
The State of Pentesting 2022: How Labor Shortages are Impacting Cybersecurity & Developer Professionals

Cobalt’s State of Pentesting 2022 report unearthed that teams have been struggling to fix and prevent the same vulnerabilities for at least the past five years in a row.

Both security and development teams are struggling with alarming talent shortages. It is open to debate whether The Great Resignation is causing this problem or exacerbating an issue that goes much further back. What we do know with certainty is that teams are stressed, struggling to keep operations running at the required standard, and many are thinking of leaving their current jobs.

This year, in Cobalt’s State of Pentesting 2022 report, we surveyed more than 600 security and development professionals and analyzed data from more than two thousand pentests to quantify the impact of the labor shortage on security and development teams. Here’s a look into what we uncovered.

What are the most common vulnerabilities?

Cobalt’s pentest data shows teams struggling to fix and prevent the same vulnerability classes for at least five years running. The top categories, as a share of all 2021 findings, were:

  1. Server Security Misconfigurations: 38%
  2. Cross-Site Scripting (XSS): 13%
  3. Broken Access Control: 11%
  4. Sensitive Data Exposure: 10%
  5. Authentication and Sessions: 8%

Most of these findings stem from not staying on top of configurations, software updates, or access management controls: common and easily preventable flaws. Fixing and preventing them proactively requires both security and development teams to have more resources, particularly people, which are hard to come by amid talent shortages.

The true impact of labor shortages on security teams 

As colleagues leave and roles stay open, teams are struggling to maintain security standards, particularly when it comes to compliance and supporting secure development. Vulnerabilities are more likely to slip past undetected, and teams are concerned they’re not ready to respond to cybersecurity attacks. Of note, a whopping 90% of respondents who have suffered shortages or lost team members are struggling with workload management!

Developers are feeling the burn, too

While security teams are looking to developers for help, development teams are equally dealing with the implications of the labor shortage. Only 7% say they have been adequately staffed for at least six months and expect to continue that way for the next six. The majority (97%) of developers say that these challenges make it harder to meet critical deadlines for feature launches, and 80% say that these challenges compromise the quality and security of developers’ code.

Talent shortages are straining security and developer collaboration 

Talent shortages are straining collaboration efforts between security and development departments. This slows teams down, both in fixing critical vulnerabilities and meeting launch deadlines. In addition, the quality of developers’ work drops, raising the chance that new code will bring in even more vulnerabilities. 

Of note: 

  • 96% of security teams see a slower response to patching critical vulnerabilities
  • 97% of developers struggle to meet critical launch deadlines 
  • 80% of developers say collaboration challenges with the security team compromise the quality of their code

The challenges our research found are difficult, but they’re not impossible to solve. Download The State of Pentesting 2022 for a closer look at what organizations can do to manage their vulnerabilities and retain talent amid The Great Resignation – and how Pentest as a Service (PtaaS) can help. 

Download the State of Pentesting 2022

About Jay Paz
Jay has more than 12 years of experience in information security and 19+ years of information technology experience, including system analysis, design, and implementation for enterprise-level solutions. He has a robust background in developer supervision and training as well as in major programming languages, hardware and software operations, and major infrastructure application development.