Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.
Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.

The State of Pentesting 2023: How Operational Changes Can Jeopardize Security

The 2023 report taps into data from over 3,100 pentests we did in 2022, and 1,000 responses from security teams in the US, the UK, and Germany.

As we near our 10,000th pentest, today we are proud to publish the fifth edition of our annual research report The State of Pentesting.  

The 2023 report taps into data from over 3,100 pentests we did in 2022, and 1,000 responses from security teams in the US, the UK, and Germany. The results reveal the most prevalent vulnerabilities from 2022 and answer questions like…

  • What did our pentester community find most often in web apps, APIs, networks, and cloud configurations?
  • Which were the highest severity vulnerabilities? And which low-risk issues could chain into larger exploits?
  • How have economic disruptions like reductions in workforce and budgets affected enterprises’ security?
  • What can security teams do to achieve more results with fewer resources?

Let’s dive into the results. 

Which are the most common security issues? 

In 2022, we discovered more than 16,000 findings. The 5 most prevalent issues across all assets include: 

  1. Stored Cross-Site Scripting 
  2. Outdated Software Versions
  3. Insecure Direct Object References (IDOR)
  4. Lack of Security Headers
  5. Insecure Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Protocols

It’s worth noting that two of the three most repetitive flaws — Stored Cross-Site Scripting and Insecure Direct Object References — have the potential for serious damage. Our pentesters marked them frequently as Medium or High severity, meaning they could have a high business impact if exploited. 

How to prevent Cross-Site Scripting?

Any feature that allows user input can be vulnerable, because it gives attackers an opportunity to inject and store malicious content into web applications. To prevent this, Cobalt recommends treating all user-supplied input as untrusted data and accepting input in select locations. We also recommend using a well-known and secure encoding API for input and output encoding, such as the OWASP ESAPI.

How to prevent Insecure Direct Object References (IDOR)? 

This vulnerability can give access to resources via user-supplied input, where attackers bypass authorization by modifying a value of a parameter that points directly to an object in your database. Use per-user or per-session indirect object references. Each time your application uses a direct object reference from an untrusted source, it should also make an access control check to ensure that the user is authorized to access the requested object.

Teams are struggling to maintain security standards due to operational changes

High employee turnover and scant bandwidth still hamstring productivity, with mounting pressure to restructure and cut costs amidst speculation of a downturn. 

In the US, 77% of respondents shared that their department had been directly impacted by company layoffs in the last six months. 63% also shared their budgets had been cut — on average, by 31%. 

In the UK and Germany, fewer teams reported the same struggles — 25% said their security team had been affected by layoffs, and 28% said their budgets had been cut. Does that mean they’re in a much better position to maintain a strong security posture? Not necessarily. Cybersecurity works as a global ecosystem, where one exploit may trigger a domino effect across the supply chain. Looking at the US stats, it’s safe to say the whole system is put under strain. 

And what might that strain be, exactly? Teams affected by organizational changes report unmanageable workloads, challenges in maintaining security standards, as well as monitoring for vulnerabilities. 

76% of teams in the US and 65% in the UK and Germany even went so far as to report that fewer resources had led to backlogs of unaddressed vulnerabilities in 2022, and over 80% of respondents, regardless of geographies, said this problem would worsen in the coming months. It should come as no surprise that teams across the board are planning to either deprioritize or outsource a variety of tasks — 74% in the US plan to outsource more in 2022, while 66% in the UK and Germany are de-prioritizing projects to stay focused on bigger priorities. 

Teams have to make every minute and penny count

These stats confirm that, more than ever before, teams are pushed to achieve more results with much fewer resources. And yet, many reported that they struggle to make the most out of their pentests.

A challenge respondents from all geographies shared was preparing their environment for the pentest. This can be a pivotal component that hinders efficiency and hurts the final result, not to mention cause business disruptions if tests take place in production. 

What can teams do to make every pentest count and extract maximum ROI? The 3rd part of our report shares detailed instructions on how to prepare not just your environment, but also your documentation and colleagues. Download the Pentest Preparation Checklist, or get all the details by downloading The State of Pentesting 2023 Report.

Blog CTA-1


Back to Blog
About Caroline Wong
Caroline Wong is an infosec community advocate who has authored two cybersecurity books including Security Metrics: A Beginner’s Guide and The PtaaS Book. When she isn’t hosting the Humans of Infosec podcast, speaking at dozens of infosec conferences each year, working on her LinkedIn Learning coursework, and of course evangelizing Pentesting as a Service for the masses or pushing for more women in tech, Caroline focuses on her role as Chief Strategy Officer at Cobalt, a fully remote cybersecurity company with a mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of vetted, highly skilled testers. More By Caroline Wong
Is Cybersecurity Stressful? InfoSec Professionals Confess Their Stress at RSA
Too much work in too little time, incomplete picture of vulnerabilities, and AI disrupting the industry — here's what InfoSec professionals shared at our Confess Your Stress wall at RSA.
May 10, 2023