According to a Cobalt.io report, DevOps is being transitioned to DevSecOps by introducing an "everyone is part of the security team" approach.
Companies report a strong relationship between security and engineering. In a new report, more than three quarters of the respondents (78%) highlighted a transition from DevOps to DevSecOps, according to the Pentest as a Service (PtaaS) platform provider Cobalt.io.
The fourth annual State of Pentesting: 2020 report, which examines the state of application security, contains findings from a survey of more than 100 experts in security, development, operations and product roles. Penetration testing, or pentesting, is often used to complement a web application firewall.
"As web applications become more complex and scanners improve efficiency, this report shows that security basics often have to be applied to complex problems," said Vanessa Sauter, security strategy analyst at Cobalt.io, in a statement.
This year's report also looked at which vulnerabilities in web applications can be reliably found by machines, and which require human expertise to identify manually. The most common types of vulnerabilities were also investigated, based on data from more than 1,200 pentests performed on Cobalt.io's PtaaS platform.
According to the report, the most common type of vulnerability is security misconfiguration, for the fourth consecutive year. The remaining most common types were cross-site scripting; authentication and session issues; sensitive data exposure; and missing access controls.
Application security methods continue to evolve
The survey also found that:
· Over a third (37%) of respondents publish software weekly or daily
· 52% say their organization requests pentests at least quarterly, while only 16% do pentests annually or every six months
· More than three quarters (78%) of respondents conduct pentests to improve their application security
· Organizations are testing many different types of applications, and cloud environments continue to pose a significant risk, particularly with regard to security misconfigurations. More than half (51%) of the respondents perform pentesting in Amazon-based cloud environments alone
· The majority of respondents (78%) indicated a close relationship between security and engineering as companies transition from DevOps to DevSecOps and adopt the "everyone is part of the security team" approach
"As DevOps speeds up the speed of software release, data and automation are critical to security scaling," said Caroline Wong, chief strategy officer at Cobalt.io, in a statement. "Given the increasing demand for pentesting and higher expectations for application security, the relationship between security and engineering depends on operational efficiency through automation."
The study also found that both humans and machines add value when it comes to finding certain classes of vulnerabilities. According to the report, people "win" when it comes to finding business logic bypasses, race conditions, and chained exploits.
Although machines, when used properly, "win" on most types of vulnerabilities, scan results should be treated as guides and analyzed in context, the report says.
There are also vulnerabilities that neither humans nor machines can find independently, so they should work together to identify these problems, Cobalt.io advised.
The vulnerability types in this category include:
· Authorization errors (such as insecure direct object reference)
· Out-of-band XML external entity injection (OOB XXE)
· SAML / XXE injection
· DOM-based cross-site scripting
· Insecure deserialization
· Remote code execution (RCE)
· Session management flaws
· File upload vulnerabilities
· Subdomain takeovers
"Regardless of whether mitigating security misconfigurations or identifying business logic bypasses, a thorough understanding of the system architecture and the ability to think both methodically and creatively is critical to mitigating the most serious application security threats," said Sauter.
Sauter added that creating unique payloads is less important than holistically evaluating the problems that are common to a company's applications.
The results were based on more than 1,200 pentests conducted between January 1, 2019 and December 31, 2019 via the Cobalt.io platform, as well as survey responses on application security from more than 100 practitioners in security, development, operations and product roles.