Human error bugs increasingly making a splash in hacker-powered pen tests – report

Ethical hackers have reported over 66,000 valid vulnerabilities through HackerOne this year, an increase of 22% from 2020.

The annual Hacker-Powered Security Report from bug bounty platform HackerOne, published on Wednesday (December 8), reports that digital transformation and cloud migration trends in the wider IT industry are continuing to throw up vulnerabilities as attack surfaces expand and services are outsourced.

Bounty prices for high severity and critical vulnerabilities are rising, meanwhile, as organizations prioritize high-impact bugs.

The report also found that organizations are remediating vulnerabilities faster than ever before.

Chris Evans, HackerOne’s newly appointed CISO and chief hacking officer, commented: “Organizations are catching issues earlier and remediating them at greatly reduced cost by focusing on improvements to developer education, source code integrations, and development frameworks.”

Digging deeper

HackerOne’s latest report provides telemetry that charts the progress of the bug bounty programs it runs for organizations in a variety of sectors across the world.

While traditional bug bounty programs saw a 10% increase in valid vulnerability reports, vulnerability disclosure programs (VDPs) saw a 47% increase, and reports from hacker-powered penetration tests rose by 264%.

In the past year, the industry-wide median time to resolution fell by 19% from 33 days to 26.7 days, with some industries such as retail and e-commerce seeing time-to-remediation dropping by more than 50%.

The most frequently discovered bug on HackerOne continues to be cross-site scripting (XSS), but other web security exploits have come back into fashion, and the overall picture is far from static.

For example, information disclosure saw a 58% increase in valid reports and business logic errors had a 67% increase, propelling the two vulnerability classes into the top 10 for the first time.

Christopher Dickens, security engineer at HackerOne, told The Daily Swig that these two classes of vulnerability were cropping up more regularly because they are the consequences of human error.

“Most testing these days is automated which, by its nature, misses vulnerabilities only humans can exploit,” Dickens explained.

“Running a bug bounty and having thousands of humans looking for bugs is going to lead to a higher percentage of business logic errors – the increase is likely down to both a mixture of new hacker focus and new, more complex bugs.”

Source: https://portswigger.net/daily-swig/human-error-bugs-increasingly-making-a-splash-in-hacker-powered-pen-tests-nbsp-report