.
As such, midsize companies are vulnerable because many lack the required security teams, access to expertise, or the security tools needed to defend themselves. As a result, many such businesses are unable to properly safeguard the company.
In the last 2 years, Domain Name System (DNS) misconfigurations have been among the top 3 most common findings (a trend that predates this period). DNS misconfigurations often enable email spoofing. The past 2 years have seen a significant increase in email phishing for various reasons, the main one being the sheer number of people working from home because of the COVID-19 pandemic. Throughout the pandemic, attackers have increasingly targeted the cloud, profiting from the reliance on off-premise work and cloud infrastructure.
DNS remains a prime target for attackers, as it can give them a foothold in networks and a path to data for exfiltration. Organizations have suffered more diverse types of attacks than ever before, showing that cybercriminals are using all the tools at their disposal to exploit both the DNS protocol and misconfigurations of the records that depend on it.
At its core, email spoofing succeeds when a domain's DNS records do not allow receiving mail servers to reject forged mail: a missing or overly permissive SPF record (one ending in +all or ?all), no DKIM signing, or a DMARC record that is absent or set to p=none, which only monitors and never enforces. Security teams therefore need to harden these DNS records alongside their email servers, and to check them for every domain and subdomain that can send mail, not just the primary one.
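The checks above are mechanical enough to script. The following is an added example, not code from the report: an offline assessor for the SPF and DMARC TXT records behind most email-spoofing findings. The domains and records are constructed; in practice you would feed it the TXT answers for `<domain>` and `_dmarc.<domain>` (for instance from `dig +short TXT`).

```python
"""Added example (not from the original report): an offline checker for the
SPF and DMARC TXT records that determine whether forged mail for a domain
can be rejected.  All domains and records below are constructed."""
import re
from typing import Optional

# RFC 7208 terms that cost a DNS lookup; a record may use at most 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record: Optional[str]) -> list[str]:
    """Return a list of weaknesses; an empty list means the record is strict."""
    if record is None:
        return ["no SPF record: any host may send mail claiming to be this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["TXT record is not a valid SPF record (must start with v=spf1)"]
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' passes every sender: SPF provides no protection")
        elif qualifier == "?":
            findings.append("'?all' is neutral: receivers will not reject forged mail")
        elif qualifier == "~":
            findings.append("'~all' is softfail: forged mail is flagged, not rejected, unless DMARC enforces")
    lookups = 0
    for t in terms:
        m = re.match(r"[+\-~?]?([a-z]+)", t, re.IGNORECASE)
        if m and m.group(1).lower() in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the RFC 7208 limit of 10, evaluation returns permerror")
    return findings


def assess_dmarc(record: Optional[str]) -> list[str]:
    """Return a list of weaknesses; an empty list means failures are enforced."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures are never enforced or reported"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["TXT record is not a valid DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: record is invalid and ignored by receivers")
    elif policy == "none":
        findings.append("p=none: monitoring only, forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: forged mail lands in spam; p=reject is the goal")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


# Constructed sample zone data: the TXT record at the apex and at _dmarc.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strict.example": {
        "spf": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strict.example",
    },
    "unconfigured.example": {"spf": None, "dmarc": None},
}


def audit(domain: str) -> list[str]:
    recs = SAMPLE_RECORDS[domain]
    return ([f"SPF: {f}" for f in assess_spf(recs["spf"])]
            + [f"DMARC: {f}" for f in assess_dmarc(recs["dmarc"])])


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, audit(name) or ["OK"])
```

The checker deliberately does not follow `include:` chains or count lookups across them, since that needs live DNS; a real audit should resolve the full chain, because exceeding ten lookups silently turns the SPF result into permerror.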
A denial of service (DoS) attack is an attack meant to slow down, cripple or completely render a server or an application inaccessible.
DoS attacks accomplish this either by flooding the target with more traffic than it can handle or by exhausting a scarce resource with comparatively little traffic: the slowloris attack, for example, opens many connections and sends partial HTTP headers very slowly, tying up every available worker until the server can no longer accept legitimate requests. The ease with which DoS attacks can be launched has made them one of the most pervasive cybersecurity threats modern organizations face. DoS attacks are simple but effective and can do devastating damage to the companies or individuals they target. With one attack, an organization can be put out of action for days or even weeks.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
Multi-vector attacks are getting more diverse. DoS and DDoS attacks have become more effective during the past year as organizations have grown more reliant on online services, with application modernization and cloud migration accelerating significantly. Disruption to services that people rely on in both their professional and personal lives can have a significant impact. These attacks are also becoming more complex and faster, leaving less time for current DoS and DDoS mitigation systems to react, and some get past even well-tuned mitigation solutions. At Software Secured, our focus is on application-level DoS caused by coding flaws, such as unbounded resource consumption on attacker-controlled input, rather than on volumetric floods. This is a less well-known attack vector among developers, which explains the rising number of occurrences we see within applications.
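A coding-flaw DoS needs no flood at all; a single small request can do it. The following is an added example, not code from the report: a handler that decompresses client-supplied data with no output cap, beside a version that bounds the inflated size. The payload is constructed (a few tens of kilobytes that inflate to 32 MiB), and the 1 MiB limit is an assumed value for the endpoint.

```python
"""Added example (not from the original report): an application-layer DoS
from a coding flaw.  Inflating attacker-controlled data without an output
cap lets a small request consume arbitrary memory; the bounded version
stops as soon as the cap is exceeded.  Payload and limit are constructed."""
import zlib

MAX_DECOMPRESSED = 1 * 1024 * 1024   # 1 MiB: assumed ceiling for this endpoint


class PayloadTooLarge(ValueError):
    """Raised when inflating the input would exceed the configured cap."""


def make_bomb(size_bytes: int) -> bytes:
    # Constructed payload: size_bytes of zeros, which deflate shrinks ~1000x.
    return zlib.compress(b"\x00" * size_bytes, 9)


def inflate_vulnerable(data: bytes) -> int:
    # The flaw: the output size is whatever the attacker chose when compressing,
    # so memory use is under the client's control, not the server's.
    return len(zlib.decompress(data))


def inflate_bounded(data: bytes, limit: int = MAX_DECOMPRESSED) -> int:
    # Ask the streaming decompressor for at most limit+1 bytes. Receiving that
    # many proves the payload is over the cap, and memory never grew past it.
    d = zlib.decompressobj()
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise PayloadTooLarge(f"inflated size exceeds {limit} bytes")
    return len(out)


if __name__ == "__main__":
    bomb = make_bomb(32 * 1024 * 1024)
    print(f"payload on the wire: {len(bomb)} bytes")
    print(f"vulnerable handler inflated: {inflate_vulnerable(bomb)} bytes")
    try:
        inflate_bounded(bomb)
    except PayloadTooLarge as exc:
        print(f"bounded handler rejected it: {exc}")
```

The same pattern (bound the work before doing it) applies to the other coding-flaw DoS shapes seen in pentests: unbounded page sizes, regexes with catastrophic backtracking on user input, and recursive parsers with no depth limit.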
As we enter 2023, it is crucial to monitor upcoming trends so your organization can stay ahead of them and go into the new year with security top of mind. The ever-expanding digital landscape continues to shift and drives this year's top cybersecurity trends. The continued growth of hybrid work and of digital business processes in the cloud has introduced new risks, and cyber criminals continue to adopt newer, faster and more sophisticated attacks. Based on the trends seen in previous years, paired with new developments and intelligence within the space, Software Secured has gathered the top trends to watch for in 2023.
Cybersecurity has not always been a priority, but current events have made it an urgent one. Companies of all sizes and maturity levels are falling victim to cyber attacks and data breaches. Large enterprises are experiencing breaches that compromise the personal information of millions of individuals, while SMBs are being targeted as entry points into supply chains and, through them, larger organizations. Third parties have therefore become a growing component of cyber risk.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework, along with compliance certifications and attestations (ISO, SOC, etc.), is becoming the approach the private sector uses to advance its cyber risk management practices. Cybersecurity risk usually extends to all business units, operational units, employees and key third parties. Business-to-business (B2B) companies increasingly cannot close sales without compliance such as SOC 2, ISO 27001, HIPAA and PCI DSS. Penetration testing is a common requirement for earning these certificates and reports.
Alongside growth in compliance demands, there is now generally more market awareness when it comes to penetration testing, which is becoming more of a necessity across the board. There has been a large increase in shifting the security mindset to be more of a business decision than a security or risk decision. This means more C-suite executives are becoming more concerned and involved in organizational security matters.
On top of compliance and market awareness, enterprise customers are streamlining their security questionnaires while making them more in-depth and certificate-driven. This is a large factor in penetration testing becoming more mainstream.
In the agile framework, with stricter timelines and bigger pushes for faster features, there is often not as much time to complete adequate security testing, which can cost developers much more than they may realize. More often than not, developers are under tight deadlines with little place for adequate security testing. Larger companies often integrate automated tools for baseline security testing in the pipeline, but smaller teams see a lot of overhead in doing that due to false positives. Thus, smaller teams skip on security.
Many teams see penetration testing as a way to continuously test their software without the overhead of automated tools. By opting for quarterly penetration testing with access to ongoing re-testing of patched vulnerabilities, teams can speed up the feedback loop between security and development teams. To gain even more speed, development teams need security products and services to be integrated into their development toolset such as Jira, GitHub, etc.
Another reason more frequent testing is on the rise is that software supply chain security is a major risk for the modern enterprise, and requiring ISV vendors to pentest more frequently is one way an enterprise can combat that risk. When vendors are tested frequently and their vulnerabilities are found and remediated faster, there is less room for attacks to succeed.
There are various security risks for companies, but the biggest risk is the long remediation time from when vulnerabilities are discovered to when they are resolved. Most companies sit for several weeks to several months to resolve open vulnerabilities, which leaves ample room for cyber attacks to exploit those exact vulnerabilities.
On average, it takes 8 days for a vulnerability to be weaponized after it is found by a hacker. It takes the average development team around 90 days to patch these issues.
In the case of Log4j (Log4Shell, CVE-2021-44228), the vulnerability was weaponized almost immediately, with new variations appearing after each patch. In 2021, Log4Shell had massive, immediate impacts on companies of all sizes around the world.
Attackers are becoming more advanced and are shortening the time needed to exploit vulnerabilities, and this continues to get faster every day. This trend is something that has already been noticed in 2022, and will only continue to grow in 2023.
This is a good reason to keep re-evaluating your service level agreement (SLA) policies and timelines. SLAs should be tailored to your organization and reflect the amount of sensitive data that could be exposed in an attack. If your application collects sensitive or confidential data, evaluate which timelines are both realistic and suitable for your team. In some organizations the SLAs are driven purely by client contracts or compliance mandates. Standard SLA timelines will not fit everyone, and it is crucial to set SLAs based on your particular situation. In Software Secured's own Vulnerability Management Portal, there is a feature to customize your SLAs based on each project's unique requirements.
The State of Penetration Testing as a Service Report aims to provide visibility so that everyone can understand the bigger picture of the penetration testing and application security landscape. Companies will continue to innovate and push code faster, which will require security testing to grow at a similar pace. In 2023, security will continue to grow and become an integral part of application development. As the cyber landscape continues to expand, there needs to be more focus on security testing in general, as security is becoming less of an IT risk and more of a business risk.
Software Secured is a Penetration Testing as a Service (PTaaS) solution. We help our clients continuously ship secure code through frequent and comprehensive pentesting, often packaged with consulting hours and secure code training. Software Secured continues to reflect our findings with new measures, practices and innovations to keep up with today’s cyber threats, in order to ensure a strong security posture for all of our clients.
info@softwaresecured.com
@SoftwareSecured
1-800-611-5741