2023年渗透测试报告（英）

2023

PenetrationTesting

Report2023Penetration

TestingReportIntroductionSincepenetrationtestingencompassesagreatvarietyofsecurityassessments,tools,andservices,thereisnosetformulaforthecreationandmaintenanceofapentestingstrategy.For

thosewantingtosuccessfullyincorporatepentestingintotheirowncybersecurityprogram,thiscanpresentachallenge,withnoclearplacetolooktoasaguidingexample.••••In-housepentestingteameffortsandchallengesUsingandselectingthird-partyteamsEvaluatingpentestingtoolsetsIntegratingpentestingwithothersecurityassessmenttoolsWe’ll

showacomparisontotheresultsofthe2022surveyanduncovernewinsights,analyzingthegeneralevolutionandadvancementofthepenetrationtestingfield.In

general,cybersecurityhasbecometiedtoanorganization’sreputation,withabreachhavingthepotentialtoseverelydamagetheirstanding.Unfortunately,thiscancreateanenvironmentinwhicheveryoneisreticenttoshareanyaspectoftheirsecurityjourney.However,

knowledgesharingandanalysisisacriticalpartofdefiningbestpracticesandpresentingaunitedfrontagainstthreatactors.

Withoveradecadeofspecializedexperience,Fortra’sCoreSecuritydevelopedapenetrationtestingsurveyinordertogetabetterpictureofhowcybersecurityprofessionalsareusingpenetrationtestinginthefield,includingpentestingstrategiesandtheresourcesrequiredtodeployasuccessfulpentestingprogram.Nowinitsfourthyear,

thissurveycontinuestotrackyear-over-yearchanges,trends,challenges,andareasofimprovement.

Thedatacollectedprovidesvisibilityintothefullspectrumofpentesting’srole,helpingtodeterminehowtheseservices,tools,andskillsmustevolve.

Thisyear,

we

continuetoseeslightshiftsintherolepenetrationtestingplaysinthecybersecuritylandscapeandidentifyhowbroadertrends,liketheglobaleconomy,caninfluenceitsrole.Theresultsareexploredindetailinthisreport,providingvaluabledataonthefollowingkeyissuesrelatedtopentesting:•Top

securityconcernslikeransomware,phishing,andmisconfigurations•••Testing

frequencyandremediationComplianceconcernsPen

testingindifferentenvironmentsF22023Penetration

TestingReportReasons

for

Pen

TestingOrganizationspentestformultiplereasons,with69%reportingtheyperformpentestsforriskassessmentandremediationprioritization,62%forvulnerabilitymanagementprogramsupport,58%forcomplianceandexternalmandates,and40%forinternalorcompanyspecificmandates(Figure1).Riskassessmentandremediationprioritizationarefoundationaloffensivesecuritypractices,helpingidentifysecurityweaknessesinanITenvironmentanddeterminingwhichhavethemostpotentialforharm.

Thisprovidesguidancefororganizationsonwheretoallocateresourcesformitigation.

Thoserespondentswhoreportedsolelyusingpentestingforriskassessmentandremediationprioritizationmayberelyingonamoreadhocsecurityapproach.However,

riskassessmentisakeycomponentofanyvulnerabilitymanagementprogram,whichisanestablishedstrategyofidentifying,classifying,prioritizing,andremediatingweaknessesinanITenvironment.

Whileapenetrationtestwillalwaysprovidehelpfulinsights,organizationscanachievemorewithaformalizedprogram,inwhichtoolscanworkintandemtoprovidemaximumcoverageandimpact.Externalandinternalmandatesarealsorelatedtooneanother,inthattheybothsetcybersecuritystandardstowhichorganizationsmustadhere.

