Despite Pen Testing Efforts, Stubborn Vulnerabilities Persist

For those security professionals who work to mitigate enterprise software vulnerabilities, it may often seem like Groundhog Day—patching and mitigating the same types of vulnerabilities over and over again. As a just-released report from crowdsourced penetration testing provider Cobalt found, that sense of déjà vu is not their imagination.

From their database, Cobalt found that the five most common categories of software vulnerabilities have remained the same for four years in a row. And after examining the OWASP Top 10 Vulnerabilities report, Cobalt found that classes of vulnerabilities such as cross-site scripting and issues with access control have been common since 2003, if not longer.

Why? Why have enterprises not been able to eliminate certain flaws, or at least make them much less of a problem and much less frequent? There’s no clear single reason, but Cobalt’s report sheds some light.

The State of Penetration Testing 2021

Cobalt’s annual report, The State of Pentesting 2021, is based on a survey of 601 IT security professionals from the United States, Germany, Austria and Switzerland. Respondents all worked for organizations with 500 or more employees and have experience with penetration testing. The firm also evaluated data from 1,602 real-world pen tests.

Despite the recurring nature of software vulnerabilities, 96% of respondents said that they are, in fact, mandated to follow secure development practices. On average, respondents said that they spotted and fixed 54 vulnerabilities in the previous calendar year. However, 60% reported that they witnessed the same flaws they found and fixed resurfacing later.

Part of the reason for the recurrences could be an incomplete review of their applications. While 78% of survey respondents agreed that pen testing is a high priority, on average, they only conduct pen testing on 63% of their overall application portfolio.

The reasons appear to be primarily about economics. It turns out that 86% of respondents reported it is difficult to find or hire people with the penetration testing skillsets and 58% said they believe penetration testing is too expensive. A sizable 42% said their organization simply doesn’t have the budget for penetration testing.

Right behind economics is the inherent difficulty of penetration testing. According to 61% of respondents, penetration testing is difficult to scope and more than half said that it’s very slow to schedule, with only 22% saying they could schedule such a test within days.

Fixing Critical Vulnerabilities Quickly

The good news is that 93% of those surveyed said their organizations can fix critical vulnerabilities in a timely fashion, while the response to low- or medium-ranked vulnerabilities was described as considerably slower. A quarter of respondents said that their low- and medium-risk vulnerabilities take 60 days or longer to address.

While the majority of respondents said that they can collaborate better with their engineering teams, about half of respondents classified the relationship between security and engineering as strong while 18% indicated that the relationship is neutral. A healthy 30% classified their organization’s security and engineering teams as “intertwined.”

There are areas where survey respondents clearly acknowledged that there’s room for improvement, especially when it comes to automation. About 75% of respondents said that their pen testing findings are remediated manually. Half of the respondents said, not surprisingly, that their engineering teams blamed workflow inefficiencies for some of their lackluster responses.