A few months ago, we launched a survey focusing on transparency in penetration testing, designed to understand the specific needs of security teams and how we can help them optimize their pentest projects.
The initial results are in and we selected the most interesting findings for this blog post. Read on to learn about how confident security teams are when it comes to testing efficiency, the top features they want to see in a monitoring platform, and the metrics they prioritize for measuring success.
Most participants expressed a clear need for improved visibility into penetration tests. Only 18% of respondents reported high confidence in their pentest results (scores 9 and 10 on a scale of 10), indicating that a lack of real-time visibility is hindering their ability to assess security risks effectively.
60% of respondents experience challenges in determining the success of their pentest projects, saying it’s difficult to measure the overall success of the pentest and they have no way of making sure the pentest was comprehensive.
Close to two-thirds (65%) of respondents rely solely on information provided by the pentest vendor, with half only receiving updates after testing concludes. These limited insights make it difficult to assess the effectiveness of the pentest. Even more alarming, 13% of respondents don't track pentester performance at all. Thankfully, a more proactive approach exists, with 16% of teams leveraging analytics tools to gain deeper insights into their pentest processes.
These findings highlight the need for organizations to take a more active role in measuring pentest success and move beyond solely relying on vendor reports. The lack of confidence in pentest results also underscores the need for improved metrics and progress tracking. A higher level of transparency could demonstrate the comprehensiveness of the testing, enabling teams to effectively evaluate the impact of their pentests.
Beyond the overall success of a penetration test, security professionals expressed the need for more granular details. The overwhelming consensus (98%) highlighted the importance of explicitly showcasing OWASP’s TOP 10 attack types in the pentest report.
Understanding which functionalities were tested (e.g., file upload, input fields) and which attack methods were used (XSS, SQLi) is also paramount for 78% of respondents. Additionally, 70% of participants expressed the need to know the exact duration of testing.
While information on the number of testers involved (28%) and the number of HTTP requests made (16%) also provides value, there's a clear focus on the specific functionalities and attack methods employed during the pentest.
Security teams need a simplified approach to interpreting pentest results. According to participants, the most useful feature of a monitoring platform is a centralized dashboard (67%) for easy access to all relevant information. This is closely followed by the need for automated audit report creation (56%), freeing up security teams from time-consuming manual reporting.
Real-time monitoring (54%) would further enhance efficiency by providing immediate insights into the testing process. Finally, instant notifications (39%) would keep teams informed of critical findings as they arise, allowing for quicker response times.
Security leaders are clearly divided on how involved they want their teams to be in pentest projects. A two-thirds majority (68%) of security leads expect their teams to be fully engaged and informed throughout the entire pentest project, which highlights the importance of real-time visibility and collaboration. Conversely, 20% believe a post-test review of results is sufficient. This lack of ongoing involvement can lead to missed opportunities to learn from the pentest and to prioritize remediation efforts effectively.
The survey results clearly show that security professionals want a more transparent and collaborative approach to pentesting. Improved visibility throughout the process, along with a focus on measuring key insights such as OWASP TOP 10 attack types, attack methods, and vulnerability severity and coverage, can significantly boost confidence in pentest results.
By actively engaging security teams and prioritizing real-time metrics, organizations can leverage insightful penetration testing as a powerful tool to understand and strengthen their overall security posture.
Thanks again to everyone who participated in our survey! Your feedback serves as a guideline for us to continue building the features and functionalities of HackGATE™, increasing the level of transparency in penetration testing for security teams around the world.