Thekeydifferenceisthatexternalmandatesaresetbyregulatorybodies,governmentagencies,orsomeotherentitywhileinternalmandatesarecompanyspecific.Becauseexternalmandatesareenforceablebylawandcanimposefinesorotherconsequences,theyaretypicallygivenpriorityoverinternalmandates,whichthedataseemstosuggest.However,

itisstillworthhavinginternalmandates,astheyarewrittenwiththespecificneedsoftheorganizationinmindandoftengobeyondthebaselineofcybersecuritythatissetbyexternalregulations.F32023Penetration

TestingReportReasons

for

Pen

TestingWhydoesyourorganizationperformpenetrationtests?69%62%58%40%8%RiskassessmentandremediationprioritizationVulnerabilitymanagementprogramsupportComplianceorexternalmandatesInternalorcompanyspecificmandatesOtherFigure

1:ReasonsforperformingpenetrationtestsF42023Penetration

TestingReportCommon

Security

ConcernsRansomware(72%),phishing(70%),andmisconfigurations(58%)wereonceagainthetopsecurityconcerns(Figure2)forsurveyrespondents.Accordingto

Verizon’s

2022

Data

Breach

InvestigationsReport,therewasa13%increaseinransomwarebreaches,accountingfor25%ofallbreaches.

Withransomwareonaseeminglyendlessupwardtrajectory,it’s

unsurprisingthatitisthemostcommonconcernthisyear.

Ransomwareisalsocloselylinkedwithphishing,withphishingemailsservingasthenumber

one

deliverymethodforransomwarepayloads.Alloftheseconcernsshareonethingincommon:theinescapablethreatthatemployeesinadvertentlyposetoorganizations.Additionally,unintentionalinternalthreats(54%)werethefourthtopconcern(Figure2).

Thisisalargecategoryofthreatsthatconsistofanyactionsfromemployees,contractors,orthird-partyvendorsthatinadvertentlyresultinsecurityincidents.

Thismayincludemisconfigurations,failuretofollowsecuritypolicies(i.e.strongpasswords,ignoringsoftwareupdates,etc.),orevenlosingone’semployeeIDcard.Thoughpartofthebroadercategoryofunintentionalinternalthreats,misconfigurationswereactuallyaslightlybiggerconcernforrespondents.

Thismaybeduetohowwidespreadthey’vebecome.AsITinfrastructurescontinuetogrowincomplexity,thereisthatmuchmorepotentialforerrorsandoversightsintheconfigurationofhardware,software,ornetworksettings.Unfortunately,misconfigurationsthrowthedoorforattackerswideopen,andwereultimatelyresponsiblefor14%ofallbreachesin2022.Supplychainattacks(44%),inwhichamaliciousactorcompromisesanoutsidepartnerorsuppliertoconductattacksagainstthesupplier’scustomers,canalsooccurasaresultofunintentionalinternalthreats.

Thisstrategyisincreasinglypopularamongstattackers.Infact,the

Verizonreportstatedthat61%ofsystemintrusionincidentsweresupplychainattacks.Unsurprisingly,ransomwareisoften

used

insupplychainattacks,makingtheconcernarounditallthemorejustified.F52023Penetration

TestingReportCommon

Security

ConcernsWhatcommonsecurityrisks/entrypointsareyoumostconcernedabout?2022202380%68%72%70%57%

58%55%54%55%43%49%44%43%29%26%26%25%17%n/an/an/an/aRansomwarePhishingMisconfigu-rationsInternalThreatsInternalThreatsLackofpatchingSupplychaincompromiseWeakpasswordsLackofencryptionLost/stolendevicesOrphanedaccounts(unintentional)

(intentional)Figure

2:CommonsecurityconcernsF62023Penetration

TestingReportGeneral

Pen

Testing

ChallengesFeelingsonthevalueofpenetrationtestingremainthesame,with94%ofrespondentsonceagainnotingthatpenetrationtestingisatleastsomewhatimportanttotheirsecurity(Figure4).ifallappearswell.However,

cybersecurityrequiresconstantappraisalandflexibility,readjustingandpivotingasattackersfindnewtechniques,tactics,andvulnerabilities.

