F5 Labs is a dedicated security research team at F5 whose mission is to empower security practitioners with data-driven research. This broad remit, combined with the growing specialization in cybersecurity, also leads the group to work with different kinds of security specialists depending on the subject at hand. The F5 Labs team recently collaborated with the Cyentia Institute, industry leaders in security data science, to publish a new report: The State of the State of Application Exploits in Security Incidents. That name’s not a typo—this report is a meta-analysis of several prominent industry reports, each of which covers the state of application security, hence the name, ‘the state of the state of.’ The goal is to evaluate the degree of consensus and clarity within the world of application security researchers.
In the usual rigorous Cyentia style, the report breaks down methodologies and conclusions from reports that approach the core question of application security from slightly different angles. Some of the report’s sources focus on data breaches specifically, and one of them has narrowed down even further to data breaches of a certain size and impact. A large number of industry reports used the MITRE ATT&CK® framework to focus on attacker tactics and techniques. Others are focused on vulnerabilities, where Cyentia had to work the hardest to align the different results into something that could be compared and evaluated.
On the surface, the analysis indicates that the field of application security reporting is disjointed and poorly organized. Many of these reports use different taxonomies, inconsistent definitions and terminology, or proceed from different assumptions, making it difficult to compare even two reports on any meaningful level. When the different methods are simplified enough to be compared, the findings are generally so mundane as to be considered common sense, such as the observation that web exploits are useful to attackers.
However, scratch beneath the surface a little, and each of these reports arrives at similar conclusions and recommendations, meaning that no matter how we approach the question of application security, we arrive at roughly the same mission. Viewed in this way, the ‘state of the state of’ isn’t quite as chaotic as it might appear. The report also features the eye-catching and thought-provoking data visualization we’ve come to expect of Cyentia, as well as their quirky, understated sense of humor. Check out the full report and bask in the glory of meta-analysis at its best.