Coalfire released its fourth annual Securealities Penetration Risk Report reflecting the results of more than 3,100 penetration tests from nearly 1,600 client engagements in the technology, financial services, healthcare, and retail sectors. The report analyzes enterprise and cloud service providers (CSPs) internal and external attack vectors, application development and mobile app security, social engineering and phishing, and PCI- and FedRAMP®-specific findings, with data segmented by industry and company size. Additional mobile application security analysis was provided by NowSecure.
Coalfire's long-term data shows that cyber risk significantly shifts year over year based on company size, vertical market, and many other factors. Due to a surge of publicized catastrophic breaches, the dominating focus on external risk means that internal threats are allowed to persist. This creates points of weakness that increase the potential for internal exploits from the growing cadre of attackers.
"With high-risk vulnerabilities nearly cut in half since Coalfire's first annual report, the large enterprise is getting smarter about external threats, but falling behind on internal vulnerabilities," said Coalfire CEO Tom McAndrew. "Smaller businesses are doing a better job balancing internal and external risks; however, mid-size companies struggle in the face of complex hybrid environments, heavy compliance demands, and extensive supply chains expanding their attack surfaces."
Web application penetration testing pays off over time
Successful AppSec initiatives are continuous, and no longer point-in-time activities. Results show that organizations that have run testing programs for at least three years saw reduced high-severity findings by 25%.
Financial services organizations are challenged with securing mobile apps
Within Coalfire's application risk data on financial services, high risk was a low 8%. However, NowSecure found that high risk for mobile apps was 37%, meaning mobile apps performed much worse than web or desktop apps.
More than 3,100 penetration tests show security misconfiguration is always the top vulnerability
Year-over-year consistency of the top application vulnerabilities shows that many companies:
Lack an understanding of their own asset inventory.
Continue using legacy systems that expose multiple vulnerabilities.
Have poor cyber hygiene.
Improvements in social engineering test results
For the first time ever, fewer than 50% of companies tested were compromised through social engineering tests, indicating progress in raising employee awareness and lowering the risks of human compromise.
Training gaps threaten FedRAMP Authority to Operate
While overall social engineering results show improvement, a lack of training, particularly around social engineering, accounts for 41% of all FedRAMP vulnerabilities—216% higher than in 2020.
Large CSPs are improving, but still carry the majority of high-risk vulnerabilities
Over the last two years, the large CSPs reduced high-level risk exposure by more than one-third. In contrast, smaller cloud companies saw a 15% increase in the number of vulnerabilities, primarily due to continuing misconfigurations and out-of-date software problems.
"CSPs operate in an industry that acutely depends on strong cybersecurity posture," said Jason Rowland, vice president of penetration testing and cloud services at Coalfire. "As CSPs build the enterprise digital backbone with prioritized risk management, we're seeing significant cyber improvements across not just the tech industry, but the overall economy."