2024 in Penetration Testing

This year in penetration testing, our team raised over 500 vulnerabilities across a wide range of clients and engagement types. With thousands of hours spent on testing (and countless more spent on reporting), our Offensive Security Manager Jamie S. pieced together some statistics to showcase the breadth of our findings for the year, along with aggregated categories for our most common findings.

Average Risk Rating: Medium

With an average risk rating of "Medium" (by CVSS score), our team has identified its fair share of impactful vulnerabilities for our clients, embodying one of our core values: "Make things better".

Our Security Centric TOP 5

Broadly, our five most common finding categories were:

#1 Insecure Configuration

#2 Patch Management

#3 Information Disclosure

#4 Injection

#5 Client-Side Controls

The number of findings in each of these categories goes to show that risks and vulnerabilities don't always present themselves as big-ticket items like RCE, SQL injection and cross-site scripting. By far the most common findings we see are issues with application configuration and patch management.

Trust us: if your application keeps its dependencies up to date, runs on modern frameworks and employs secure configurations, you'll give most pentesters a good run for their money. Fortunately for our clients, we dig deeper than versions and patching; some of our most impactful findings relate to insecure direct object references, client-side control bypasses, business logic bypasses and various injection vulnerabilities.
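To make the "configuration and information disclosure" end of that spectrum concrete, here is an added example (not Security Centric's tooling, and not code from the original article) of the kind of first-pass check a tester runs against HTTP response headers. It audits one response for missing hardening headers, weak cookie attributes and version-revealing banners, and tags each hit with the finding category it would land in. The two header sets and the product names in them are constructed for illustration and do not describe any real engagement or product.

```python
import re
from typing import Dict, List

# Constructed sample response headers (not from any real engagement or product).
# This is the shape of a response that generates "Insecure Configuration" and
# "Information Disclosure" findings.
SAMPLE_HEADERS = {
    "Server": "ExampleHTTPD/1.2.3 (Unix)",
    "X-Powered-By": "ExampleFramework/4.5",
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",
}

# The same response after hardening: banner stripped, browser protections set,
# cookie flagged Secure/HttpOnly.
HARDENED_HEADERS = {
    "Server": "web",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

# Dotted version strings such as 1.2 or 1.2.3 inside a banner header.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def audit_headers(headers: Dict[str, str]) -> List[dict]:
    """Return a list of findings for one HTTP response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[dict] = []

    def add(category: str, severity: str, title: str) -> None:
        findings.append({"category": category, "severity": severity, "title": title})

    # Information disclosure: product/version strings in banner headers. A disclosed
    # version is also the starting point for a patch-management check.
    for banner in ("server", "x-powered-by", "x-aspnet-version"):
        val = h.get(banner)
        if val and VERSION_RE.search(val):
            add("Information Disclosure", "Low", f"{banner} header reveals version: {val}")
        elif val and banner != "server":
            add("Information Disclosure", "Informational", f"{banner} header present: {val}")

    # Insecure configuration: missing transport and browser hardening headers.
    if "strict-transport-security" not in h:
        add("Insecure Configuration", "Low", "Strict-Transport-Security not set")
    if "content-security-policy" not in h:
        add("Insecure Configuration", "Low", "Content-Security-Policy not set")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        add("Insecure Configuration", "Low", "X-Content-Type-Options: nosniff not set")
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        add("Insecure Configuration", "Low",
            "No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # Insecure configuration: session cookie set without Secure / HttpOnly.
    cookie = h.get("set-cookie")
    if cookie:
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                add("Insecure Configuration", "Low", f"Cookie set without {flag} flag")

    return findings


def summarise(findings: List[dict]) -> Dict[str, int]:
    """Count findings per category, the way a report rolls them up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for label, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = audit_headers(hdrs)
        print(f"{label}: {summarise(found)}")
        for f in found:
            print(f"  [{f['severity']}] {f['category']}: {f['title']}")
```

Run against the constructed sample the script reports eight findings, all Low or Informational, which is exactly the profile the article describes: plentiful, easy to fix, and almost all configuration rather than code. The hardened header set produces none.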

What about risk ratings?

Our 500+ findings break down as follows:

Critical: 14

High: 44

Medium: 87

Low: 216

Informational: 142

The number of low and informational findings shows that the majority of vulnerabilities are low-hanging fruit: missed patches or configuration changes that are easy to make. The medium and higher findings (generally) stem from wider-reaching, more complex vulnerabilities.

Contact us!

If you or your organisation is in need of a penetration test, don't hesitate to reach out to our sales team, Ryan Hitchen and Alex F.

Wishing everyone a safe and secure holiday break. To all of our clients, our team is looking forward to working with you all again in the new year.
