State of EASM Report from Best-in-Class Player Reveals Shortcomings with CVE-overreliance and Flaws in Security Scoring Systems
STOCKHOLM & BOSTON – December 12, 2023 - Detectify, the External Attack Surface Management platform powered by elite ethical hackers, has today released its “State of EASM 2023” report. The research draws on data from Detectify’s customer base and provides a snapshot of the threat landscape faced by the core industries and regions that Detectify serves. The findings show that the most prominent threats to organizations during 2023 were vulnerabilities not covered by common disclosure processes such as CVE, and they demonstrate the risk of relying too heavily on established vulnerability-tracking methods.
Noteworthy findings from the report include:
- None of the top three vulnerabilities found across all industries was covered by a CVE. Additionally, 75% of the vulnerabilities Detectify regularly scans for, most of them crowdsourced from its community of ethical hackers, have no CVE assigned. Over-reliance on frameworks like the CVE program weakens organizations' security posture and gives them a false sense of security.
- None of the Top 30 vulnerabilities for the Internet Software (or SaaS) industry was rated critical under the public security scoring system CVSS. This shows how score-based frameworks fail to help security teams gauge the actual risk posed by threats in the modern AppSec stack, in an industry that sees one of the largest volumes of threats.
“Our research evidences the flaws of established systems like CVE or CVSS. Security teams spend valuable time on vulnerabilities that often don't even have an exploit available while significant threats are overlooked," said Rickard Carlsson, CEO, Detectify.
“Effective prioritization will be key in 2024; organizations must reduce their vulnerability backlog by leveraging solutions that offer highly accurate findings and integrate their unique business context into the equation. One-size-fits-all strategies don’t fit the bill.”
Rickard Carlsson, CEO, Detectify
Additional findings of the research include:
- The Banking & Financial Services and Public Sector industries had the largest share of critical-severity vulnerabilities, which the report attributes to their aggressive modernization efforts. SQL Injection was the most common critical threat in these industries; the sensitivity of the data they store makes them frequent targets for attackers.
- The most common vulnerabilities found across organizations’ attack surfaces in 2023 include SSL/TLS Hostname Mismatch, Expired Certificate, Path-based XSS, CVE-2021-40438 (Apache mod_proxy SSRF), and HTTPS/HTTP Mixed Content.
The full and interactive State of EASM 2023 report is available at https://stories.detectify.com/the-state-of-easm/
Note to Editors
This research analyzed the findings from 235 enterprises and mid-market organizations across 30 countries. Detectify found a total of 361,028 vulnerabilities in this sample.
About Detectify
Detectify sets the standard for External Attack Surface Management (EASM), providing 99.7% accurate vulnerability assessments. Product security and AppSec teams trust Detectify to expose exactly how attackers will exploit their Internet-facing applications. The Detectify platform automates continuous real-world, payload-based attacks crowdsourced through its global community of elite ethical hackers, exposing critical weaknesses before it’s too late.
Go hack yourself: detectify.com.
Media contacts
Jorge Vicente
PR & Communications at Detectify
+46761146350
press@detectify.com