
An EASM blog from Detectify

Detectify’s approach to asset discovery is at the forefront of the EASM landscape

Grace Macej / May 5, 2023

We’re excited to announce that Detectify has been included in the 2023 Gartner Competitive Landscape for External Attack Surface Management report. This report is an important resource for External Attack Surface Management (EASM) vendors and potential customers alike, as it provides the most up-to-date insights on the EASM landscape and how various vendors are approaching attack surface management.

Today, we’d like to dive into a significant topic discussed in the report: External asset discovery. On this point, Gartner states that external asset discovery — although a core capability of EASM — will no longer be a distinguishing characteristic of these products.

If this strikes you as odd, Gartner has reasons to back up this statement. In a nutshell, many EASM vendors now claim to provide asset discovery, to the point that it’s become ambiguous what vendors can actually discover. For example, some EASM vendors claim that they can identify all externally exposed assets but gloss over specifics like web components, cloud servers, or even physical devices. We recognize that this ambiguity can create issues and reduce a team’s productivity in the long run.

In order to overcome this challenge, we need to go beyond asset discovery and look at EASM as something that can easily be integrated into an organization’s existing security capabilities.

Detectify’s experience in AppSec brings a unique perspective to EASM

At Detectify, we believe that security practitioners are enablers, not blockers. This means we focus on helping teams quickly resolve vulnerabilities and risks based on their unique risk threshold. This has led Detectify to take a bolder stance on how we see our comprehensive EASM platform providing value for AppSec and ProdSec teams.

Our experiences have demonstrated that EASM does not need to be a new spend category — instead, it’s important that modern organizations view it as a viable solution to replace existing AppSec tooling. 

In Gartner’s report, Detectify was the only vendor to be profiled as part of the AppSec category. Detectify’s background in the application security testing space means its buyer persona extends to AppSec and ProdSec security teams who are focused on securing digital products and services.

As is stated in the report, “EASM complements AST because EASM can be used to automate the discovery of vulnerable applications. These can be applications that are not actively being managed by security because they are used by the developers within the organization that security is unaware of or because they have been abandoned or orphaned.”

How today’s AppSec tech stack isn’t meeting needs

AppSec tooling now needs to be able to work to accelerate remediation of the most important threats to an organization, rather than trying to squash every bug. 

The current application security tech stack falls short due to common challenges, including developer experience, generic scoring systems, and the need for faster remediation times.

Fortunately, innovation coming out of the EASM space can help address questions related to these challenges, such as:

  • Do my developers have the information they need to quickly resolve a vulnerability?
  • Do I invest minimal time into deploying and managing my tooling?
  • Do I know what I’m exposing online and if it’s vulnerable? 
  • Does my team quickly and efficiently remediate the vulnerabilities that affect us the most?
  • Can I validate that my teams are following internal security policies?

EASM is filling gaps missed by existing AppSec testing tools

Current tooling available to AppSec teams contains several gaps, including how well results can be integrated into existing developer workflows and the frequency, or “freshness”, of vulnerability findings.

This is where EASM tooling fills the gaps missed by DAST and SAST by integrating results and offering continuous and up-to-date vulnerability findings. EASM tools, especially those like Detectify that focus specifically on AppSec teams, can monitor an organization’s attack surface daily as well as offer freshness of data — something that’s critical to allow AppSec teams to move quickly during remediation. These insights are communicated using developer-friendly tools like Slack and Jira, or alternatively, they can be completely consumed via an API.

Here are a couple of tools included in Detectify’s best-in-class EASM platform that empower AppSec and ProdSec teams:

  • Attack Surface Custom Policies: Completely customizable rules that monitor for policy breaches as they occur in production.
  • Groups: A feature that allows users to organize assets, such as domains, according to any logic that best suits the way their team works.

Driving better actionability for AppSec and ProdSec teams

While Gartner states that “EASM is a net new spending for most organizations as it doesn’t replace any tools”, we’d like to make clear that through our solutions, Detectify continues to challenge this statement. 

While EASM can certainly be added as part of a traditional application security testing toolkit, a majority of modern AppSec toolkits could be replaced with Detectify’s EASM solution.

Furthermore, EASM can integrate with an organization’s existing security capabilities to improve processes, such as vulnerability management, and it can also effectively drive better actionability through providing teams with the right tools to focus on what’s important.

To dive deeper into how current AppSec tooling is no longer helping AppSec teams achieve their goals and what these teams can do about it with the help of EASM, book a demo with our team.

For further insights on the EASM landscape and Detectify’s approach to external asset discovery, learn more about Detectify’s inclusion in Gartner’s recent report.