Organisations face a significant attack resistance gap between what they are able to protect and what they need to protect
HackerOne has compiled a report from survey responses from enterprise organisations in North America and Europe, and found four areas critical for organisations to increase their resistance to attack:
- An understanding of their attack surface
- The cadence of application testing compared to release cycles
- The depth and style of security testing
- The availability of technical talent capable of carrying out these tasks
Overall, organisations had a confidence score of 63 per cent across a composite of these four areas.
Marten Mickos, CEO of HackerOne. “We conducted this research to illustrate the problem and show the way toward improvement. Organisations that broaden their scope of testing, and do it continuously, are seeing their attack resistance gap shrink.”
One-third of respondents say they monitor less than 75 percent of their attack surface. Almost 20 percent of participants believe that over half of their attack surface is unknown or not observable, leaving them vulnerable to external threats, especially as digital transformation and development continue at an accelerated pace.
Additionally, 44 percent of organisations stated they are not totally confident that they can close the attack resistance gap. The cyber skills shortage exacerbates their ability to protect the full attack surface — 80 percent of respondents expressed concern about a lack of available skills and experienced security talent.
The over-reliance on security and scanning tools as a quick fix or a one-size-fits-all approach is also an area of concern, the report said.
Data also demonstrated how many companies see Attack Surface Management (ASM) as a compulsory security exercise, rather than a strategic tool in their overall security plan. Only 22 per cent of companies use ASM solutions to minimise exposed development infrastructure and weak, insecure, or deprecated crypto.