Organizations are reporting a strong relationship between security and engineering, with more than three-quarters of respondents (78%) to a new survey highlighting a transition from DevOps to DevSecOps, according to the pentest-as-a-service platform provider Cobalt.io.
The fourth annual State of Pentesting: 2020 report, which explores the state of application security, includes insights from a survey of more than 100 practitioners in security, development, operations, and product roles. Penetration testing, or pentesting, is commonly used to augment a web application firewall.
“As web applications become more complicated and scanners improve efficiency, this report reveals a widespread need for applying security fundamentals to complex problems,” said Vanessa Sauter, security strategy analyst at Cobalt.io, in a statement.
This year’s report also examined which web application security vulnerabilities can be found reliably using machines and which require human expertise to manually identify. It also looked at the most common types of vulnerabilities based on data from more than 1,200 pentests conducted through Cobalt.io’s PtaaS platform.
For the fourth consecutive year, the most common type of vulnerability is misconfiguration, according to the report. The rest of the top five types of vulnerabilities were cross-site scripting; authentication and sessions; sensitive data exposure; and missing access controls.
Application security methodologies are evolving
The survey also found that:
· More than one-third (37%) of respondents release software on a weekly or a daily cadence
· 52% indicate that their organization pentests applications at least quarterly, while only 16% pentest annually or bi-annually
· More than three-quarters (78%) of respondents conduct pentesting to improve their application security posture
· Organizations pentest many different types of applications, and cloud environments continue to present significant risk, particularly with respect to security misconfiguration. More than half (51%) of survey respondents conduct pentesting on Amazon-based cloud environments alone.
· The majority of respondents (78%) reported a strong relationship between security and engineering as organizations are making the transition from DevOps to DevSecOps and embracing an “everyone is a part of the security team” approach.
“As DevOps hastens the pace of software release, data and automation are essential to scaling security,” said Caroline Wong, chief strategy officer at Cobalt.io, in a statement. “With increased demand for pentesting and higher expectations for application security, the relationship between security and engineering hinges on operational efficiency through automation.”
The study also found that both humans and machines bring value when it comes to finding specific classes of vulnerabilities. Humans “win” at finding business logic bypasses, race conditions, and chained exploits, according to the report.
Although machines broadly “win” at finding most vulnerability types when applied correctly, scanning results should be used as guideposts and analyzed contextually, the report said.
Also, there are vulnerabilities that neither humans nor machines can independently find, so they should work together to identify these issues, Cobalt.io advised.
Vulnerability types in this category include:
· authorization flaws (like insecure direct object reference)
· out-of-band XML external entity (OOB XXE)
· SAML/XXE injection
· DOM-based cross-site scripting
· insecure deserialization
· remote code execution (RCE)
· session management
· file upload bugs
· subdomain takeovers
“Whether mitigating security misconfigurations or identifying business logic bypasses, a thorough understanding of system architecture and an ability to think both methodically and creatively proves essential to mitigating the most serious threats to application security,” Sauter stated.
Crafting unique payloads is less important than holistically evaluating the issues that are being propagated in an organization’s applications, Sauter added.
The findings were based on more than 1,200 pentests conducted through the Cobalt.io platform between Jan. 1, 2019 and Dec. 31, 2019, as well as survey responses from more than 100 practitioners in security, development, operations, and product roles regarding application security.