Application security – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations
Wed, 06 Aug 2025 23:17:13 +0000

2025 Cyber Survey: Application security at a breaking point – our latest report
https://ostermanresearch.com/2025/06/23/radware-2025-application-security/
Sun, 22 Jun 2025 23:10:37 +0000

We’ve been heads-down on several major reports over the past couple of months (hence the near radio silence), and the first of those has recently been published. Please check out Radware’s 2025 Cyber Survey: Application security at a breaking point (published June 12). This is the third year running we’ve had the privilege of working on Radware’s application security research, and this year’s research extends, expands, and tightens the nature of this annual research program.

From an extend perspective, the 2025 survey had a much higher focus on the role of AI in cybersecurity – from both the offensive and defensive sides. AI in cybersecurity has become a significant research area for Osterman Research, and each research program gives us the opportunity to refine our questions and contextualize those within a specific strand of the cybersecurity matrix. As you’ll see from the findings for this research program, the threat of AI being used to intensify hacking tradecraft is of highest concern to the organizations we surveyed. There’s a common set of refrains among respondents about the effect of AI on threat evolution, detection difficulty, and growing threat diversity. Unsurprisingly, there’s also a common refrain on strengthening application security defenses via AI-based cybersecurity solutions.

From an expand perspective, the research encompassed new threat areas we haven’t looked at over the past couple of research rounds. The major addition was API business logic attacks – a new class of threat – which is already being experienced with high frequency. On page 9 of the report, we say: Business logic attacks present an ideal opportunity for threat actors to use emerging offensive AI capabilities. For example, AI agents can automate the malicious exploration of API sequencing, looking for unexpected logic vulnerabilities and loopholes to exploit. Organizations should expect hackers to develop and share newly crafted playbooks to amplify threat opportunities. Our annual diagram on the cadence of different attack types portrays good news – in that average cadence is lower than our previous data set – along with a dire warning, in that the amplification of threat actor capabilities via AI is likely to increase attack cadence over the next 12 months.

And finally, from a tighten perspective, this year’s research doubled the number of organizations surveyed to allow a deep-dive focus on two specific industries (financial services and healthcare) compared to all other industries. There are cohort-to-cohort comparisons throughout the report, with the interesting findings noted wherever financial services or healthcare differ from the overall data set or from the other two cohorts. These are oriented around different attack patterns (page 6), API usage (page 7), and documentation status (page 8), among others.

Please get your copy of the full report from the Radware web site.

Join the webinar on June 26

We will be presenting the key findings from our research with Radware later this week. The webinar is on Thursday June 26 – please register to attend. We’d love to have you there.

Cybersecurity investment priorities with Salt Security – webinar
https://ostermanresearch.com/2025/03/18/upcoming-webinar-cybersecurity-investment-priorities-with-salt-security/
Mon, 17 Mar 2025 22:52:18 +0000

Salt Security co-sponsored our latest research program on cybersecurity investment priorities in 2025. The program offers a high-level view of investment priorities for CISOs and CIOs in 2025, along with a deep dive on four topics, one of which is application and API security.

On Tuesday March 18, we spoke with Eric Schwake, Head of Product Marketing at Salt Security, about the research. The webinar is entitled – API and Application Security: A Critical Investment for Protecting Your Organization in 2025.

Are your applications ready for the changing threat landscape of 2025? New research from Osterman Research highlights the urgent need for a focus on application and API security, urging CISOs and CIOs to prioritize these areas. The study surveyed organizations in the U.S. with over 1,000 employees and emphasized the importance of addressing vulnerabilities in new applications, creating secure APIs, and swiftly identifying APIs during their development.

Salt Security on the webinar with Osterman Research

Click below to watch the recording.

CISO and CIO Investment Priorities for Cybersecurity in 2025 – our latest report
https://ostermanresearch.com/2025/03/11/2025report-ciso-cio-investment-priorities/
Mon, 10 Mar 2025 22:00:00 +0000

We have just published our latest report for 2025. It’s all about how CISOs and CIOs are approaching investments in cybersecurity this year. The research looks at investment priorities overall (across 24 areas), plus takes a deep dive into four focus areas. The focus areas this year are applications, cloud platforms and services, identity, and data. Feel free to get a copy if making decisions around cybersecurity strategies and investments is in your wheelhouse.

The data comes from a survey of 268 CISOs and CIOs in the United States, at organizations with more than 1,000 employees. This is the second time we’ve run this research program. The first program was run in 2023, and this program builds on and extends our earlier research.

