Today we released a blog post on 'Vulnerability Statistics & Trends in 2015'. We decided to write the post after receiving positive feedback at our Oasis event in May 2015, where Andrew Turner, Sales Director, and Ranulf Green, Senior Consultant, gave attendees a market update sharing insight into what we have seen in the industry over the last 12 months.
Steve Lamb, a consultant at Context, analysed the statistics held in our own penetration testing management database and drew out the following high-level points across application and infrastructure tests:
The number of vulnerabilities discovered in application assessments remains consistent at around 9 findings per test, but infrastructure engagements show a decline in the number of vulnerabilities discovered (23.3 to 12.1 per test for external infrastructure, and 32.8 to 23.0 per test for internal infrastructure).
The proportion of high-impact vulnerabilities has also remained consistent for applications (16%), but again infrastructure shows a steady decline from an initially high starting point (20.2% to 8.2% for external infrastructure, and 28.9% to 15.9% for internal infrastructure).
The proportion of high-impact vulnerabilities that are considered easy to exploit has remained consistent for both application (~35%) and internal infrastructure (~85%) engagements, but for external infrastructure, while still quite high (57%), it dropped in 2015.