This15%dropcouldreflectthattherealityofthecurrentthreatlandscapeissettingin.Whiletheviewontheimportofpentestingremainedsteady,thereweresomechangesinthechallengesthatarebeingencounteredinpentesting.First,troublegettingaqualifiedthird-partyisnotablyreduced,down15%from2022(Figure3).Pen

testingisarapidlygrowingmarket,withresearchpredictingtoseeamarketgrowthof$2.6

billion

by2030.

Thismeansmorethird-partyserviceofferingstochoosefromeveryyear.

However,

suchgrowthmakesitworthexercisingextremecautionwhenchoosingaserviceprovider,asthequalitywillvarygreatly.Manyfocusonbasic,routineteststhatareperformedwithapentestingtool,packagingitasacustomservice.It’s

criticaltofindapartnerwithexpertsthatcantailortheirtestsforyourneedsandgoals,andevenadviseyouonthedifferenttestingoptions.Therewasalsoaconcerningincreaseinthelackofresourcestoactonthefindingsofapentest,up23%fromlastyear(Figure3).

Whilepentestingisaneffectivemeansofdeterminingthequalityofanorganization’ssecurityandflaggingwhichweaknessesareputtingyoumostatrisk,theonlywaytoimproveyoursecuritypostureistofollowthroughwithactionsthatclosethosesecuritygaps,suchaspatching,reconfiguration,orimplementingnewpolicies.Penetrationtestingshouldnotbeseenasaboxtocheck,butratheramapthatneedstobefollowed.Equallyimportantisrepeatingpentestsaftertheremediationprocesstovalidatethatfixeswereproperlyimplemented.Lastly,whilethe15%dropinsecuritypostureconfidence(Figure3)mayappearconcerningatfirstglance,itisactuallybesttoerronthesideofcautionwhenitcomestocybersecurity.Overconfidenceoftentranslatesintostagnationandrigidity,feelingnoneedtoreevaluateF72023Penetration

TestingReportGeneral

Pen

Testing

ChallengesWhatchallenge(s)doesyourorganizationfacewithyourpenetrationtestingprogram?2022202358%45%38%36%35%31%29%30%12%10%TroublegettingexecutivesponsorshipandfundingfortheprogramInabilitytohireLackofqualifiedthirdpartiestodothetestingLackofresourcestoactonfindings/per-formremediationOtherenoughskilledpersonneltodothetesting(internal)Figure

3:PentestingchallengesF82023Penetration

TestingReportGeneral

Pen

Testing

ChallengesHowimportantispenetrationtestingtoyourorganization’ssecurityposture?20222023Howconfidentareyouinyourorganization’ssecurityposture?2022202376%73%56%53%43%38%21%18%6%

6%6%4%NotimportantSomewhatimportantImportantConfidentSomewhatconfidentNotatallconfidentFigure

4:ImportanceofpenetrationtestingFigure

5:ConfidenceinsecuritypostureF92023Penetration

TestingReportCompliance

and

Pen

TestingRegulationslikeHIPAA,

PCIDSS,SOX,

GDPR,ortheCMMCmandateappropriate

protectionofhighlysensitive

data,

likecredit

cardnumbers,

socialsecuritynumbers,

andotherpersonallyidentifyinginformation.

Pen

tests

are

notonlya

way

to

evaluate

anorganization’ssecurity

posture,

buttheycanalsohelpverify

adherence

to

theseregulations,

proving

to

auditors

orotherauthoritiesthat

mandatedsecurity

measures

are

inplace

orworking

properly.complianceneeds,illustratingtheinfluencecompliancecontinuestohaveonpentestingapproaches.Howimportantispenetrationtestingtoyourcomplianceinitiatives?20222023Thoughtherewasadeclinefromlastyear,

pentestingwasstillatleastsomewhatimportanttocomplianceinitiativesfor93%ofrespondents(Figure6).Interestingly,withanincreaseinthenumberofdataprotectionandsecuritylawsandregulations,pentestneedssurroundingcomplianceonlyseemtobegrowing.41%ofrespondentshaveincreasedthenumberofoverallpentestsinresponsetothesemandates(Figure7).71%62%Complianceinitiativesshownosignsofslowing,either.

