This year, we also investigated which web application vulnerabilities can be found reliably through dynamic and out-of-band scanning (“machines”) and which require human expertise to identify manually through black-box penetration testing (“humans”). The report is intended to help security practitioners strategize resource allocation and ascertain value in a results-driven market.
Among the key report takeaways, we observed application security methodologies and tactics are adapting quickly to accommodate DevOps:
More than one-third (37%) of security practitioners stated their companies release code weekly or daily. It’s unsurprising that they are now pentesting more often, with more than half (57%) pentesting at least quarterly.
Misconfiguration leads our top vulnerabilities list for the fourth year in a row, while session management and access control remain persistent problem areas.
Dynamic and out-of-band scanning technologies are improving in scope and quality, requiring pentesters to apply system knowledge to find the design-level vulnerabilities that machines will miss.
We hope this report helps you think strategically about how you invest your application security budget.