The key takeaways from this research are:

  • Cybersecurity driven by changing threat response calculus
    Increasing prices for cybersecurity insurance, the growing use of AI in cyberattacks, software supply chain compromise, and return-to-office mandates for employees are the top trends and challenges driving how CISOs and CIOs approach cybersecurity in 2025. All force a reevaluation of how best to address current and emerging threats.
  • Cloud infrastructure security, cybersecurity talent availability, and control and ethical processing of data top the priority stack
    Out of 24 potential investment areas for cybersecurity, two thirds of organizations assigned the highest priority to cloud infrastructure, internal cybersecurity talent, and compliant data processing. They see weaknesses in their current posture that are misaligned with where they want to be and are investing the resources to do something about it.
  • Budgets continue to rise, showing resilience across economic cycles
    Almost all organizations have received a higher budget for cybersecurity over the previous two years, and most believe they could put even more budget to productive and effective use.
  • Strong risk management disciplines make a significant difference
    Organizations with higher efficacy in managing the business risks associated with key cybersecurity areas such as applications, cloud, and identities show much higher commitment to address security weaknesses and are spending accordingly. Being able to see what is and isn’t happening drives change.
  • Organizations must do the work to understand their priorities
    Investment priorities for any given organization must be set within the context of their current posture, real-world threat data, and known areas of concern (and unknown areas of weakness). This is the fundamental work that cybersecurity decision-makers and influencers must coordinate.

This research was sponsored by BIO-key International, OpenText, and Salt Security.

If your firm provides cybersecurity solutions AND you would like to spread this research to your customers and prospects, please get in contact to talk about licensing options.

Pursuing operational excellence with automation and orchestration – our webinar with Jitterbit
https://ostermanresearch.com/2024/12/12/webinar-jitterbit/
Wed, 11 Dec 2024 20:38:12 +0000

Earlier today we presented a webinar with Jitterbit on our latest research report – Pursuing Operational Excellence with Automation and Orchestration. You can watch the recording if you weren’t able to make it live.

David Rastatter, Sr. Director of Product Marketing, hosted the webinar. David and I talked about:

  • The forces that organizations must contend with in the market, many of which pose a divide and conquer proposition.
  • The drive by organizations for unification around strategic and higher-level objectives, such as operational excellence, customer experience design, and employee experience. These higher-level objectives can only be achieved if organizations find a way to harness their supply chain and trading partner ecosystem; their suite of legacy, current, and future app stack; and their response to an ever-changing regulatory environment.
  • The role of automation and orchestration technologies in enabling organizations to address the polydynamic environment they face. With improvements in technology, organizations that have been using siloed solutions for different point capabilities will benefit from investigating newer, integrated and unified platforms.
  • Several possible future developments in orchestration technologies, such as digital twins for simulation and advanced visualization.

Listen / learn / benefit.

Some thoughts on Cobalt’s 2024 State of Pentesting Report
https://ostermanresearch.com/2024/06/29/cobalt-pentesting-2024/
Fri, 28 Jun 2024 20:56:21 +0000

Cobalt published its sixth annual report on pentesting last month (May 2024). As a company that offers pentesting as a service, Cobalt is well-positioned to leverage its aggregated data set to report on trends and findings year-on-year. The report complements Cobalt’s internal data with a large survey of cybersecurity professionals in the United States and United Kingdom.

Key findings from the report that were of interest here:

  • Cobalt conducted 4,068 manual pentesting engagements during 2023, up 31% from the 3,100 it conducted in 2022. With 400 specialist pentesters on call, this averages out at 10 per pentester per year.
  • Cobalt listed several reasons why pentest numbers increased: new regulatory compliance requirements, broadening of the attack surface, AI-generated code, the ongoing skills gaps at organizations, and budget reductions.
  • AI is one of the major trends covered in the report. There are several concerning conclusions based on Cobalt’s observations. First, tools that increase the speed of software development (including AI features) lead to an increase in the number of security vulnerabilities found, NOT to better quality software. Second, in the rush to embrace “all things AI,” security measures are often overlooked during implementation and during the subsequent changes as models learn. Third, 70% of respondents indicated they had seen evidence of external threat actors using AI to increase the quality and severity of cyberattacks.
  • The number of CVEs identified and catalogued in 2023 increased by 15% over 2022. The number of security findings discovered per Cobalt pentest engagement increased 21% in 2023 versus 2022. Some of this will be due to the increased number of CVEs, but not all of it. Cobalt’s pentesters appear to have higher efficacy at finding additional vulnerabilities, possibly due to reduced software quality via AI, better tooling from Cobalt, or more experience versus 2022.
  • Large language models (LLMs) need to be tested. Cobalt offers this as a newish service. The three most commonly found vulnerabilities during LLM pentesting engagements in 2023 were prompt injection, model denial of service attacks, and prompt leaking, where sensitive information is inappropriately disclosed.
  • Organizations are taking longer to fix identified vulnerabilities and are fixing fewer of them, too. This net-nets to unaddressed vulnerabilities creating opportunities for compromise, breach, and other types of attack for a longer period of time – which is good for no one except threat actors.
  • Layoffs and budget cuts have a devastating impact on software quality and vulnerability mitigation, along with the physical health and mental wellbeing of remaining staff (with C-level respondents indicating an even higher set of negative outcomes).