TheEuropeanCommission

isrevisingtheGDPRin2023tostreamlinecross-borderinstancesofdataprotectionenforcement.Notonlyareexistingregulationsbeingcontinuallyupdatedtoincorporatenewmeasures,newlawsandregulationsarealsoemerging.For

example,in2022,nearly

every

US

state

putforthcybersecuritybills.Additionally,the2023

National

Cybersecurity

Strategy

includesaproposaltoexpandrequirementsforalloperatorsofcriticalinfrastructure.AccordingtoGartner,threequartersoftheworld’s

populationwillbeunderprivacyregulationsin2023.25%31%Whilesomehadtoincreasethenumberofpentestsinresponsetocomplianceinitiatives,othershadtoshifttheirstrategiesinsomeotherway,

whetheritwasexpandingthescopeoftheirtests(29%),addingmoreinternalstaff(23%),orplacingmoreemphasisoncertaintypesoftests,likewebapplication(35%)orsocialengineering(36%)(Figure7).Only16%ofrespondentsreportedthattherewasnoimpacttotheirpentestingstrategiesasaresultof7%4%ImportantSomewhatimportantNotimportantFigure

6:ImportanceofpenetrationtestingforcomplianceF102023Penetration

TestingReportCompliance

and

Pen

TestingHowhastheincreaseincomplianceregulation/mandatesaffectedyourpentestingstrategyorpriorities?41%36%35%32%29%27%25%23%16%16%4%IncreasedquantityofpentestsoverallMoreemphasisonsocialMoreemphasisonwebMoreBroadenedAddedConductedAddedMoreemphasisonNoimpactOtheremphasisthescopeofadditional

morenarrowly

additionalonnetwork

ourpentests

third-partyscopedpen

internalstaff

IoT

Securityengineering/

application

securitytestsphishing

testspenteststestsTestsFigure

7:ImpactofcompliancemandatesonpentestingstrategiesF112023Penetration

TestingReportPhishingWiththeAnti-Phishing

Working

Groupobservingarecord1,270,883totalphishingattacksinQ3of2022alone,it’s

unsurprisingthatphishingisatopsecurityconcernofrespondents(70%)(Figure2).Howoftendoesyourorganizationconductphishingsimulations?20222023Sincephishingisoneoftheoldestattacktacticsaround,howhasitremainedsopervasive?Ultimately,it’s

thehumanelementofphishingthathaskeptitremarkablyeffective.Peoplereceivesomanymessagesandemailsthatit’s

easytobecomecareless,clickingonlinkswhileyourmindiselsewhere.Othersoverlyrelyonspamfilters,whichattackershavebecomeadeptatevading.Spearphishingtechniqueshavealsoimproved,witheverythingseeminglypersonalizedandappearingsoauthenticthatevenacybersecurityprocouldbefooled.23%Ongoing19%15%23%MonthlyQuarterlyAnnuallyNeverThoughphishingattackswillpersevere,oneofthebestdefensesistokeeppeopleontheirtoes.Runningregularphishingsimulationexercisescanhelpserveasaregularinitiativetokeepusersvigilantandtrainthemtoexercisemoreprecaution.24%25%Withthisinmind,itwasencouragingtoseean8%increaseinmonthlyphishingsimulations(Figure8),whichisagoodcadencetopromoteongoingawareness.Newandexistingregulationshavealsounderscoredthethreatphishingposes,with36%ofrespondentsnotingthatcomplianceinitiativeshaveplacedanincreasedemphasisonsocialengineeringtests(Figure7).

