Limited Understanding of Assets, Outdated Testing Cadences, Lack of Technical Talent Main Contributing Factors

SAN FRANCISCO, April 19, 2022 — HackerOne, the world’s most trusted provider of ethical hacking solutions, today released The 2022 Attack Resistance Report that captures IT professionals’ assessments of their cyberattack readiness. The report reveals organizations face a significant gap between what they are able to protect and what they need to protect — coined the attack resistance gap.

The report, compiled from survey responses from enterprise organizations in North America and Europe, investigated four areas critical for organizations to increase their resistance to attack:

  1. An understanding of their attack surface 
  2. The cadence of application testing compared to release cycles
  3. The depth and style of security testing
  4. The availability of technical talent capable of carrying out these tasks 

Overall, organizations had a confidence score of 63% across a composite of these four areas.

"Awareness reduces risk. Only organizations who know their attack resistance gap are equipped to reduce it,” said Marten Mickos, CEO of HackerOne. “We conducted this research to illustrate the problem and show the way toward improvement. Organizations that broaden their scope of testing, and do it continuously, are seeing their attack resistance gap shrink."

One-third of respondents say they monitor less than 75% of their attack surface. Almost 20% of participants believe that over half of their attack surface is unknown or not observable, leaving them vulnerable to external threats, especially as digital transformation and development continue at an accelerated pace.

Additionally, 44% of organizations stated they are not totally confident that they can close the attack resistance gap. The cyber skills shortage compounds the difficulty of protecting the full attack surface: 80% of respondents expressed concern about a lack of available skills and experienced security talent.

The report demonstrates that siloed and insufficient testing of products adds further pressure on organizations, with one-third (33%) citing team silos as the main reason behind shortcomings in security testing and scanning tools. Development, security, and operations teams cite continuously changing requirements and priorities as their top two challenges, alongside technical and security debt in legacy systems. 

The over-reliance on security and scanning tools as a quick fix or a one-size-fits-all approach is also an area of concern. The data also showed that many companies see Attack Surface Management (ASM) as a compulsory security exercise rather than a strategic tool in their overall security plan. Only 22% of companies use ASM solutions to minimize exposed development infrastructure and weak, insecure, or deprecated crypto.

Further details and regional comparisons are available in the report.

Notes to the Editor

The survey conducted by HackerOne polled 800+ company IT executives responsible for security purchasing, across U.S. and European organizations. It aims to understand the impact that evolving application landscapes have on company attack surfaces and help organizations to close the security gap between what businesses own, and what they can protect.

About HackerOne

HackerOne empowers the world to build a safer internet by giving organizations access to the largest global community of highly skilled ethical hackers. Armed with an extensive database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organizations across industries and attack surfaces. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Starbucks, Twitter, and Yahoo. HackerOne was ranked fifth on the Fast Company World’s Most Innovative Companies list for 2020.