Capitol Wheel, outside the Gartner Security & Risk Management Summit 2018
13 June 2018

Gartner Hugs Hackers – Crowdsourced Security, Bug Bounties, and more at the Gartner CISO Summit 2018

Rajesh Krishnan

Did you miss the Gartner Security & Risk Management Summit last week, where 3,300 CISOs and their teams gather each year? Synack didn’t. With more than 100 sessions, no one can catch everything, so we’ll share our highlights for topics that touch on security testing, application security and the debut of crowdsourced testing research at Gartner!

APIs and Microservices-Led Architectures

The surging importance of APIs and microservices was evident. In particular, Gartner analysts such as Dale Gardner noted that web application security techniques are not 100% transferable to API security testing. In our own API security testing, we build in a scoping exercise that covers the known calls, the key workflows, and the unexpected workflows that can be created by using API calls in unexpected ways.

Automation

If the event had a word cloud, Automation would be in 72 point Impact font. This is driven by all the security products at the expo doing what they do plus generating data. Correlating and evaluating it all is now table stakes across the security stack, but making it integrate with your workflows is not. Some technologies were more advanced in their use of automation, like SIEM, growing at 10% CAGR per Toby Bussa. Other security categories, such as vulnerability management, use automation less due to the wide variety of data sources. Bussa also reminded attendees of the expected automation of low-end security functions in his SIEM talk.

Breach & Attack Simulation

Breach and Attack Simulation (BAS), the Gartner category, received much more attention this year than in past years. The major use case was for testing your detection and prevention, not necessarily replacing existing security practices. BAS tools actually buck the trend on the use of AI: in a way, they brute-force attack replays.

A main use case is to complement penetration testing. My favorite quote from the week on this topic: “Pen Testing says ‘Can I get in?’ BAS says ‘Does my security work?’” Some analysts, like Augusto Barros, go farther and say that simple pen testing gets crushed by BAS in the future.

Crowdsourced Security Testing Platforms

Gartner debuted research on the growing field of Crowdsourced Security Testing by coining the term Crowdsourced Security Testing Platform provider, or CSSTP. This category includes bug bounty programs, and we hope this is the beginning of more reports addressing the Landscape of Crowdsourced Security Testing (available for free).

As many Gartner reports do, it starts with a clear and testable projection. In this case, the prediction is that automated and CSSTP products and services will grow to be the majority of the penetration testing market within 5 years. The report covers the many ways to crowdsource. This includes platforms (such as Synack), self-run programs (such as Microsoft), and community programs (as frequently seen in open source and blockchain). Crowd skill, corporate governance, and general effectiveness are cited as contributing to growth.

Gartner subscribers with appropriate access rights can find their new Emerging Technology Analysis report here (author: Dale Gardner, with a D) and we recommend that you do. That’s not just because Synack and its 2018 new releases for Attacker Resistance Score and Compliance are noted by name, though they are. It’s a thoughtful piece on this growing corner of the security marketplace, with a bold prediction on just how much of the standard penetration testing market will fall to this innovation.

DevOps, DevSecOps, and Containers

On to Containers and DevOps. The best two-word quote from the whole week: “DevOps won.” The defenders of waterfall software development have been washed away. Instead, it’s a matter of every organization’s journey to DevOps at widely differing levels of speed. And with DevOps comes DevSecOps, which is in the Gartner Hype Cycle for Application Security. For those familiar with hype cycles, it neatly displays the path that technologies go through. Each emerges, gets overhyped, then reality and long-term productivity set in.

We see the same trends for DevOps. In fact, more and more of our customers use Synack for vulnerability discovery behind their firewalls with our site-to-site technology. That extension of our robust, mature LaunchPoint gateway for measuring and monitoring security research allows trusted, controlled research to happen earlier in the development cycle.

I felt that after years of being just outside of the spotlight, Container Security is going to be dragged into the mainstream with these trends. It is just a natural extension of CI/CD growth, as well as of hybrid cloud environments that take advantage of containers. Containers challenge SAST/DAST tools in particular, and leave more room for specialized tools and testers to take up the load.

Interested in more? Did you attend? Take the conversation to Twitter with @synack and #gartnerSEC.

Rajesh F. Krishnan