Thismayalsobereflectedinthe16%increaseintheusageofthird-partytestingservicesforsocialengineeringtests(Figure19).20%17%18%16%Withgenerative

AI

makingsophisticatedphishingemailsandtextsthenorm,easywaystospotattackslikespellingandgrammarerrorsmaysoonbecomeathingofthepast.Instead,usersneedtoquestiontheintentoftheemailandwhethertherequestmakessense.Doyouoftenreceiveemailsfromthisperson?Isthishowanapplicationallowsasksyoutoauthenticateyourcredentials?Byrunningroutinephishingsimulationcampaignswithfollowupreportsandtrainings,organizationscanfosteracultureofhealthyskepticism.010

2030

40

50

60

7080

90

100Figure

8:FrequencyofphishingsimulationsF122023Penetration

TestingReportPenetration

Testing

FrequencyResultsforpentestingfrequencyhaveremainedconsistent.Asin2022,themajorityofrespondentsare,atmost,pentestingonlyafewtimesayear.

Whilerunningonetotwopentests(38%)isfarbetterthannothing(14%)(Figure9),itdoesraiseconcernsaboutretesting.Aninitialtestprovidesguidanceonremediation,butaretestiscriticalforensuringthesevulnerabilitieshavebeensuccessfullymitigated.Improperlyapplyingapatchmaynotjustleavethevulnerabilityintact,itcanalsoopennewsecuritygaps.Remediationvalidationshouldnotjustbeleftforthenextyear’s

roundoftesting.However,

whenresourcesarelimited,makingabusinesscaseforretestingmayprovedifficult.

Thisalignswiththefindingofrespondentsencounteringchallengeswiththelackoffollowup(58%)frompentests(Figure3).Howoftendoesyourorganizationpentest?2022202313%Never14%10%DailyWeekly8%7%8%Runningtoofewtestsisn’t

ideal,butrunningdailyorevenweeklypentestsmaybeimpractical,sincetheydorequirethealreadyscarceresourcesoftime,budget,andtalent.Inordertorundailypentests,youwouldneedtohavealargepentestingteam.Eventhen,theywouldlikelyonlybeabletorunsmallerpentestsondifferentpartsoftheinfrastructure—runningalargescopepentesteverysingledaywouldbeadifficultchallenge.However,

though8%ofrespondentsreporteddailypentesting(Figure9),just50%ofthoserespondentshadinternalteamsofmorethanfiveteammembers.For

theother50%,itmaybethattheyareinsteadreferringtothefrequencywithwhichvulnerabilityscansarebeingrun.

Vulnerabilitymanagementsolutionsaretypicallyhighlyautomatedandcaneasilybescheduledtorunonadailybasis,whilepentestingrequiresmoreadvanced11%12%17%20%MonthlyQuarterly42%38%planning.1-2timesayearThoserunningmonthly(12%)orevenquarterly(20%)tests(Figure9)aremorelikelytohaveachievedabalance,havingthemeansfortestingandretestingwithoutplacingastrainonresources.However,penetrationtestingfrequencyisaperfectexampleofwherebestpracticescollidewithrealworldpracticalities.Everysecurityteamwillhavetodeterminetheirneedswhilekeepingresourcesandbudgetsinmind.010

2030

40

50

60

7080

90

100Figure

9:FrequencyofpenetrationtestingF132023Penetration

TestingReportIn-House

Penetration

Testing

EffortsHavingpentestingcapabilitiesin-housecanquicklyexpandpentestingefforts,allowingformorefrequenttestsandcoverageofawiderscopeoftheITinfrastructure.It

alsoensuresthatchangestotheinfrastructurearemoreefficientlyassessedtoensurenewsecuritygapsaren’t

opened.

Thisyearshowsasmallamountgrowthofin-housepentestingefforts,witha7%increasefromlastyearinthenumberofrespondentswhohaveaninternalpentestingteamattheirorganization(Figure10).Curiously,thesizeofpentestingteamsseemstobefluctuating,withteamsbothgrowingandshrinking.

