Penetration Testing a Vital Part of Organizational Security, Survey Finds
Identifying and prioritizing high risk security issues is crucial, according to Core Security report.
Note: TDWI’s editors carefully choose vendor-issued press releases about new or upgraded products and services. We have edited and/or condensed this release to highlight key features but make no claims as to the accuracy of the vendor's statements.
Organizations depend on penetration testing as a crucial element in their cyber security programs, according to the 2021 Penetration Testing Report from Core Security, a HelpSystems Company. The report provides visibility into the ongoing pivotal role penetration testing plays as part of a robust security strategy in 2021. Building on last year’s inaugural survey, the report examines the evolution and advancement of the penetration testing field under COVID-19 and offers actionable insights for the cybersecurity community.
Core Security canvassed 300 global cybersecurity professionals from a diverse cross-section of industries, company sizes, job levels, and regions. The report tracks year-on-year changes, trends, challenges, and areas of improvement since the previous survey in 2020.
Organizations rely on penetration testing to reveal security weaknesses and to comply with regulations such as HIPAA and the GDPR. In this year's findings, 99 percent of respondents said penetration testing was at least somewhat important to their compliance initiatives.
The shift to remote work in response to COVID-19 also showed the role penetration testing plays in addressing new security challenges. Of those surveyed, 28 percent reported increasing the number of penetration tests, and 45 percent reported placing greater emphasis on network security tests.
Key Insights
The report highlights several mismatches between attitudes towards the importance of penetration testing and actual day-to-day practice. The value of penetration testing is easily agreed upon: 91 percent of respondents noted that penetration testing is at least somewhat important to their security stance. Respondents carry out penetration testing for three core reasons: to support vulnerability management, to measure security posture, and to meet compliance requirements:
- 74 percent for vulnerability management program support (a 4 percent increase since last year, suggesting that programs are maturing and focusing more on overall risk to the organization)
- 73 percent to measure security posture
- 70 percent for compliance (a 3 percent increase from the 2020 survey, reflecting the growing number of organizations that must adhere to specific industry standards or regulations)
Given drivers such as compliance and remote working, penetration testing shows every sign of remaining a crucial practice for years to come. The report finds that organizations are tailoring their programs to their needs and available resources, using third-party services, penetration testing tools, or dedicated in-house teams, the last of which appear to be on the rise.
However, the report also highlights continued challenges around overconfidence, lack of remediation validation, and inattention to penetration testing findings, which is concerning for the long term, with the majority of respondents still testing only once or twice a year.
Additional insights from the report include:
- Misconfiguration (80 percent), phishing (79 percent), and poor passwords (60 percent) remain the top concerns, consistent with last year's results.
- The mismatch between the belief that penetration testing is critical and the priority it is given appears to have grown. While 91 percent of respondents noted that penetration testing is at least somewhat important to their security stance, organizations continue to struggle to get others to act on the findings of penetration tests: 50 percent of respondents noted this as a major concern, up 4 percent from last year's survey.
- Adding to this mismatch is a 5 percent increase in the confidence respondents expressed in their security posture, indicating that overconfidence remains a common and troubling issue.
- Compliance with external mandates such as HIPAA, PCI DSS, SOX, the GDPR, and the Cybersecurity Maturity Model Certification (CMMC) was one of the primary reasons respondents conducted penetration tests. In fact, 99 percent of respondents reported that penetration testing held some level of importance for their compliance initiatives.
Only one percent of respondents indicated that they don't use any type of penetration testing tool, which underscores how central tooling is to the penetration testing process and how important it is to choose tools that are reliable and effective. The preference appears to be a combination of commercial and open source tools, with 65 percent of respondents indicating that they use both.
For details, visit https://www.coresecurity.com/resources/guides/2021-pen-testing-survey-report