For more, get your copy of Cobalt’s report.

Notes on our discussion with Cobalt – the RSAC2024 files
https://ostermanresearch.com/2024/06/21/rsac2024-cobalt/
Fri, 21 Jun 2024 04:48:36 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Lisa Matherly (Chief Marketing Officer), Anne Nielsen, and Jason Lamar (Senior Vice President of Product) of Cobalt. The briefing was organized by Caroline Wong (Chief Strategy Officer), who was unable to attend due to other meetings at RSAC.

Key takeaways from our conversation:

  • Cobalt offers a marketplace for pentesting. Companies that want a pentest performed engage with Cobalt to find a best-fit pentester based on matching their description of the pentest engagement with the skills, capabilities, and expertise of the pentesters available via the Cobalt marketplace. Cobalt calls its offering Pentest as a service (PtaaS). We wrote a report for Cobalt back in early 2020 on PtaaS.
  • Becoming a Cobalt pentester is a non-trivial exercise. It is very hard to get into the program. Cobalt says it has more than 400 trusted security experts (pentesters) in their community, and they work with thousands of customers.
  • Based on the value organizations have obtained from Cobalt’s initial PtaaS offerings, Cobalt is being asked to offer complementary services, such as threat modeling, source code review, and LLM review. Getting another set of eyes plus an external perspective on source code, for example, enables the identification of security issues much earlier in the application development lifecycle. That’s good for everyone (except bad actors).
  • Cobalt published its sixth annual State of Pentesting Report just before the RSAC 2024 conference. It presents data from two data sets – 4,068 pentests in 2023 and 904 responses from security practitioners to a survey run from mid-March 2024. As would be expected, AI features prominently in the report.

For more, see Cobalt.

Notes on our discussion with Salt Security – the RSAC2024 files
https://ostermanresearch.com/2024/06/15/rsac2024-saltsecurity/
Fri, 14 Jun 2024 23:35:08 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Michael Callahan (Chief Marketing Officer) of Salt Security. The briefing was organized by Jordan Steffan of ICR Lumina.

Key takeaways from the briefing:

  • Salt was founded six years ago with a focus on API security.
  • APIs are a big deal, given how frequently they are used by applications to share information. Michael said that some companies see 4-5 billion API calls/month – a massive number – and the challenge is to be able to detect the bad calls.
  • When Salt engages with a potential customer, many say they don’t even know what APIs they have. This is partly due to loose governance around API creation, lack of documentation, rapid change cadences, and ongoing app modernization. Hence, discovering what exists is the first port of call for many customers. Optics and visibility first, control and oversight second.
  • As APIs are discovered, Salt’s toolkit analyzes APIs for similarities. One reason for this is to highlight areas for rationalization of the number and diversity of APIs, thus driving standardization and reducing the API attack surface / threat scope.
  • Salt’s toolkit also continually analyzes APIs for deviation from policy, such as the absence of up-to-date documentation.
  • Michael demonstrated how a developer can use ChatGPT to write an API for a system, based on declaratives around requirements, etc. Within seconds of giving the prompt, a new API was written. While powerful, Michael’s point was that generative AI used for API development will greatly expand the number of APIs in use, and thus cross-API differentiation, and thus an increased attack surface / threat scope.
  • Salt’s AI engine – called Pepper (as in, salt and pepper) – is used across the Salt platform for continuous discovery, posture analysis, and threat detection. Salt says Pepper is an “exhaustive investigator” in the discovery phase, even finding undocumented APIs and those embedded in microservices. In the posture analysis / assurance phase, Pepper analyzes for “deviations from security best practices and highlight[s] insecure configurations.” And in the behavioral threat protection phase, Pepper looks for abnormal, anomalous, suspicious, and potentially malicious exploits and attacks.