Whilethereisa21%increaseinthenumberofteamswith3-5members,thereisan11%decreaseinthenumberofteamswith1-2membersand10%decreaseinteamsof6ormore

(Figure11).Thedecreaseinlargerteamsmaybeillustrativeofthecybersecurityskillsgap,whichcontinuestopersist.Infact,accordingto(ISC)²’s2022

Cybersecurity

Workforce

Study,thecybersecurityworkforcegaphasgrownmorethantwiceasmuchastheworkforcewitha26.2%year-over-yearincrease.In

afieldwithsomanyjobopenings,itwouldn’tbeuncommonfortheretobemoreturnoverandinstabilityinteamsize.Pen

testingtoolsmaybehelpingoffsettheskillsgap,witha14%increaseinthenumberofrespondentswhocitedthatpentestingtechnologyhasatleastsomeinfluenceonanorganization’sdecisiononhavinganin-houseteam(Figure14).Whiletherewasanincreaseinthenumberofrespondentswithin-housepentestingteams,therewerestillmorerespondentswhoeitherhadlosttheirin-houseteamorneverhadonetobeginwith.Reasonsforthelackofanin-houseteamvary,withtopreasonsbeinginsufficientneed(48%),lackoftalent(36%),andlackoffunding(28%)(Figure13).Interestingly,thereisa12%decreaseinrespondentscitinginsufficientneedforafull-timepentestingteam.Thismayreflectagrowingacknowledgementoftheusefulnessofin-housepentestingteams,orevenpentestingingeneral.F142023Penetration

TestingReportIn-House

Penetration

Testing

EffortsDoyouhaveanin-housepenetrationtestingteam?20222023Howmanydedicatedteammembersdoesyourin-housepenetrationtestingteamhave?2022202353%48%41%41%42%40%37%19%18%14%14%11%14%7%YesNo,butwehaveinthepastNo,we'veneverhadanin-housepenetrationtestingteam1-23-56-10Morethan11Figure

10:In-housepenetrationtestingFigure

11:In-housepentestingteamsizeF152023Penetration

TestingReportIn-House

Penetration

Testing

EffortsWhatistheaveragenumberofyearsofexperienceyourin-houseteamhaswithpenetrationtesting?2022202356%34%32%24%22%19%3%10%1yearorless2-3years4-5years6ormoreyearsFigure

12:Yearsofexperienceofin-housepentestingteamF162023Penetration

TestingReportIn-House

Penetration

Testing

EffortsWhydoesyourorganizationnothaveanin-housepenetrationtestingteam?2022202360%48%36%34%28%

28%30%19%22%19%4%8%LackoffundingNotenoughneedtoemployafull-timepentester/teamLackofexecutivesponsorshipLackoftalent/skillsetLeveragethirdpartiesexclusivelyOtherFigure

13:Reasonsfornothavinganin-housepentestingteamF172023Penetration

TestingReportIn-House

Penetration

Testing

EffortsHowdoespenetrationtestingtechnologyinfluenceyourorganization’sdecisiontohaveornothaveanin-housepenetrationtestingfunction?2022202347%46%37%32%21%17%StronginfluenceSomeinfluenceNoinfluenceFigure

14:InfluenceofpentestingtechnologyF182023Penetration

TestingReportThird-Party

ServicesThird-partypentestingteamsremainapopularresource,with78%ofrespondentsleveragingthird-partyteamsinsomecapacity(Figure18).However,

therewasanoteworthyshiftindicatinganincreasedpreferenceforin-housetesting,witha16%dropinthosewhousedmostlyorexclusivelythird-partyservicesanda13%increaseinthosewhouseallormostlyin-housetesting(Figure18).

Thoughmanyassumeanin-houseteamismeantasareplacementforthird-partyservices,organizationsshouldideallyuseboth,soitwaspromisingtoseeevenamodest5%increaseinthosewhohaveanevensplitbetweenin-houseandthird-party.Lastly,thoughtheyareusedmostoftenfornetwork(81%)andapplication(65%)testing,itisworthpointingoutthatthird-partiesareutilizedby36%ofrespondentsforphysicalpentests(Figure19).Thesetestsinvolveattemptingtogainentrytoaphysicalfacility,system,ornetworkthroughtheexploitationofweaknesseslikedoors,locks,cameras,orotheraccesscontrols.Suchassessmentscanonlybecompletedbythird-parties,furtherhighlightingtheuniqueservicestheycanprovide.Whatmakesanevensplitideal?

