July 28, 2022

Top Cybersecurity Statistics for 2024

Threats and attack vectors in cyberspace have continued to evolve and become more sophisticated than ever. If you look at cybersecurity statistics over the last couple of decades, you will find that the number of cyber-attacks has increased, and so has the extent of their damage. For instance, IBM’s Cost of a Data Breach Report 2021 found that the global average cost of a data breach is $4.24 million. This average cost has increased by over 10.61% from $3.79 million in 2015. With an increasing number of users and devices connected to the internet, the potential attack surface will continue to widen.

Overview

These days, organizations invest substantially in implementing security controls and fulfilling compliance obligations. More and more investment is going towards detection capabilities, as opposed to building a security foundation and testing the effectiveness of existing security controls. According to Seemant Sehgal, CEO & Founder at BreachLock, “Offensive security checks are often deployed as an afterthought or entirely forgotten. CISOs often find it difficult to answer if they are secure.” To overcome this, frequent penetration tests that are technology-backed, fast, comprehensive, and easily scalable must become the industry norm.

In 2021, BreachLock realized that intelligence derived from our penetration testing exercises, delivered via our SaaS platform, could be a valuable resource for the entire cybersecurity community, helping organizations benchmark their performance and up their game against cyberattacks. BreachLock’s penetration testing approach (PTaaS) leverages automation and artificial intelligence (A.I.) to build a scalable pentesting experience.

Drawing on an analysis of over 8,000 security tests in 2021, BreachLock has recently published its maiden Annual Penetration Testing Intelligence Report, 2022. In the following sections, we look at the key findings of this report.

1. Web Applications

Web applications have become an integral part of how businesses operate. Our analysis found that critical and high-risk findings accounted for less than 5% of overall findings. However, medium-risk findings accounted for 35% of overall findings. This shows that the number of medium-risk findings per application is considerably higher than the number of high and critical findings. It is alarming that cross-site scripting (XSS) findings account for half of the high-risk findings. The analysis also notes that the average number of days taken to remediate critical findings is 46 days, while the same for high-risk findings is 80 days.

2. Infrastructure

The number of unique critical findings in external infrastructure is lower than in internal infrastructure. This indicates that organizations focus heavily on vulnerabilities in their external infrastructure because of the notion that threats come from external-facing systems. In external infrastructure, the percentages of critical and high-risk findings are 0.07% and 0.32%, respectively. Medium-risk findings accounted for 34.11%, while low-risk findings comprised 65.60% of overall findings. A similar trend was observed in internal infrastructure, where low and medium-risk findings contributed 97.8% of total findings. Critical and high-risk findings were 0.29% and 1.90%, respectively. We have observed that the remediation of a high-risk vulnerability takes around 80 to 104 days on average. Moreover, about 70% of organizations do not have detection and response capabilities.

3. Mobile Applications

Mobile applications have gained increasing acceptance by organizations. Organizations rely on Android and iOS apps to deliver a targeted experience for their audience. For Android apps, critical and high-risk findings accounted for 7.34% of overall findings. For iOS apps, the same figure stands at 4.81%. It is pertinent to note here that less than 15% of the organizations we worked with opted for mobile app pentesting services. Hard-coded credentials, insecure direct object reference, a misconfigured launch mode attribute, insecure data storage, and XML injection are some of the most common vulnerabilities in mobile apps.

4. APIs

Application Programming Interfaces (APIs) offer a seamless experience for users and businesses by connecting one application with another. As APIs grow in popularity, breaches continue to occur due to vulnerabilities in them. Low-risk findings in APIs contributed 76.37% of overall findings, while medium-risk findings accounted for 22.70%. Only 0.93% of overall findings were high-risk. 48% of high-risk findings in APIs are related to missing function-level access control. This vulnerability allows users to perform actions that their access level does not authorize. It directly poses a challenge to the integrity of applications and data, allowing attackers to find and escalate privileges to launch other attacks.

Conclusion

Cybersecurity is a shared responsibility. It is not just about your business and our business. All the stakeholders must unite to make cyberspace a better place to do business. As threats continue to evolve, organizations must understand the bigger picture. Through the First Annual Report on pentesting intelligence, we hope to provide visibility into this big picture. As we continue to help businesses conduct scalable penetration tests, we are committed to helping you find and fix the next cyber breach. The detailed report covers insights according to organizational size and industry. To download our Annual Penetration Testing Intelligence Report 2022, click here.