These findings come from a report issued by Bugcrowd, titled ‘Attack Surface and Vulnerability Management Assessment’, researched in partnership with analyst firm Enterprise Strategy Group (ESG). An attack surface is the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter. Keeping the attack surface as small as possible is regarded as a basic security measure.
The study identifies one defining factor that separated the more successful organizations from the rest of the pack: a reliance on crowdsourced security solutions to augment internal security efforts. The findings are drawn from conversations with over two hundred CISOs from around the world about the measures they take to secure the attack surface, including how and when vulnerabilities are assessed. The report also covers penetration testing as a means of vulnerability discovery and the role of crowdsourced security in mature organizations.
One statistic from the survey stands out: 61 percent of organizations perform attack surface discovery to keep pace with frequently changing assets and an expanding attack surface, yet fewer than half (40 percent) perform continuous attack surface management. Most of the cybersecurity professionals surveyed regard this gap as a weakness.
Continuous attack surface management here means a platform that detects and identifies external-facing assets on an ongoing basis, rather than in a one-off scan, and pairs that discovery with continuous security testing, alerting and reporting tools.
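To make the difference between one-off discovery and continuous management concrete, the following Python example (added here, not part of the report or of any Bugcrowd product) diffs two successive external asset inventories and turns every change into an alert. A single scan only tells you what is exposed today; diffing consecutive snapshots is what surfaces a newly exposed host or port the moment it appears. The hostnames, ports, snapshots and the allowlist of expected ports are all constructed for illustration.

```python
"""Minimal continuous attack-surface inventory: diff the latest discovery
snapshot against the previous one and raise alerts on new exposure.

Hostnames, ports, snapshots and the EXPECTED_PORTS policy below are
constructed for illustration and describe no real organization or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# A snapshot maps each discovered external hostname to its open TCP ports,
# as produced by whatever discovery tooling feeds the platform.
Snapshot = Dict[str, Set[int]]

# Ports the organization expects to be reachable from the internet (assumed
# policy). Anything else appearing on the perimeter is higher-risk exposure.
EXPECTED_PORTS = {80, 443}


@dataclass(frozen=True)
class Alert:
    kind: str          # "new_asset", "new_service" or "removed_asset"
    host: str
    port: Optional[int]
    severity: str      # "high" for unexpected ports, otherwise "info"


def severity_for(port: Optional[int]) -> str:
    """An unexpected listening port is high severity; expected ports are informational."""
    if port is None or port in EXPECTED_PORTS:
        return "info"
    return "high"


def diff_snapshots(previous: Snapshot, current: Snapshot) -> List[Alert]:
    """Compare two discovery runs and emit one alert per change.

    A point-in-time scan only yields `current`; the diff is what makes the
    monitoring continuous and keeps alert volume proportional to change
    rather than to the size of the whole perimeter.
    """
    alerts: List[Alert] = []
    for host in sorted(set(previous) | set(current)):
        before = previous.get(host, set())
        after = current.get(host, set())
        if host not in previous:
            # Never-seen host: one alert, rated by its riskiest open port.
            sev = "high" if any(p not in EXPECTED_PORTS for p in after) else "info"
            alerts.append(Alert("new_asset", host, None, sev))
        elif host not in current:
            # Host disappeared; worth recording so the inventory stays honest.
            alerts.append(Alert("removed_asset", host, None, "info"))
        else:
            # Known host: alert only on ports that were not open last time.
            for port in sorted(after - before):
                alerts.append(Alert("new_service", host, port, severity_for(port)))
    return alerts


def high_severity_alerts(alerts: List[Alert]) -> List[Alert]:
    """The subset a responder would be paged on."""
    return [a for a in alerts if a.severity == "high"]


# Constructed sample inventories from two consecutive discovery runs.
SNAPSHOT_MONDAY: Snapshot = {
    "www.example.test": {80, 443},
    "api.example.test": {443},
    "legacy.example.test": {443},
}
SNAPSHOT_TUESDAY: Snapshot = {
    "www.example.test": {80, 443, 8080},   # a debug/admin port was exposed
    "api.example.test": {443},
    "staging.example.test": {22, 443},     # new host with SSH reachable from the internet
}

if __name__ == "__main__":
    for a in diff_snapshots(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY):
        target = a.host if a.port is None else f"{a.host}:{a.port}"
        print(f"[{a.severity}] {a.kind}: {target}")
```

Running the block reports the vanished legacy host, the new staging host (high, because port 22 is outside the expected set) and the newly opened 8080 on www (high), while the unchanged API host produces nothing. In a real deployment the snapshots would come from DNS, certificate transparency, cloud inventory and port-scan feeds, and the alerts would be routed to a ticketing or paging system.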
In contrast to firms that have not put appropriate systems in place, the more forward-looking organizations are embracing a layered approach to security to protect their expanding attack surface and to mitigate vulnerabilities before attackers can exploit them.
The survey placed few organizations in the top bracket, defined as “leaders” in how they execute attack surface and vulnerability management (only 20 percent of firms fell into this grouping). A further 49 percent ranked in the second tier as “fast-followers” and 39 percent were ranked in the bottom tier as “emerging organizations.”