Security is the result of decisions and actions made by many different people. Every individual
has a part to play, but as digital transformation and DevSecOps adoption accelerates, security and
development teams both take center stage. The struggles and wins of one team increasingly affect
the other. Which is why for this year’s State of Pentesting report, we decided to focus on issues and
stats that are relevant to both security and development teams: to separate these two inextricably
linked groups would only yield a partial picture of the security landscape.
Cobalt is a Pentest as a Service vendor, so we get to directly observe how organizations deal with
vulnerabilities and the challenges threatening their security. One of their most pressing issues?
They don’t have enough people on their teams to handle the workload. Headlines around “The Great
Resignation” continue to populate news feeds, but those working in tech might argue they have
always had to deal with a lack of manpower. We began to suspect things have moved to a critical
tipping point when our 2021 pentesting data started showing results like this:
Æ Teams have been struggling with the same vulnerabilities for 5 years in a row.
Æ Most of the findings we discover are connected to missing configurations, outdated
software, and lack of access management controls—all issues that can start piling when
workloads are getting out of control.
Æ Teams want to fix all of their vulnerabilities, but end up neglecting those that aren’t “Critical”
or “High” risk.
Æ Most findings that get fixed take approximately 14 days to address, but there are situations
where they take 31 days or longer.