Recently, Gartner published the 2023 Hype Cycle for Security Operations.
Security operations technologies and services protect IT systems, cloud workloads, applications, and other digital assets from attack. They do this by identifying threats and vulnerabilities, and then taking steps to mitigate them. Security and risk management leaders use this Gartner research to develop and implement security strategies that are tailored to their needs.
As cloud architecture, open-source code and CI/CD evolve, this creates a larger attack surface and with it, a need for a more continuous, automated, and risk-based detection and management of vulnerabilities.
In their research, Gartner highlighted the concept of a CTEM program (Continuous Threat Exposure Management) as a key capability area which security and risk managers must include in their roadmaps. According to Gartner, “Exposure Management reduces the challenges organizations face inventorying, prioritizing and validating threat exposure that exist due to a rapidly expanding attack surface where traditional vulnerability management isn’t enough”.
Gartner points out that siloing exposure activities such as penetration testing, threat intelligence management, and vulnerability scanning offers little to no awareness of the full scope of risks the organization faces. Therefore, it is recommended to embrace a broader CTEM program, mobilizing the relevant organizational stakeholders, focusing on visibility and a risk-based, rapid response and reaction.
Let’s see how adopting a continuous expert-level PTaaS solution aligns with Gartner’s recommendations for users:
- When referring to Pen Testing as a Service (PTaaS), Gartner states that “PTaaS allows developers to talk to and receive guidance from pentesters instead of arguing with scanners”. A key feature of any PTaaS platform is a direct communication channel between developers and pentesters, enabling contextual discussions of vulnerability findings using the on-platform comments, and/or integrations with organizational productivity tools such as Slack, Teams and Jira.
- Another driver for PTaaS according to the research is the limited in-house security expertise, which requires external assistance to meet compliance and risk objectives. In many cases this calls for using expert security researchers, as opposed to “typically vetted freelancers” which might provide variable quality results.
- In the user recommendations section, the first advice is to create a mix of penetration testing, red team, automated testing and bug bounty / vulnerability disclosure program. It is better to get one vendor that can provide all of these, in order to get a comprehensive visibility.
- Favor hybrid scanning models that combine human analysis and automation to increase both effectiveness and efficiency.
- Select a PTaaS vendor that aligns with relevant compliance requirements, and not just focused on internet-facing infrastructure and applications. They also recommend Seek PTaaS vendors that provide customized and tailored guidance throughout the life cycle of their service to alleviate the security skills gap.
Finding such a mix of certified expert support, automated capabilities and an integrated platform is not easy, as many vendors lack at least one of these parameters.
When referring to EASM (External Attack Surface Mapping) which applies to discovery & monitoring of internet-facing assets’ for exposures from an attacker’s perspective and immediate remediation, Gartner recommends considering available capabilities from converging markets and existing vendors, as security testing, threat intelligence and broad security platforms all offer viable EASM features. Gartner states concern over “Already overburdened vulnerability management (VM) capabilities and teams concerned about adding to workload” which means that you would prefer some kind of a managed triage for the EASM findings.
Summary
Gartner’s 2023 Hype Cycle for Security Operations highlights the need for a more continuous, automated, and risk-based detection and management of vulnerabilities. The research recommends that organizations adopt a CTEM program (Continuous Threat Exposure Management) to reduce the challenges of inventorying, prioritizing, and validating threat exposure. Gartner also recommends adopting a PTaaS (Penetration Testing as a Service) solution to allow developers to talk to and receive guidance from pentesters instead of arguing with scanners. Finally, Gartner recommends considering available EASM (External Attack Surface Mapping) capabilities from converging markets and existing vendors.
Here are some specific recommendations from Gartner:
- Create a mix of penetration testing, red team, automated testing, and bug bounty / vulnerability disclosure program.
- Favor hybrid scanning models that combine human analysis and automation.
- Select a PTaaS vendor that aligns with relevant compliance requirements.
- Seek PTaaS vendors that provide customized and tailored guidance throughout the life cycle of their service.
- Consider available EASM capabilities from converging markets and existing vendors.
By following these recommendations, organizations can improve their security posture and mitigate the risks associated with a rapidly expanding attack surface.
About WASP
The WASP platform was built by OP Innovate to enable application security professionals to efficiently discover, assess, and manage their external and internal exposure.
WASP combines advanced penetration testing, attack surface mapping, code analysis and contextual vulnerability prioritization, with remediation solutions that integrate with the DevSecOps pipeline to deliver a full life cycle of vulnerability visibility and control.
Continuous proactive testing
Manage the dynamic attack surface (external & internal)
Highly skilled and accredited team members (CREST, OffSec, etc)
Respond to constantly emerging vulnerabilities and attack vectors
Centralize multiple sources of vulnerabilities
Reduce the alert fatigue of false positives