For more, see Salt Security.

Recent news – February 13
https://ostermanresearch.com/2024/02/13/news20240213/
Tue, 13 Feb 2024 04:04:41 +0000

What’s been happening recently in our areas of interest:

  • Open Text Fortify Audit Assistant v2
    Open Text released version 2 of Fortify Audit Assistant, a static application security testing (SAST) tool. Version 2 leverages data collected over ten years of static analysis to train predictive models that identify vulnerabilities and minimize false positives, includes language-specific models for deep analysis, separates the SaaS and on-premises models to increase data privacy for on-premises deployments, and factors the exploitability of potential vulnerabilities into its rankings. PRNewswire
  • Resecurity on election interference
    Resecurity published a threat intelligence report on election interference, noting “a growing trend of malicious cyber-activity targeting sovereign elections globally.” With 2024 being a critical year for elections around the world (49% of the global population are due to vote during the year), election interference or influence is of significant concern. Various reports, including Resecurity’s, have seen a doubling of activity targeting sovereign elections. Resecurity says: “… threat actors aim to sow uncertainty about the integrity of elections via operations that aim to disrupt and manipulate public opinion globally. Unfortunately, these incidents remain complicated from an investigation perspective and are often imperceptible to the public. Amidst historic geopolitical volatility and uncertainty, marked by escalating conflicts throughout the Middle East and Eastern Europe, securing elections from hostile cyber-threats has become vital to the preservation of the global democratic order.” Resecurity
  • Anti-fraud features on Android devices
    In Singapore, Google is piloting an anti-fraud feature on Android devices that blocks apps that demonstrate malicious behavior. Specifically, apps that request a certain list of permissions that are known to be exploited by phishing attacks. “This enhancement will inspect the permissions the app declared in real-time and specifically look for four runtime permission requests: RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility. These permissions are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on screen content. Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 percent of installations came from Internet-sideloading sources.” Google Security Blog
  • Proofpoint lays off 6% of workforce
    Proofpoint, an email security vendor, trimmed 280 positions with the intent to move about half of the job roles to Argentina and Ireland by mid-2024. The driver was to cut management layers, and the expectation is to end 2024 with the same number of employees as at the start of the year. Bank Info Security
False Sense of Security — Shadow Code Remains a High Risk – webinar with PerimeterX
https://ostermanresearch.com/2021/10/26/webinar-shadow-code-perimeterx/
Mon, 25 Oct 2021 15:00:00 +0000

Hosted by PerimeterX

Presented on October 26, 2021

More than 90% of websites use third-party scripts and open source libraries for common functions such as payments, customer reviews, tag management and social media integration. But website owners lack visibility into this Shadow Code – scripts added without approvals or ongoing security validation – to know for certain that their site is safe from cyberattacks, introducing hidden risks into an organization.

Michael Osterman, President, Osterman Research Inc and Kim DeCarlis, CMO, PerimeterX discuss the hidden risk of using third-party scripts. Learn how to secure your modern web applications from supply-side attacks to avoid the risk of a data breach, ensure data privacy and comply with regulations.

The webinar covers:

  • Vulnerabilities introduced by third-party scripts in your web applications
  • Attack detection methods and challenges
  • Visibility into code changes using third-party scripts
Magic Cube Contenders – White Paper
https://ostermanresearch.com/2020/01/29/orwp_0321/
Tue, 28 Jan 2020 23:00:00 +0000

Published January 2020

Sponsored by Cobalt Labs, Inc.

Executive Summary

This is the second of a three-part series of white papers focused on the essential best practice of penetration testing (pentesting), the goal of which is to identify and prove vulnerabilities within a system or application’s scope within a defined amount of time. As noted by Security Innovation Europe, pentesting “is the process of testing your applications for vulnerabilities, and answering a simple question: ‘What could a hacker do to harm my application, or organization, out in the real world?’”

Pentesting can involve a wide range of techniques and practices, including static and dynamic analysis, and includes things like SQL injection, cross-site scripting and backdoors in an effort to understand and exploit an application’s vulnerabilities. Pentesters will attempt to do things like intercept traffic, exfiltrate sensitive data or escalate user or admin privileges within applications to determine just how vulnerable an application might be to hackers and other cyber criminals.

Request a Copy

By downloading this white paper, you are opting into receiving marketing communications from Osterman Research and any of the sponsors of this white paper.