A new study by Cobalt.io shows that there is increasingly strong cooperation between security and engineering. This progress accelerates the transition from DevOps to DevSecOps.

The survey, The State of Pentesting: 2020, looks at the state of application security and draws on insights from more than 100 people working in security, development and operations. Pentesting, short for penetration testing, involves simulated attacks on applications or networks to check for vulnerabilities.

The survey states that 79 percent of those questioned report a strong relationship between security and engineering. Slightly more than half of the respondents said that their organisations pentest their applications every quarter, while only 16 percent pentest their applications annually or biannually.

Organisations pentest many different types of applications, and among these cloud environments continue to pose a significant risk. Slightly more than half of the respondents said they had to pentest Amazon’s cloud environments. Some of the most common vulnerabilities respondents encounter are cross-site scripting, sensitive data exposure and faulty configurations.

Balance between manual and automated pentesting

Although automated pentesting is often the ideal, there are classes of vulnerability that humans have a better chance of detecting, such as business logic bypasses, chained exploits and race conditions. There are also situations where people and software should work together, for example to find authorisation errors, out-of-band XML external entity (XXE) injection, SAML/XXE injection, DOM-based cross-site scripting, remote code execution, subdomain takeovers and more.

“Whether mitigating security misconfigurations or identifying business logic bypasses, a thorough understanding of system architecture and an ability to think both methodically and creatively proves essential to mitigating the most serious threats to application security”, Caroline Wong, chief strategy officer at Cobalt.io said.