Annual cybersecurity reports highlight common vulnerabilities such as XSS, IDOR, and outdated software, emphasizing the importance of properly coordinated testing and proactive remediation. Key trends show decreasing critical findings but ongoing resource challenges and the impact of economic factors on security team capacity. #XSS #IDOR
Key points
- Major cybersecurity vendors publish comprehensive annual reports covering internal security trends, attack techniques, and threat landscapes, typically structured into executive summaries, vulnerability analysis, trends, methodology, and best practices.
- These reports frequently include statistics indicating the most common vulnerabilities uncovered in penetration tests, such as stored XSS, IDOR, and SQL injection, with severity levels ranging from low to critical.
- Across multiple years, server misconfigurations continue to be the dominant issue, accounting for nearly 40% of findings, with notable problems including lack of security headers, outdated SSL/TLS protocols, and banner disclosures.
- Data highlights a decline in critical/high severity findings over recent years, yet approximately 40% of vulnerabilities remain unaddressed, exposing ongoing security gaps, especially in lower-severity issues that can cascade into more severe breaches.
- There is a recurring theme of resource constraints, with many organizations struggling to fix vulnerabilities promptly due to staffing shortages, budget cuts, and coordination issues with development teams, often leading to increased backlogs and security risks.
- Evolution in attack techniques underscores the need for continuous testing and proactive security measures, including properly scoped pentests, documentation, staging environments, and collaborative engagement during assessments for maximum efficacy.
- Global economic pressures, notably layoffs and budget reductions, are impacting security operations, increasing workloads, burnout, and delaying patching and remediations; US teams are more affected than European counterparts.
- Consistent recommendations include strategic planning before penetration tests, precise scoping, environment preparation, fostering collaboration with testers, and leveraging external expertise to navigate resource limitations effectively.
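The server misconfigurations named above (missing security headers, outdated SSL/TLS protocols, banner disclosures) are the kind of low-severity finding that is cheap to check for before a pentest starts. The following audit is an added example, not code from any of the collected reports: it takes a recorded response (negotiated TLS protocol plus response headers) and returns findings with a remediation hint. The sample response, the header list, the one-year HSTS threshold and the severity labels are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what a scanner might record for one host (not real data).
SAMPLE_RESPONSE: Dict[str, object] = {
    "tls_protocol": "TLSv1.0",
    "headers": {
        "Server": "Apache/2.4.29 (Ubuntu)",
        "X-Powered-By": "PHP/7.2.24",
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=300",
    },
}

OUTDATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds
# Header -> remediation hint (assumed baseline set, not an exhaustive list).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "enforce HTTPS; set max-age to at least one year",
    "Content-Security-Policy": "restrict script/style sources to mitigate XSS",
    "X-Content-Type-Options": "set to 'nosniff' to stop MIME sniffing",
    "X-Frame-Options": "set to DENY or SAMEORIGIN (or use CSP frame-ancestors)",
}
BANNER_HEADERS = ("Server", "X-Powered-By")


def audit(response: dict) -> List[Tuple[str, str, str]]:
    """Return (severity, finding, remediation) tuples for one recorded response."""
    findings: List[Tuple[str, str, str]] = []
    # Header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
    proto = response.get("tls_protocol", "")
    if proto in OUTDATED_TLS:
        findings.append(("high", f"outdated protocol {proto} negotiated",
                         "disable SSLv3/TLS 1.0/1.1; allow TLS 1.2+ only"))
    for name, fix in REQUIRED_HEADERS.items():
        value = headers.get(name.lower())
        if value is None:
            # A CSP with frame-ancestors supersedes X-Frame-Options.
            if name == "X-Frame-Options" and "frame-ancestors" in headers.get("content-security-policy", ""):
                continue
            findings.append(("low", f"missing header {name}", fix))
        elif name == "Strict-Transport-Security":
            m = re.search(r"max-age=(\d+)", value)
            if not m or int(m.group(1)) < ONE_YEAR:
                findings.append(("low", "HSTS max-age below one year", fix))
    for name in BANNER_HEADERS:  # version strings in banners are disclosures
        value = headers.get(name.lower())
        if value and re.search(r"\d+\.\d+", value):
            findings.append(("low", f"{name} discloses version: {value}",
                             "remove or genericise the banner"))
    return findings
```

Running `audit(SAMPLE_RESPONSE)` yields one high finding (TLS 1.0) and six low ones, which mirrors the reports' observation that most misconfiguration findings are individually low severity.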
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)