
5-Year Vulnerability Trends Are Both Surprising and Sadly Predictable

What 5,800+ pentests show us: Companies have been struggling with the same known and preventable security bugs year over year. Bandwidth stands at the heart of the problem.

Cybercrime can seriously disrupt the sustainability and long-term success of a company. Teams want robust security but often struggle to achieve it. Security professionals need insight into emerging trends to pinpoint which vulnerabilities put organizations at the greatest risk, and Cobalt's "State of Pentesting" reports examine how teams can work more efficiently to strengthen security.

The "State of Pentesting 2022" surveyed 602 cybersecurity and software development professionals and analyzed data from 2,380 pentests conducted during 2021 to draw out insights relevant to security and development teams fixing vulnerabilities.

Based on that data, the five most common vulnerability categories in this year's "State of Pentesting" report are:

  1. Server Security Misconfigurations
  2. Cross-Site Scripting (XSS)
  3. Broken Access Control
  4. Sensitive Data Exposure
  5. Authentication and Sessions

Surprisingly — yet predictably — these vulnerability categories have stayed at the top of the list for at least the last five years in a row. They will also be familiar to anyone who knows the OWASP Top 10 list of Web Application Security Risks.

The majority of these findings stem from missing or incorrect configurations, outdated software, and a lack of access management controls: all common and easily preventable security flaws. So what is holding companies back from preventing well-known flaws, and why does this come as a surprise?

Because these flaws are common and appear less threatening, they are often overlooked as teams deal with talent shortages and increased workloads. On its own, each issue might not cause much concern, but together they can build up into more critical situations that are difficult to tackle and remediate.

Security and development teams need more resources and talent to prevent and fix common vulnerabilities. Talent shortages have hurt security programs: teams struggle to maintain security standards, and vulnerabilities are more likely to go undetected and unremediated.

Findings from the "State of Pentesting 2022" point to key strategies organizations can implement for vulnerability management and talent retention.

1. Focus on learning: Give teams the right security training and resources, such as the OWASP Top 10 list and the "State of Pentesting" reports.

2. Review your security configurations: Consistently monitoring access/user matrices, SSL/TLS certificates, software versions, and security headers addresses the top vulnerabilities we see each year.

3. Clearly communicate risk: It's important to show leadership and team members how insufficient resources and open vulnerabilities of all types can turn into much bigger security problems for the broader organization.

4. Outsource to agile vendors: Find vendors who help you to achieve your security goals, integrate well with your systems, and create the right efficiencies to bring to your workflows.
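
The configuration review in tip 2 can be automated. The following Python script is an added example, not code from this article or from Cobalt: it checks a set of response headers against a baseline, computes the days until a certificate's notAfter date, and compares a software banner against a minimum version. The header baseline, the 30-day certificate threshold, the 2.4.58 minimum version and the two sample responses are constructed assumptions for illustration; in practice the headers, notAfter date and banner would come from a live request (for example ssl.SSLSocket.getpeercert()["notAfter"]), and the access/user matrix review is not covered here.

```python
"""Baseline checks for three of the items in tip 2: security headers,
TLS certificate expiry and software version banners.

All inputs below are constructed sample data so the script runs offline;
in production the headers, notAfter date and banner would come from a
real response (e.g. ssl.SSLSocket.getpeercert()["notAfter"]).
"""
import re
import ssl
from datetime import datetime, timezone

# Assumed baseline (not from the article): header -> check on its value.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,  # >= 1 year
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}
# Headers that commonly leak a software version.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def _max_age(value):
    """max-age directive of an HSTS value, or 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit_headers(headers):
    """Findings for one response's headers; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, is_ok in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing header: {name}")
        elif not is_ok(h[name]):
            findings.append(f"weak header: {name}: {h[name]}")
    for name in DISCLOSING_HEADERS:
        if name in h and re.search(r"\d", h[name]):
            findings.append(f"version disclosure: {name}: {h[name]}")
    return findings


def cert_days_left(not_after, now):
    """Days until expiry. not_after uses the getpeercert() notAfter format
    ('Jan 15 00:00:00 2024 GMT'); now is a POSIX timestamp."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def parse_version(text):
    """First dotted version number in a banner as a tuple of ints, or ()."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def version_below(banner, minimum):
    """True only when a version was found in the banner and it is older
    than minimum; an unversioned banner is treated as not known-outdated."""
    found = parse_version(banner)
    return bool(found) and found < parse_version(minimum)


def audit_host(headers, not_after, banner, minimum_version, now, min_cert_days=30):
    """All findings for one host; an empty list means the baseline is met."""
    findings = audit_headers(headers)
    days = cert_days_left(not_after, now)
    if days < min_cert_days:
        findings.append(f"certificate expires in {days:.0f} days")
    if version_below(banner, minimum_version):
        findings.append(f"outdated software: {banner} (minimum {minimum_version})")
    return findings


# Constructed sample inputs. A fixed clock keeps the run repeatable.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Frame-Options": "ALLOWALL",
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
MIN_APACHE = "2.4.58"  # assumed patch floor for the example


def weak_findings():
    return audit_host(WEAK_HEADERS, "Jan 15 00:00:00 2024 GMT",
                      "Apache/2.4.29", MIN_APACHE, NOW)


def hardened_findings():
    return audit_host(HARDENED_HEADERS, "Jun 30 00:00:00 2025 GMT",
                      "Apache", MIN_APACHE, NOW)


if __name__ == "__main__":
    for label, fn in (("weak", weak_findings), ("hardened", hardened_findings)):
        print(f"{label}: {len(fn())} finding(s)")
        for f in fn():
            print("  -", f)
```

Run on the constructed sample, the weak host yields seven findings (three missing headers, a weak X-Frame-Options value, a version-disclosing Server header, a certificate 14 days from expiry and an outdated Apache banner) and the hardened host yields none. Feeding the script from a scheduled job that fetches each host's headers and certificate turns the "consistently monitoring" in tip 2 into a repeatable check rather than a periodic manual review.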

Security and development teams have clearly been struggling with the same vulnerabilities for five years in a row, and although this can come as a surprise, there are steps teams can take to break the trend.

In addition to these tips for vulnerability management and talent retention, security assessments such as pentesting give development teams a further resource for patching vulnerabilities and remediating risk. Pentesting helps defend organizations against vulnerabilities that disrupt operations, reputation, finances, and more.

About the Author

Jay Paz is Cobalt's Senior Director of Delivery. He has more than 12 years of experience in information security and 19+ years of information technology experience, including system analysis, design, and implementation for enterprise-level solutions. At Cobalt, he lays the groundwork for innovation and scale as he oversees operations and day-to-day management for Cobalt's pentester community.