Bugcrowd announced
the release of the Attack Surface and Vulnerability Management
Assessment survey, completed in partnership with analyst firm Enterprise
Strategy Group (ESG). The research found that 61% of organizations perform
attack surface discovery to keep pace with frequently changing assets and
attack surface expansion, yet fewer than half (40%) of companies
perform continuous attack surface management.
Only one out of five organizations surveyed
qualified as a "leader" in how they execute attack surface and vulnerability
management, while 49% ranked in the second tier as "fast-followers" and 39%
ranked in the bottom tier as "emerging organizations." The survey discovered
several key differences between leaders and other respondents in their strategy
for attack surface and vulnerability management. Of note, nearly three out of
four leaders (72%) perform continuous attack surface management, signaling
that attack surface discovery frequency is a sign of maturity.
Leading Organizations Augment Security Efforts with Crowdsourced Cybersecurity Solutions
Organizations that qualify as leaders recognize
their own limitations and are much more likely to supplement their security
efforts with crowdsourced penetration testing and bug bounty programs than the
fast-followers and emerging organizations. In fact, 59% of leaders use bug
bounty programs to discover previously unknown or undiscovered attack surface,
compared to 43% of fast followers and 34% of emerging organizations.
Furthermore, 41% of leaders plan to use crowdsourced security platforms for
penetration testing over the next 24 to 36 months compared to just 19% of fast
followers and 27% of emerging organizations.
"This research
demonstrates how COVID-19 spurred many organizations to accelerate their
digital transformation efforts, thus increasing the size and complexity
associated with managing their attack surface," said Ashish Gupta, CEO,
Bugcrowd. "One factor really separated the more successful organizations from
the rest of the pack: the leaders clearly lean more heavily on crowdsourced
security solutions to augment their security efforts. This layered approach to
security has significantly strengthened their ability to protect their attack
surface and mitigate vulnerabilities."
Routine Penetration Testing and Attack Surface Discovery Monitoring Distinguish Leaders from Less Mature Organizations
Fast-followers and emerging organizations are
far less proactive in performing attack surface and vulnerability discovery
compared to leaders. For example, 72% of leaders conduct attack
surface discovery on a continual basis, compared to just 52% of fast-followers
and 3% of emerging organizations. Additionally, 59% of leaders perform
penetration testing for vulnerability discovery more often than once per month,
while only 23% of fast-followers and 3% of emerging organizations do so at the
same frequency. However, the less mature companies report higher confidence in
their attack surface and vulnerability discovery tooling and technologies,
demonstrating a lack of awareness of potential risk.
"There is a stark contrast between what the
leaders are doing and what everyone else is doing, and the latter group should
take note of the difference," said Jon Oltsik, Senior Principal Analyst and
Fellow, ESG. "Leading organizations use a diverse combination of tools,
automated processes, and integrated workflows to constantly look for problems
in their attack surface and vulnerability management. They unify efforts across
their organization and are proactive in taking necessary actions to mitigate
any risks they discover. Perhaps most important, leaders are aware of their
limitations and are much more likely to use bug bounties, crowdsourced
penetration testing and other external services."
To uncover security blind
spots and stay ahead of rapidly evolving cybersecurity threats, organizations
across all security maturity levels can embrace crowdsourced cybersecurity to
protect their attack surface and remedy vulnerabilities before they can
be exploited. For more information, download the full report, Attack Surface and Vulnerability Management
Assessment.