Sanjay Nagaraj and Sudeep Padiyar
About the 2022 HackerOne Security Report
HackerOne released its 6th annual Hacker-Powered Security Report. The Company has been surveying ethical hackers to get their perspective on cybersecurity and risk. The 2022 Hacker-Powered Security Report includes insights from 5,700+ hackers and has a wealth of information for security and development teams.
Traceable’s Cofounder and CTO, Sanjay Nagaraj, and Director of Product Management, Sudeep Padiyar, compiled several insights that are relevant for security teams across all industries.
Read on to learn more.
The 2022 Hacker-Powered Security Report Highlights the Importance of Tackling Modern Day Vulnerabilities
The 2022 Hacker powered security report has now become one of the key reports that provides visibility into what drives the ethical hacker community, their focus, and insights on primary attack vectors for modern day threats.
One of the key observations of the report is that the most mature security organizations attract the most skilled ethical hackers. This is a healthy sign. As the maturity of Infosec and Product security teams increase, the nature and sophistication required from hackers to uncover issues is also increasing.
Lets go over some of the key summary points of the report and the implications to security professionals as they go about planning for strengthening their security posture in 2023 and beyond.
Median Time to Vulnerability Resolution
Unfortunately, the median time to vulnerability resolution increased for most of the verticals, as compared to 2021.
It demonstrates that despite increased reliance on automation and vulnerability management, the time to resolution and ensuring that new vulnerabilities do not get introduced with new software revisions, has trended in the wrong direction.
It clearly indicates that as attack vectors adapt with cloud native apps, APIs and the cloud infrastructure, the approach to address these vulnerabilities needs to evolve.
Top Vulnerabilities Uncovered by Ethical Hackers
It’s not a surprise that Cross Site scripting, Improper access control Insecure Direct Object reference (iDOR) which is now commonly referred to as Broken Object Level Authorization (BOLA), and Privilege Escalation, continue to be the top vulnerabilities enterprises are willing to pay higher bug bounties for.
As modern day cloud native apps are built for a wide variety of user roles, granularity of access to APIs, and more importantly the data that they access, has to be of primary concern both for development and security teams.
AuthN, AuthZ and improper access control based attacks are on the rise and it is of utmost importance that these are addressed in the API Security testing phase and compensatory controls are present at runtime protection for unpatched vulnerabilities and zero days.
Broken Object Level Authorization (BOLA) has rightly been called out by OWASP as the most common and impactful attack on APIs due to its high exploitability, ubiquity in APIs, the large potential for a data leak, and the ability for attackers to exploit this vulnerability in a wide variety of ways.
At Traceable, this has been one of the key vulnerabilities we protect against at runtime and it is also available in our API Security testing product.
API Security Becomes Top Attack Vector
APIs becoming the second highest attack vector that ethical hackers have been focusing at further reinforces the point of how significant APIs have become in the modern day attack surface management space.
The fact that it is higher than Android/IOS Apps, Open source, Operating system and cloud platforms is testament to the rapid increase in API usage. The vulnerabilities that can be exploited at this layer, have increased disproportionately, resulting in the need for API security, more than ever before.
At Traceable our focus right from founding has been to discover, protect and test for security vulnerabilities as early in the development phase as possible to help provide our customers maximum security all through the SDLC. As business logic specific exploits are on the rise we have added custom detections to protect against API abuse and data exfiltration using API DNA, behavioral baselining and anomaly detection to protect APIs at runtime.
Industries Hit the Hardest – Retail and Financial Services Are the Most Common Targets
The industries with largest exposure to sensitive data, financial information and compliance needs continue to be the top focus areas for ethical hackers. These verticals are also the ones where API usage has been increasing manifold every year due to rapid digital transformation, shift towards cloud native applications and heavy reliance on third party APIs.
The Bottom Line
For the past six years, HackerOne has been surveying ethical hackers to get their perspective on the cybersecurity landscape, the evolution of risk, and the approach needed to better secure our critical digital assets.
The latest approach further reinforces the significance of constantly updating the security mechanisms to protect against complex modern day attacks.
At Traceable, we continue to work with the ethical hacker community, pen testing teams, the OWASP and wider API security community to protect APIs from critical vulnerabilities.
Our mission is to protect every API, to help ensure the security of the services and data that power modern applications and that is further reinforced by this key report.
About Traceable
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire development lifecycle. Visual depictions provide insight into user and API behaviors to understand anomalies and block API attacks, enabling organizations to be more secure and resilient. Learn more at traceable.ai.