Whileaninternalpentestingteamcanprovideregular,standardizedtesting,theyalsobecomequitefamiliarwiththeenvironmentthatthey’reassessing.

Thetopreasonthird-partyservicesaresolicitedisbecauseoftheirexternal,objectivepointofview(58%)(Figure15).Additionally,sincethird-partyteamsarefullyimmersedspecialiststhatcanstayuptodateonthelatesttrendsandtechniques,theyarealsofrequentlyutilizedtoapplydifferentskillsets(50%).

Wantinganimpartialassessmentandadiversityofskillsmayalsobeareasonforwhy76%oforganizationstendtochangeservicesatleastevery2-3years(Figure17).Therewasa13%dropintheuseofthird-partyservicesforcompliance.Asmentionedearlier,complianceregulationsareexpandinginnumberandcomplexity,sothismaybemoreofareflectionofteamsmanagingtheircomplianceneedsinternallyratherthanoutsourcing.Manyfalselyassumethatinordertomeetcomplianceneeds,third-partytestingisrequired.However,

thistypicallyisnotthecase.In

fact,PCIDSS,whichhassomeofthemostexplicitrequirementsforpentesting,doesnotstatethatathird-partytestisnecessary.Someorganizationsfindthird-partyservicesidealfordeterminingcomplianceneedsandobtainingstrategicsupportwithinitialtests.

Theythenusepentestingtoolstomaintaincompliance.F192023Penetration

TestingReportThird-Party

ServicesWhydoesyourorganizationutilizethird-partypenetrationtesters?2022202363%58%58%56%50%45%38%32%6%4%Togainanexternal,objectivepointofviewTomeetcompliancerequirementsToapplydifferentskillsetstotheenvironmentNotenoughskilledpersonnelinternallytodothetestingOtherFigure

15:Reasonsforutilizingthird-partypentestingservicesF202023Penetration

TestingReportThird-Party

ServicesHowoftendoyouconductthird-partypenetrationtests?2022202355%54%22%19%7%7%8%12%12%

5%3%4%OngoingMonthlyQuarterlyAnnuallyEvery2-3yearsEvery3+yearsFigure

16:Frequencyofthird-partypentestsF212023Penetration

TestingReportThird-Party

ServicesHowoftendoyouchangewhichthird-partypentestingserviceyouworkwith?2022202341%24%20%23%18%14%14%12%Never,weusethesameoneeverytimeEvery2-3yearsAnnuallyEverypentestweconductFigure

17:Rotationfrequencyofthird-partypentestingservicesF222023Penetration

TestingReportThird-Party

ServicesWhatisthecurrentsplitbetweenusinginternalandthird-partypentestingresources?2022202327%24%22%23%20%18%17%18%17%14%AllinternalMostlyinternalEvenlysplitMostlythird-partyAllthird-partyFigure

18:Splitbetweeninternalandthird-partypentestingservicesF232023Penetration

TestingReportThird-Party

ServicesWhchtypesofpenetrationtestsdoyouutilizethird-partytestersfor?2022202381%

81%68%65%48%46%44%36%33%30%23%22%4%3%NetworktestingApplicationtestingSocialengineeringCloudsecurityPhysicalpenetrationtestingIoTsecuritytestingOtherFigure

19:Typesofpenteststhird-partytestersarerequestedtoperformF242023Penetration

TestingReportOther

SecurityAssessment

ServicesDoyouuseanyoftheseothersecurityassessmentservices?Justasorganizationsmayhavecomplementarysolutionsintheiroffensivesecuritytoolkit,th