Key Findings from BreachLock Pentesting Intelligence Report 2023

This comprehensive report takes an in-depth look into the state of penetration testing, revealing critical security insights across applications, APIs, networks, cloud, DevOps, and IoT as well as key industries and geographies. This includes an analysis of the most exploited OWASP Top 10 categories by industry and asset-specific vulnerabilities.

In this blog post, we will share a summary of findings, observations, and recommendations for the InfoSec and IT communities, all analyzed by BreachLock’s in-house, certified penetration testers and security researchers.

Download your complimentary copy of the BreachLock Penetration Testing Intelligence Report 2023

Revealing the State of Cyber Security Risks with Pentesting Data

BreachLock is a leader in penetration testing services offering automated and human-delivered pentesting services since 2019 to its global client base via an AI-driven SaaS platform. For the second year in a row, BreachLock’s security researchers have collected, anonymized, and analyzed data from over 3000 pen tests conducted from July 2022 to July 2023. Using the BreachLock platform, our AI capability processed and analyzed vast amounts of pentesting data to identify complex patterns, anomalies, and potential security threats with rich contextual insights into the most exploitable points of interest by an attacker.

Security teams are encouraged to use the report to understand the top critical security vulnerabilities as well as the most exploited OWASP Top 10 categories by industry and asset-specific vulnerabilities and recommendations on how to better defend your security ecosystem.

The Growing Importance of Pentesting In 2023

Penetration testing is foundational in a security program and mandated by various compliance standards. Organizations are turning to PTaaS to deal with the accelerating use of the public cloud and expansion of public-facing assets, as well as a growing internal attack surface. Penetration testing is a proactive approach to identifying system vulnerabilities and potential security risks. It involves ethical hackers attempting to exploit weaknesses in a controlled environment and providing organizations with valuable insights to remediate risk and strengthen their security defenses.

As a comprehensive resource, this report provides an in-depth summary of the current state of penetration testing in 2023. Many regulatory frameworks and standards explicitly mandate or strongly recommend regular security assessments, which often include penetration testing, to ensure security controls are effective in defending the security ecosystem. Penetration testing demonstrates that an organization is taking proactive steps to secure its systems and data and is evidence of due diligence in complying with regulatory requirements and maintaining a secure environment for stakeholders, customers, and partners.

Key Findings

The BreachLock report provides a thorough analysis of penetration testing, outcomes, and results, illuminating the most prevalent risks across different industries.

In penetration testing and cybersecurity, a critical finding or critical vulnerability is often referred to as a “high severity” finding or vulnerability.

In most vulnerability assessment and penetration testing frameworks, vulnerabilities are categorized based on their severity levels. These categories can include:

  1. Critical (High Severity) – Vulnerabilities that have a significant potential impact on the security of the system or network. Exploiting these vulnerabilities could result in severe consequences, such as unauthorized access, data breaches, or complete system compromise.
  2. High (High Severity) – Vulnerabilities that pose a serious threat to the security of the system or network. Though they may not be as immediately catastrophic as critical vulnerabilities, they still require urgent attention and mitigation.
  3. Medium (Medium Severity) – Vulnerabilities that have a moderate level of risk associated with them. While they might not pose an immediate and critical threat, they are still important to address to prevent potential future exploitation.
  4. Low (Low Severity) – Vulnerabilities that have a relatively lower risk and impact. These vulnerabilities might not require immediate attention but should still be remediated over time.
  5. Informational (Informational Finding) – Findings that provide valuable information about the system or network but do not necessarily indicate a vulnerability or security risk. These findings can help improve overall security awareness and understanding.

Here are some of the key findings and data-driven insights from the report.

    • Medium Findings dominate: Medium findings are defined as vulnerabilities that could be exploited by a knowledgeable attacker under certain conditions, but the likelihood of exploitation might be lower compared to high or critical findings. However, these types of findings are still important to reduce and remediate. Medium findings accounted for the largest portion of identified vulnerabilities across industries, representing 32% of the overall scope of the report. This highlights the significance of addressing these Medium-risk vulnerabilities promptly to mitigate potential security breaches.
    • OWASP Top 10 Risks: The report maps its findings to OWASP Top 10 categories. The top five categories, aggregated, cover over 85% of the findings and security weaknesses in the report’s full data set. The top 5 risks are Security Misconfiguration, Cryptographic Failures, Broken Access Control, Insecure Design, and Injection. These are the same top five risks that were highlighted in the 2021 OWASP Top 10 update.
    • Speed Prioritized over Security: DevOps teams must drive faster, more secure release cycles to accelerate innovation for their organizations and customers, but this also poses significant risk. Security teams must identify and understand the impact of runtime vulnerabilities in their production environments through routine security testing, while avoiding backlogs, to gain visibility across all stages of the Software Development Life Cycle (SDLC) and mitigate risk.
    • Supply Chain Attacks: Supply chain attacks are critically important because they can have far-reaching devastating consequences for organizations. These attacks target vulnerabilities within the interconnected network of suppliers, vendors, partners, and service providers that support an organization’s operations. Supply chain attacks can provide cybercriminals with access to sensitive and confidential information, including intellectual property, customer data, financial data, and trade secrets, all to be sold on the Dark Web or used for malicious purposes.
    • Industry-specific Findings: The report highlights industry-specific findings, shedding light on the challenges faced by sectors such as Computer Software and Technology, Healthcare, Financial Service Institutions such as banking and FinTech, IT Consulting and Services, and Retail and eCommerce industries. These sectors have unique vulnerabilities, including security misconfigurations, broken access controls, and cryptographic failures. Recommendations tailored to each industry are also provided to address these risks effectively.

Asset Intelligence

The report also provides valuable insights into internal and external assets and associated vulnerabilities. Data includes an assessment of the findings to provide specific observations and recommendations for each asset category, including web apps, mobile apps, APIs, networks, and cloud.

Web Applications

Web applications accounted for the largest portion of assets tested, making up 46% of the findings. The top five overall security issues in web applications were identified as Cross-Site Scripting (XSS), Outdated Software Versions, Insecure Direct Object References (IDOR), Lack of Security Headers, and exposed Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Several OWASP Top 10 vulnerabilities, such as Injection, Arbitrary File Upload, and Cross-Site Request Forgery (CSRF), share a common root cause: lack of input sanitization. Organizations should conduct web application pentesting to ensure these critical vulnerabilities are mitigated; BreachLock’s researchers found that one fix can remediate over 30% of the critical vulnerabilities identified in the web app pentest data.
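The “Lack of Security Headers” finding above is one of the easiest to check for in a defender’s own responses. The following is an added example, not code from the BreachLock report or platform: it parses the header block of a raw HTTP/1.1 response and compares it against a baseline of security headers. The baseline and the strength checks (HSTS max-age of at least one year, a CSP without `'unsafe-inline'`, and so on) are assumptions chosen for the illustration, and the sample response is constructed, not captured from any real host.

```python
"""Audit an HTTP response for commonly missing or weak security headers.

Added illustration. The baseline below and the per-header checks are
assumptions for this example, not values taken from the report.
"""
from typing import Callable, Dict, List


def _hsts_ok(value: str) -> bool:
    # Require max-age >= one year (31536000 s) and includeSubDomains.
    parts = {p.strip().lower() for p in value.split(";")}
    max_age = next((p for p in parts if p.startswith("max-age=")), None)
    if max_age is None:
        return False
    try:
        seconds = int(max_age.split("=", 1)[1])
    except ValueError:
        return False
    return seconds >= 31536000 and "includesubdomains" in parts


def _csp_ok(value: str) -> bool:
    # A policy must at least set default-src and must not allow inline scripts.
    v = value.lower()
    return "default-src" in v and "'unsafe-inline'" not in v


# Header name (lower-cased) -> predicate that returns True when the value is acceptable.
BASELINE: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower()
    in ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a lower-cased dict.

    The status line is skipped; the body after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return which baseline headers are absent and which are present but weak."""
    missing: List[str] = []
    weak: List[str] = []
    for name, check in BASELINE.items():
        if name not in headers:
            missing.append(name)
        elif not check(headers[name]):
            weak.append(name)
    return {"missing": missing, "weak": weak}


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Server: example\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    report = audit_headers(parse_response_headers(SAMPLE_RESPONSE))
    print("missing:", report["missing"])
    print("weak:", report["weak"])
```

Run against the constructed sample, the audit reports Content-Security-Policy and Referrer-Policy as missing, and flags the HSTS header (max-age far below a year) and the non-standard X-Frame-Options value as weak. In practice the same function can be fed the headers returned by any HTTP client for a host you are authorized to assess.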

Networks

Networks were another significant asset category, comprising 34% of the findings. This category can be further divided into external networks (23%) and internal networks (9%). It is observed that the total number of unique Critical findings in external networks is less than in internal networks. This was the same observation made in BreachLock’s 2022 Penetration Testing Report. However, as threats are no longer exclusive to external facing systems, this imbalanced approach indicates an over-emphasis upon external remediation compared to internal remediation of Critical findings. The top Critical finding in networks was related to OpenSSL, while default credentials were identified as the top High finding. These findings emphasize the need for network security measures, including encryption protocols, network segmentation, and the enforcement of strong access controls.

APIs

APIs represent one of the highest attacker entry points for cyber criminals. APIs accounted for 11% of the findings. A notable observation is that Medium and Low-risk findings contributed to over 60% of the overall API-related findings. Security Misconfigurations were found to be the top risk leading to potential API attacks. Organizations should conduct regular security audits and implement proper configuration management practices to ensure the integrity and security of their APIs.

Mobile Applications

The report highlights that mobile penetration testing focused on both Android and iOS applications, with a marginally higher number of Critical and High findings in Android apps. However, both operating systems revealed similar risk scores and vulnerabilities. Organizations must address vulnerabilities related to certificate pinning, which poses a risk of Man-In-The-Middle (MITM) attacks, and misconfigured launch mode attributes, which expose mobile applications to the risk of task hijacking.
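The launch-mode misconfiguration mentioned above is visible in an Android app’s manifest before any dynamic testing. The following is an added example, not code from the report or from any app it tested: it parses an AndroidManifest.xml and flags activities whose task settings are commonly associated with task hijacking. The heuristics are assumptions for this illustration (a `singleTask` activity that keeps the default `taskAffinity`, and any activity with `allowTaskReparenting="true"`), and the sample manifest is constructed; it says nothing about certificate pinning, which is a network configuration rather than a manifest attribute.

```python
"""Flag activity task settings associated with task hijacking in an
AndroidManifest.xml. Added illustration; the checks are heuristics and
the manifest below is constructed, not taken from a real app."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem: ET.Element, name: str, default: Optional[str] = None) -> Optional[str]:
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def find_task_hijack_risks(manifest_xml: str) -> List[Dict[str, str]]:
    """Return one record per activity attribute that the heuristics flag."""
    root = ET.fromstring(manifest_xml)
    risks: List[Dict[str, str]] = []
    for activity in root.iter("activity"):
        name = _attr(activity, "name", "<unnamed>") or "<unnamed>"
        launch_mode = _attr(activity, "launchMode", "standard")
        affinity = _attr(activity, "taskAffinity")  # None means the default (package name)
        reparent = (_attr(activity, "allowTaskReparenting", "false") or "false").lower()

        # Heuristic 1 (assumption): singleTask with the default affinity lets the
        # activity be placed into any task sharing that affinity.
        if launch_mode == "singleTask" and affinity is None:
            risks.append({"activity": name, "issue": "singleTask with default taskAffinity"})

        # Heuristic 2 (assumption): allowTaskReparenting lets the activity move
        # into another task with a matching affinity.
        if reparent == "true":
            risks.append({"activity": name, "issue": "allowTaskReparenting enabled"})
    return risks


# Constructed manifest with one safe and two flagged activities.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <application android:label="Sample">
    <activity android:name=".MainActivity"
              android:launchMode="singleTask"
              android:exported="true"/>
    <activity android:name=".LoginActivity"
              android:launchMode="singleTask"
              android:taskAffinity=""/>
    <activity android:name=".SettingsActivity"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for risk in find_task_hijack_risks(SAMPLE_MANIFEST):
        print(f"{risk['activity']}: {risk['issue']}")
```

In the constructed manifest, `.LoginActivity` passes because it sets an explicit empty `taskAffinity`, while `.MainActivity` and `.SettingsActivity` are each flagged once. The records are intended as review input for a pentester or developer, not as a verdict; an activity may be deliberately configured this way.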

Cloud Environments

Cloud penetration testing accounted for 5% of the findings. The data reveals that 3% of the findings were classified as Critical, while 24% were classified as High findings. This distribution of risk findings reveals that more needs to be done to secure the cloud beyond Critical-scored risks. Organizations should focus on addressing High, Medium, and Low risks found in cloud assets to mitigate potential breaches and maintain the integrity and confidentiality of their cloud environments.

Specific cloud risks related to Access Control-related issues totaled up to 38% of the overall findings, Exposure of Sensitive Data represented 27% of the overall findings, and Encryption of Sensitive Data was revealed in 8% of the findings – all posing additional risk in cloud environments.

Industry Intelligence

The BreachLock Annual Penetration Testing Report 2023 provides insights into the state of penetration testing across various industries, demonstrating the need for organizations to prioritize regular or continuous security control validation. We have summarized some of the key findings below along with the biggest security challenges these industries are facing.

Healthcare

Digital transformation has changed many industries for the better in a post-pandemic world, but nowhere more so than in the healthcare industry. Due to the need to provide services outside of the standard institutional setting, healthcare is extending beyond clinical walls to provide patient care everywhere from pop-up clinics to telemedicine, driving the healthcare technology stack out to the edge. At the same time, this “anywhere” healthcare model carries the highest perceived security risk of any industry, and the biggest impact should a cyberattack occur. New defenses will need to address the increased attack surface, as well as issues of privacy and interoperability, to ensure both the privacy and security of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations.

Within the healthcare industry, the report emphasizes the importance of addressing Critical and High-risk findings to ensure data integrity and patient confidentiality. Medium and Low-risk findings constitute the largest portion, indicating the need for improved web application security, the implementation of SSL certificates, securing APIs, and adopting multilayer security measures. Additionally, readiness for PCI DSS 4.0 compliance should be a top priority to enhance data security in healthcare organizations.

Banking and Financial Services

Financial services institutions (FSIs) are experiencing a great shift in how they conduct business, and it’s called Open Banking. Open Banking is a financial technology term and refers to the use of open APIs that enable third-party developers to build applications and services around the financial institution. Open Banking is the practice of enabling secure interoperability in the banking industry by allowing third-party payment services and other fintech service providers to utilize aggregated and authenticated data, connected via APIs, to give customers more ways to consume their financial data, while also making transactions more secure.

However, the increased use of APIs in all industries has garnered attention from cybercriminals, and APIs have become the most frequent attack vector against enterprise web applications that leads to data breaches.

The Banking and Financial Services industry accounted for 17% of the findings. The data reveals these businesses have significant security and compliance risks to manage. Critical and High-risk findings must be addressed promptly, while Medium and Low-risk findings represent the largest portion. Access control-related issues and exposure of sensitive data are key concerns in this industry, emphasizing the need for encryption mechanisms and secure cloud configurations, such as enabling multi-factor authentication, configuring Identity Access Management (IAM) policies correctly, and securing database instances from public access.

The Banking and Financial Services industry data revealed the following key insights:

      • Critical findings made up only 2% of the total, while High findings constituted 5%.

      • The top three risks on the OWASP Top 10 list, namely Security Misconfiguration, Broken Access Control, and Cryptographic Failures, were prominent for this industry as well.
      • This industry had more findings per organization in both internal and external infrastructure compared to other sectors.
      • Factors such as remote work environments, employee negligence, and third-party risk management were identified as specific challenges.
      • Recommendations include establishing defenses for sensitive data leakage, conducting security awareness training, enforcing third-party security measures, and conducting penetration testing aligned with the organization’s risk tolerance.

Computer Software and Technology

One of the significant cybersecurity challenges facing computer software and technology companies today is the constant struggle to effectively manage and mitigate software vulnerabilities. The software industry faces unique challenges due to the complexity of modern software development, the rapid pace of innovation, and the interconnected nature of software ecosystems. Software vulnerabilities, including coding errors, design flaws, and configuration weaknesses, are exploited by attackers to gain unauthorized access, execute malicious code, or compromise systems. Moreover, keeping software up to date, reliance on third-party components, implementing secure development practices, and dated legacy software that has sat dormant, all contribute to entry points for cyber criminals.

The Computer Software and Technology industry emerged as the most impacted, accounting for 40% of the findings. In this highly competitive sector, the report highlights a slightly higher percentage of High-risk findings compared to other industries. This signifies the need for stringent security measures to protect sensitive customer data and intellectual property. Organizations in this industry must focus on addressing Critical and High-risk findings promptly, while also mitigating Medium and Low-risk vulnerabilities.

The Computer Software and Technology industry data revealed the following insights:

  • Medium findings constituted the largest portion at 32%.
  • The top three risks on the OWASP Top 10 list, including Security Misconfiguration, Broken Access Control, and Cryptographic Failures, were observed.
  • It was noted that the need for faster release cycles is often prioritized over security within this industry, emphasizing the need to strike a balance between speed of innovation and security to minimize risk.
  • Security risk management is critical for businesses in this sector, as breaches within the supply chain can have a severe downstream impact on customers, partners, suppliers, and the public.
  • Recommendations include shifting security practices earlier in the Software Development Life Cycle (SDLC), enforcing third-party supply chain security, and adhering to common criteria certifications.

Recommendations for a Secure Environment

Based on the findings and observations, the BreachLock 2023 report provides actionable recommendations to enhance crucial security practices for organizations across industries. Some key recommendations include:

      • DevOps Integration: Incorporate pentesting to support your Secure Development Lifecycle (SDL) by ensuring that the software developed is inherently secure across all phases of software development through deployment.
      • Enforce Supply Chain Security: Implementing strong third-party security governance is crucial for organizations, especially in the context of the supply chain and its operations. Having a set of third-party security standards that require a certified vendor assessment for all suppliers and vendors associated with your organization, along with comprehensive penetration testing, can help identify and address potential vulnerabilities.
      • Security Awareness Training: Organizations should invest in continuous security awareness programs for employees to reduce the likelihood of human error, such as falling for phishing, and to help prevent the most common security breaches.
      • Adhere to industry certifications: Achieving and maintaining common criteria certifications can provide reassurance and credibility to stakeholders. It showcases a commitment to adhering to industry best practices and strengthening security measures.

Take Action with the 2023 Penetration Testing Intelligence Report

Security leaders and teams are invited to apply these insights to their daily vulnerability management activities. The BreachLock report provides recommendations that security professionals can act upon based on the key findings and current state of cybersecurity. By highlighting the focal areas that organizations need to prioritize, it helps them take the necessary steps toward enhancing their security posture.
