TL/DR: Detectify’s Hack Yourself event in Stockholm is 24 hours away, which means that it’s time to catch up on what happened at our last event in late 2021. From Gartner including External Attack Surface Management (EASM) as the top trend in security, to debating whether EASM will replace DAST, to reflections on security culture and much more – this post sums up the takeaways from IT Security Specialist Jesper Larsson, Sprinkler Security co-founder David Jacoby, and Detectify CEO Rickard Carlsson on some of the most lively online security topics.
EASM: Is Gartner late to the party?
Included by Gartner in 2021 as a major cybersecurity category and an emerging product, the External Attack Surface Management (EASM) term might be new. Still, the idea behind it is nothing new: identifying risks coming from internet-facing assets that an organization may be unaware of.
A few companies, including Detectify, have been highlighting the importance of the attack surface and understanding the potential risks of the constantly-changing environment. Gartner’s addition of EASM as an emerging product demonstrates an increasing awareness of the necessity for organizations to be aware of the threats that exist through their internet-facing assets.
What are organizations doing wrong when it comes to security?
While today’s code-quality security is good, the sharing between domains or principles is lacking, for example when using infrastructure as code. Some people have become lazy, reusing other people’s templates, sometimes without knowing the security details. There is no technical depth (the rule now is: if it works, it works). Security is measured by the exploitation that actually happens: we learn by being hacked, and that is not how it should work.
At the same time, while technical vulnerabilities are being detected, misconfigurations in applications are not detected nearly as often. Issues that have existed for twenty years are still being exploited. The way we now look at IT security is more about what’s new, trendy, or cool. This ties in with the way programming is learned today. It can be considered an evolution, like using dependencies or libraries. But the problem is that those are blindly trusted. Most of the backend runs code that you did not write yourself, yet nobody minds. While newer programmers are tech-proficient, they might lack a security mindset.
Understanding pentesting vs. an automated hacker-powered tool
Penetration testing is a vulnerability detection mechanism that uses multistep and multivector attack scenarios to find vulnerabilities and attempts to exploit them. While some companies might be continuously pentesting, others don’t at all; this is often due to lacking security culture, budget limitations, or both.
There are different types of penetration testing. In most cases, the goal is to find specific vulnerabilities. However, the often forgotten scenario-based penetration testing assesses the performance of security controls against specific tactics instead of generic vulnerability discovery. Scenario-based testing is aligned with modern risk frameworks, running risk controls over the assets an organization holds. However, nowadays, assets are a delicate subject: are they self-hosted? Are they cloud-based? The responsibility is somewhat vague. Knowing what you are implementing is a good starting point.
Security as a matter of culture
From a broader perspective, security is not a tooling problem. It is a matter of education and visibility, as well as the process of bringing them together, building the right culture, and strategizing. The key is being familiar with an organization’s threat model. Ideally, the tooling step comes after understanding the threat model and building a plan. The goal is to avoid a false sense of security, and to not blame the tool vendor when the desired results are not obtained.
Register today to attend Hack Yourself Stockholm, the event that brings together top ethical hackers, industry thought leaders, and practitioners to discuss trends, challenges, and opportunities around External Attack Surface Management (EASM). Join speaker sessions from hacker and content creator STÖK, hacker and researcher David Jacoby, Klarna’s Lead Offensive Security Engineer Stuart McMurray, and Detectify’s Security Researcher Kursat Cetin. To understand the challenges of coping with an ever-expanding attack surface, come to our panel discussion with experts from Klarna, Visma, and Detectify.
Meanwhile, if you want to keep up with today’s cyber threats, you need continuous security integrated with development. If you’re not already a customer, click here to sign up for a free trial and immediately start scanning or get in touch with our customer success team through firstname.lastname@example.org. Already have an account? Log in to check your assets. Go hack yourself!