The report, compiled from survey responses from enterprise organizations in North America and Europe, investigated four areas critical for organizations to increase their resistance to attack:
An understanding of their attack surface
The cadence of application testing compared to release cycles
The depth and style of security testing
The availability of technical talent capable of carrying out these tasks
Overall, organizations had a confidence score of 63% across a composite of these four areas.
"Awareness reduces risk. Only organizations who know their attack resistance gap are equipped to reduce it,” said Marten Mickos, CEO of HackerOne. “We conducted this research to illustrate the problem and show the way toward improvement. Organizations that broaden their scope of testing, and do it continuously, are seeing their attack resistance gap shrink."
One-third of respondents say they monitor less than 75% of their attack surface. Almost 20% of participants believe that over half of their attack surface is unknown or not observable, leaving them vulnerable to external threats, especially as digital transformation and development continue at an accelerated pace.
Additionally, 44% of organizations stated they are not totally confident that they can close the attack resistance gap. The cyber skills shortage exacerbates their ability to protect the full attack surface — 80% of respondents expressed concern about a lack of available skills and experienced security talent.
The report demonstrates that siloed and insufficient testing of products adds further pressure on organizations, with one-third (33%) citing team silos as the main reason behind shortcomings in security testing and scanning tools. Development, security, and operations teams cite continuously changing requirements and priorities as their top two challenges, alongside technical and security debt in legacy systems.
The over-reliance on security and scanning tools as a quick fix or a one-size-fits-all approach is also an area of concern. Data also demonstrated how many companies see Attack Surface Management (ASM) as a compulsory security exercise, rather than a strategic tool in their overall security plan. Only 22% of companies use ASM solutions to minimize exposed development infrastructure and weak, insecure, or deprecated crypto.
