61% of organizations perform attack surface discovery to keep pace with frequently changing assets and an expanding attack surface, yet only 40% perform continuous attack surface management, a Bugcrowd survey reveals.
Only one out of five organizations surveyed qualified as a “leader” in how they execute attack surface and vulnerability management, while 49% ranked in the second tier as “fast-followers” and 39% ranked in the bottom tier as “emerging organizations.”
The survey found several key differences between leaders and other respondents in their approach to attack surface and vulnerability management. Notably, 72% of leaders perform continuous attack surface management, indicating that the frequency of attack surface discovery is a marker of maturity.
Augmenting security efforts with crowdsourced cybersecurity solutions
Organizations that qualify as leaders recognize their own limitations and are much more likely to supplement their security efforts with crowdsourced penetration testing and bug bounty programs than the fast-followers and emerging organizations.
In fact, 59% of leaders use bug bounty programs to discover previously unknown attack surface, compared to 43% of fast-followers and 34% of emerging organizations.
Furthermore, 41% of leaders plan to use crowdsourced security platforms for penetration testing over the next 24 to 36 months, compared to just 19% of fast-followers and 27% of emerging organizations.
“This research demonstrates how COVID-19 spurred many organizations to accelerate their digital transformation efforts, thus increasing the size and complexity associated with managing their attack surface,” said Ashish Gupta, CEO, Bugcrowd.
“One factor really separated the more successful organizations from the rest of the pack: the leaders clearly lean more heavily on crowdsourced security solutions to augment their security efforts. This layered approach to security has significantly strengthened their ability to protect their attack surface and mitigate vulnerabilities.”
Distinguishing leaders from less mature organizations
Fast-followers and emerging organizations are far less proactive in performing attack surface and vulnerability discovery compared to leaders. For example, 72% of leaders conduct attack surface discovery on a continual basis, compared to just 52% of fast-followers and 3% of emerging organizations.
Additionally, 59% of leaders perform penetration testing for vulnerability discovery more often than once per month, while only 23% of fast-followers and 3% of emerging organizations do so at that frequency.
However, the less mature companies report higher confidence in their attack surface and vulnerability discovery tooling and technologies, suggesting that their lower discovery frequency reflects a lack of awareness of potential risk rather than a considered decision.
“There is a stark contrast between what the leaders are doing and what everyone else is doing, and the latter group should take note of the difference,” said Jon Oltsik, Senior Principal Analyst and Fellow, ESG.
“Leading organizations use a diverse combination of tools, automated processes, and integrated workflows to constantly look for problems in their attack surface and vulnerability management. They unify efforts across their organization and are proactive in taking necessary actions to mitigate any risks they discover.
“Perhaps most important, leaders are aware of their limitations and are much more likely to use bug bounties, crowdsourced penetration testing and other external services.”
To uncover security blind spots and stay ahead of rapidly evolving threats, organizations at every level of security maturity can adopt crowdsourced security to protect their attack surface and remediate vulnerabilities before they can be exploited.