Charlotte Kerridge
For starters, it’s no surprise that the findings revealed that organizations’ most prominent threats during 2023 were vulnerabilities not covered by common disclosure processes such as CVEs.
Detectify CEO Rickard Carlsson has been talking about this for some time – his article on the trouble with CVEs and vulnerability management in modern tech stacks demonstrates the risks of over-reliance on established methods. This was again evident in the data we collected for our report.
“Security teams spend valuable time on vulnerabilities that often don’t even have an exploit available while significant threats are overlooked,” Rickard says. “Effective prioritization will be key in 2024; organizations must reduce their vulnerability backlog by leveraging solutions that offer highly accurate findings and integrate their unique business context into the equation. One-size-fits-all strategies don’t fit the bill.”
We also learned that 75% of the vulnerabilities Detectify regularly scans for, most of which are crowdsourced from its community of ethical hackers, had no CVE assigned. This again shows how over-reliance on frameworks like the CVE program weakens organizations’ security posture and gives them a false sense of security.
Furthermore, none of the Top 30 vulnerabilities found for the SaaS customers in the sample were rated critical under CVSS, the public security scoring system. This again shows how score-based frameworks fail to help security teams understand the actual level of risk posed by threats in the modern AppSec stack, particularly in an industry that faces one of the largest volumes of threats.
The report also outlines the most common vulnerabilities found across organizations’ attack surfaces in 2023: SSL/TLS Hostname Mismatch, Expired Certificate, Path-based XSS, CVE-2021-40438 (Apache mod_proxy SSRF), and HTTPS/HTTP Mixed Content.
We also learned that the Banking & Financial Services and Public Sector industries experienced the largest share of critical-severity vulnerabilities, owing to their aggressive modernization efforts. SQL Injection was the most common critical threat for these industries, which may be attributed to the sensitivity of the data they store and how frequently that data is targeted by attackers.
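Three of the findings listed above (hostname mismatch, expired certificate and mixed content) are simple to check for on your own assets once the certificate metadata and page HTML are in hand. The following is an added example written for this article, not Detectify’s scanner code; it runs the checks against a constructed certificate record and a constructed HTML page rather than a live host, and all hostnames and URLs in it are made up.

```python
"""Added example (not Detectify's code): offline checks for three common
findings named in the report: SSL/TLS Hostname Mismatch, Expired Certificate
and HTTPS/HTTP Mixed Content. Inputs are constructed sample data."""
from datetime import datetime, timezone
import re


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """True if hostname is covered by one of the certificate's DNS SANs.
    A wildcard is honoured only for the left-most label (RFC 6125 style),
    so '*.shop.example.com' covers 'eu.shop.example.com' but not
    'a.b.shop.example.com' or 'shop.example.com'."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                 # ".shop.example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:    # exactly one extra label
                return True
        elif host == name:
            return True
    return False


def certificate_expired(not_after: datetime, now: datetime) -> bool:
    """True once the current time has reached the certificate's notAfter."""
    return now >= not_after


# Resource-loading tags whose src/href points at a plain http:// URL.
# Hyperlinks (<a href>) are deliberately excluded: they are not mixed content.
_HTTP_RESOURCE = re.compile(
    r"""<(?:script|img|link|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["'](http://[^"']+)["']""",
    re.IGNORECASE,
)


def mixed_content_urls(page_url: str, html: str) -> list[str]:
    """Return http:// resource URLs embedded in a page served over https://."""
    if not page_url.lower().startswith("https://"):
        return []
    return _HTTP_RESOURCE.findall(html)


def assess(hostname: str, san_names: list[str], not_after: datetime,
           now: datetime, page_url: str, html: str) -> list[str]:
    """Run all three checks and return the names of the findings raised."""
    findings = []
    if not hostname_matches(hostname, san_names):
        findings.append("SSL/TLS Hostname Mismatch")
    if certificate_expired(not_after, now):
        findings.append("Expired Certificate")
    if mixed_content_urls(page_url, html):
        findings.append("HTTPS/HTTP Mixed Content")
    return findings


# --- Constructed sample data (hypothetical host, certificate and page) ---
SAMPLE_HOST = "api.example.com"
SAMPLE_SANS = ["www.example.com", "*.shop.example.com"]   # does not cover api.
SAMPLE_NOT_AFTER = datetime(2023, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_PAGE_URL = "https://www.example.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/ok.js"></script>
<script src="http://cdn.example.com/a.js"></script>
</head><body><a href="http://other.example.com/">link</a></body></html>"""


def sample_findings() -> list[str]:
    return assess(SAMPLE_HOST, SAMPLE_SANS, SAMPLE_NOT_AFTER, SAMPLE_NOW,
                  SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for f in sample_findings():
        print("FINDING:", f)
```

In practice the SAN list and notAfter would be read from the served certificate (for example via the `cryptography` package) and the HTML fetched from the page; the checks themselves stay the same. The wildcard rule is the one browsers apply, so a wildcard certificate that only covers one level of subdomain will correctly be flagged as a mismatch for deeper names.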
Aside from CVSS continuing to misrepresent the true risk that vulnerabilities pose, here’s what else is ahead for 2024:
Prioritization based on high-fidelity assessments:
Threat prioritization will continue to evolve towards security teams trusting their tools to generate high-fidelity findings and integrating those findings into their workflow to speed up remediation.
Leveraging the power of crowdsourced research:
We’ll continue seeing strong growth in the demand for solutions that crowdsource security research. Research from ethical hackers proves its value in democratizing and streamlining the response to threats, surpassing the limitations of established disclosure processes, as highlighted in our report.
A continued need for market education:
Security teams must continue to educate themselves on how EASM can complement their organization’s existing security stack, particularly around how EASM can fill the gaps missed by AppSec tooling.