Over the years, Citadelo has performed thousands of security assessments and penetration tests globally. This first-hand testing experience and the extensive sample size have allowed us to gain unique insights into the current state of cyber security and the prevalence of various vulnerabilities across different types of IT projects.
In 2021, the statistics we gathered from our own first-hand testing of over 275 projects revealed a total of 2,677 vulnerabilities of varying criticality. On average 50% of projects suffered from at least one critical vulnerability, and medium- to high-level vulnerabilities were found in nearly every project tested.
These results confirm the absolute necessity for comprehensive penetration testing for any IT project, regardless of vertical. The frequency and sophistication of cyber-attacks are constantly on the rise and penetration testing and full-stack security assessments are more crucial than ever in 2022.
In Citadelo’s penetration testing and full-stack security analysis, we identify a full range of project risks, from suggested best practices to critical vulnerabilities. We use the following risk types to categorize the vulnerabilities we identify, from lowest to highest risk:
On average, Note risks made up the highest proportion of vulnerabilities identified at 48%. These types of risks are still highly advisable to resolve but do not present an immediate threat to projects. Critical risks, on the other hand, made up just 5% of the vulnerabilities identified. However, these types of risks represent immediate threats to projects and must be remedied as quickly as possible.
Web-based projects (websites or APIs) were the most common type of project tested, comprising over 50% of all projects. As the most common project type, they also suffer the most total vulnerabilities.
Combined projects were the next most common at 15%. Consisting of several different types of sub-projects, this project type contained the highest average number of vulnerabilities.
Infrastructure projects made up 12% of projects tested and contained a higher number of critical vulnerabilities, likely due to the fact that internal infrastructure projects are not connected to the Internet, leading to a false sense of security.
Mobile projects made up 9% of projects tested and suffered primarily from “note” vulnerabilities, due to their associated client-side layers being included in our analyses.
Cloud projects continued to rise in 2021, which also made up a significant portion of the “combined” project types in our study. Similarly to internal infrastructure projects, clients undertaking cloud projects suffer from a false sense of security that led to a higher number of critical vulnerabilities.
The remaining portion of projects tested was largely made up of desktop apps, ATMs, and social engineering projects.
The following chart gives a full overview of the tests performed by Citadelo in 2021:
| Overall results | ||||||||
|---|---|---|---|---|---|---|---|---|
| Web | API | Mobile | Infra | Cloud | Combined | Other | Total | |
| Note | 631 | 67 | 196 | 115 | 55 | 174 | 44 | 1282 |
| Low | 232 | 24 | 43 | 62 | 118 | 120 | 36 | 635 |
| Medium | 125 | 13 | 22 | 32 | 50 | 84 | 20 | 346 |
| High | 89 | 10 | 15 | 19 | 55 | 58 | 20 | 266 |
| Critical | 54 | 4 | 3 | 21 | 14 | 42 | 10 | 148 |
| Total | 1131 | 118 | 279 | 249 | 292 | 478 | 130 | 2677 |
| Number of projects | 118 | 22 | 24 | 32 | 18 | 41 | 20 | 275 |
Citadelo provided penetration testing and security audits for a wide range of industries in 2021. While the vast majority of projects (35%) fell under the broadly defined Technology sector, clients from the field of Finance were not far behind, making up 33% of all projects tested. The remaining sectors were fairly evenly distributed, each making up between 3 and 7% of all projects tested.
The over 2,677 vulnerabilities we found present a snapshot of the current state of cybersecurity and the importance of penetration testing in 2022. While less serious errors made up the vast majority of vulnerabilities, the 148 critical vulnerabilities discovered could have resulted in catastrophic consequences had they not been immediately remedied.
Above all, an important common theme was highlighted by our data: whenever the importance of security or penetration testing is overlooked or underestimated, more vulnerabilities inevitably emerge. Whether it be internal infrastructure applications assuming they are safe because they are not connected to the Internet, or cloud service applications that assume the internal audits of their
providers are sufficient, the overarching lesson from this data is that you can never be too careful. Comprehensive penetration testing from experienced agencies like Citadelo is an essential component of any security solution, and its importance will only increase in the years to come.
Download the full report with all of our statistics and analysis here.
To take your project’s security to the next level, get in touch, and we’ll get our hackers on the case ASAP: sales@citadelo.com.
