What We Learned from the 2023 Pen Testing Report
Fortra’s Core Security recently released its 2023 Pen Testing Report, and there’s plenty to see. In this year’s report, IT decision-makers can learn what their peers are saying about why they pen test, how often they pen test, and whether or not they’re pen testing in-house, among other topics.
Each year, Core Security collects and produces some of the industry’s most relevant data on the state of pen testing today. Here’s a quick overview of what this year’s report has to offer.
Why are your peers pen testing?
When asked, “Why do you pen test?” surveyed security practitioners seemed to be on the right track.
Their top priority was to assess risk and prioritize remediation (69%). Second to that was vulnerability management support (62%). And only after that was the obligation to comply with external cybersecurity policies (58%) or internal policies (40%). A total of 8% test for reasons unspecified.
These results show that, for the most part, teams are being proactive in their approach to enterprise security. They are leveraging available resources to get ahead of hidden threats before attackers can tell them how they fall behind. And even if it’s “just” to comply with established standards, isn’t that why those standards exist in the first place?
So, what are the security concerns companies are so worried about facing? When allowed to select several, respondents listed:
- Ransomware (72%)
- Phishing (70%)
- Misconfigurations (58%)
- International threats (54%)
- Lack of patching (49%)
These were followed by five more categories. Interestingly, more are concerned about malware this year than last, and fewer are worried about phishing.
What’s the hardest part about pen testing?
While invaluable to a company’s security self-awareness, pen testing does come with its set of challenges. When asked to identify theirs, respondents replied with:
- Not enough resources to remediate even if we found the problem (58%)
- Unable to hire sufficient personnel to do the pen testing (in-house) (38%)
- Trouble getting executive buy-in and sponsorship (31%)
- Not enough qualified third parties to do the pen testing (30%)
All of the listed problems center around a lack of resources, and it’s understandable. Vetting an environment for every vulnerability and then exploiting those vulnerabilities takes time. It takes expertise, and it takes those with experience to maximize the time and resources spent – not waste them.
However, those might just be problems companies are willing to face, as their motivation might outweigh the obstacles. An overwhelming majority (73%) stated that pen testing was “Important” to their overall security posture, so chances are they will find a way to pen test even with the above roadblocks.
Since the majority (58%) are also only “Somewhat Confident” in the effectiveness of their posture, it seems that offensive security measures will continue to be employed to shore that up.
In-House vs. Third Party: What’s the trend?
As companies try to mitigate the issue of resource availability, they move between in-house and external pen testing operations.
The benefits of in-house include the ability to pen test any time you choose and to cover a wider range over time. Trained employees can pass on tribal knowledge and become self-sufficient producers in this area, potentially cutting costs and combing through new changes on a more regular basis so there isn’t a lag between external testing times. Results indicate a 7% increase in in-house pen testing measures over last year.
The downside is that pen testing (done right) takes a high level of skill, offensive security capabilities, and expertise. Not everyone can do it, and training whatever force an organization has on hand may cost more (and produce fewer results) than hiring a team of experts out of the gate.
Another benefit of managed (or third-party) penetration testing services is that companies get a fresh set of eyes on the problem. Developers or SOC personnel-turned-pen testers often built the infrastructure themselves and can be prone to familiarity blindness. Hiring a team of outsiders can give a company a more accurate, authentic feel of how their ecosystem would be picked apart by genuine hackers, not just insiders on another round of quality control.
When asked why they utilized external pen testers, companies responded:
- To gain an objective point of view (58%)
- To subject the environment to different skillsets (50%)
- To meet compliance requirements (45%)
- Not enough skilled personnel in-house (38%)
This year’s survey noted a plurality (34%) of in-house teams had between 2-3 years of penetration testing experience, while 24% had between 4-5 years and just under a third (32%) had six years or more.
Conclusion
As organizations grapple with the need for offensive security measures, they must also deal with the complications of a cyber skills shortage and a perpetual strain on resources.
Hiring out can help companies get the most ROI out of any pen testing resources and can supplement efforts in-house. Fortra’s Core Security offers both penetration testing services (for those looking to hire out) and penetration testing software (for those pen testing in-house). Core Impact offers guided exploits that even junior practitioners can perform with ease, providing companies with real-world attack scenarios that bypass the learning curve. The external pen testing services team provides an excellent set of experienced eyes on the ecosystem, making sure the nuances are attended to and no stone goes unturned. Blind spots are common to all, and every organization could benefit from a second look – especially from ones trained in what to look for.
Leveraging these offensive security techniques (and more) can help organizations own their environment and create a security posture trained to be one step ahead of attackers.
To learn more, check out the full 2023 Pen Testing Report from Core Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.