Pentesting-as-a-service provider Cobalt in a newly released report found that security teams are grappling with the same five vulnerabilities for the fifth straight year, all overshadowed by an unrelenting shortage of qualified personnel.
Here are the top five vulnerabilities:
- Server Security Misconfigurations.
- Cross-Site Scripting (XSS).
- Broken Access Control.
- Sensitive Data Exposure.
- Authentication and Sessions.
The majority of vulnerabilities stem from not staying on top of configurations, software updates or access management controls, Cobalt said.
The Bigger Picture
Security teams are still struggling to effectively remove and prevent issues that have been present for a comparatively long time. Some are oddly slow to respond to critical vulnerabilities, preferring instead to handle the low-hanging fruit of less threatening issues. Layered on top of these security issues, teams must continuously grapple with a workforce shortage, made worse by the pandemic. They simply do not have enough people to handle the workload, Cobalt found. While security teams have been struggling with workforce issues for some time, the problem has reached a “tipping point,” Cobalt said. The pandemic and the “great resignation” have not helped.
Three key takeaways from the study:
- Nearly every team surveyed has been affected by talent shortages.
- Organizations are losing strength in their security posture and code quality, creating considerable risk of successful breaches.
- Try as they might to retain their talent, organizations are seeing a lot of resignations. More than half of survey respondents are considering quitting their jobs.
In a survey of some 600 cybersecurity and software development professionals and 2,300 pentests in 2021, Cobalt found the following common issues:
- Most of the findings are connected to missing configurations, outdated software, and lack of access management controls. These issues can get worse when workloads are overwhelming.
- How much risk are teams managing? The majority of vulnerabilities we found were lower risk, with 54% classed as “Low” severity and 11% classed as “Informational.” By comparison, 24% were “Medium” and 10% were “High.” Less than 1% were critical.
- Teams want to fix all of their vulnerabilities, but end up neglecting those that aren’t “Critical” or “High” risk. Most findings that get fixed take approximately 14 days to address, but there are situations where they take 31 days or longer. Of particular note, enterprises took seven days to fix informational issues but 21 days to address critical vulnerabilities. By contrast, corporations and SMBs took seven days to fix critical vulnerabilities.
Security Labor Shortage and Code Quality
While security teams are looking to developers for help, development teams are equally dealing with the implications of the labor shortage. Only 7% have been adequately staffed for at least six months and expect to continue that way for the next six, Cobalt wrote in a blog post. The majority (97%) of developers contend that these challenges make it harder to meet critical deadlines for feature launches, and 80% believe that these challenges compromise the quality and security of developers’ code.
“These stressful circumstances can wreak considerable damage, both to organizations and their people,” Cobalt said. “Leadership should take a hard look at what is causing burnout and disillusionment, take stock of their go-to-market priorities versus their teams’ capacity, and consider the daily interactions they have with their colleagues.”
The first step, as with nearly every problem, is to acknowledge that business mechanics have changed and may never return to pre-pandemic expectations. That means the landscape, the rules and the circumstances have likely changed for the foreseeable future. To fix the problem, both security and development teams need access to more resources, particularly more people.
Vulnerability Mitigation and Talent Management: Cobalt Suggestions
Cobalt has broken its suggestions into two groups:
Vulnerability management and remediation.
- Share regular training with teams.
- Review security configurations, access/user matrices, SSL certificates, software versions, and security headers.
- Show leadership how inadequate resources and mounting low-risk findings can link up and turn into much bigger security problems.
- Find vendors who help rather than burden.
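As an added example (not code from Cobalt's report or from this article), the following Python script performs the security-header and software-version part of that review against a captured set of HTTP response headers: it flags recommended headers that are missing or weakly configured and headers that leak a software version. The header baseline, the HSTS minimum of 180 days and the two sample header sets are my assumptions, constructed inline so the check runs offline.

```python
"""Audit HTTP response headers for missing/weak security headers and version disclosure.

Added illustration, not Cobalt's code. The baseline below is an assumed
minimum for an HTTPS web application; adjust it to the site under review.
"""
import re
from typing import Callable, Dict, List


def parse_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent or malformed."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


# Header names are compared case-insensitively; each check returns True when
# the value meets the assumed baseline. 15552000 seconds = 180 days (assumption).
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: parse_max_age(v) >= 15552000,
    "content-security-policy": lambda v: "default-src" in v or "frame-ancestors" in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() not in ("", "unsafe-url"),
}

# Headers that commonly reveal the exact software version in use.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return sorted findings for one response; an empty list means nothing to fix."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, is_ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing: {name}")
        elif not is_ok(lower[name]):
            findings.append(f"weak: {name}: {lower[name]}")
    for name in VERSION_HEADERS:
        # A dotted number in a banner header (e.g. "Apache/2.4.29") discloses the version.
        if name in lower and re.search(r"\d+\.\d+", lower[name]):
            findings.append(f"version disclosure: {name}: {lower[name]}")
    return sorted(findings)


# Constructed sample responses (not captured from any real host).
MISCONFIGURED = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


if __name__ == "__main__":
    for label, hdrs in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for finding in audit_headers(hdrs) or ["no findings"]:
            print("  " + finding)
```

Run against headers saved from a real response (for example the output of `curl -sI` parsed into a dict) and the findings map directly onto the misconfiguration and version-disclosure items in the list above; each finding is low severity on its own, which is exactly the class of issue the report says gets deferred.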
Employee well-being and sustainable recruitment.
- It could be a better strategy to hire less experienced talent and invest more in their training and certifications.
- Review your hiring steps and consider where you can streamline without sabotaging your vetting process.
- Consider pre-recording training sessions that are universal to roles and including them in your onboarding decks.
“We said it at the start: Security is the result of decisions and actions made by many different people,” Cobalt said.