

A new report from Cobalt.io has found that there is an increasingly strong relationship between security and engineering in DevOps, the practice in which software developers and information technology departments work closely together to create applications faster and better.
The State of Pentesting: 2020 report, released today, explores the state of application security, including insights from a survey of more than 100 practitioners in security, development and operations. Pentesting, short for penetration testing, involves simulated attacks on applications or networks to check security posture.
The report found that 78% of those surveyed reported a strong relationship between security and engineering, which it claims is representative of a transition organizations are making from DevOps to DevSecOps. A little over half of respondents said that their organizations pentest applications at least quarterly, while only 16% pentest annually or biannually.
Organizations are said to pentest many different types of applications, with cloud environments continuing to present significant risk, particularly from security misconfiguration. Just over half of respondents said they conduct pentesting on Amazon.com Inc.-based cloud environments alone. Notably, the report found that the most common type of vulnerability discovered is misconfiguration, followed by cross-site scripting, authentication and session flaws, sensitive data exposure and missing access controls.
“As DevOps hastens the pace of software release, data and automation are essential to scaling security,” Caroline Wong, chief strategy officer at Cobalt.io, said in a statement. “With increased demand for pentesting and higher expectations for application security, the relationship between security and engineering hinges on operational efficiency through automation.”
While extolling the virtues of automated pentesting, the report also states that there are some exploits that humans are better at detecting, such as business logic bypasses, race conditions and chained exploits. Examples where humans and software work best together include authorization flaws such as insecure direct object reference, out-of-band XML external entity, SAML/XXE injection, DOM-based cross-site scripting, insecure deserialization, remote code exploitation, session management, file upload bugs and subdomain takeovers.
“As web applications become more complicated and scanners improve efficiency, this report reveals a widespread need for applying security fundamentals to complex problems,” said Vanessa Sauter, security strategy analyst at Cobalt.io. “Whether mitigating security misconfigurations or identifying business logic bypasses, a thorough understanding of system architecture and an ability to think both methodically and creatively proves essential to mitigating the most serious threats to application security.”