With our research on security testing methods and Breach and Attack Simulation (BAS) tools, we ended up in an interesting discussion about the role of the pentest. I think we can risk saying that pentesting, as it is done today, will cease to exist (I’ll avoid the trap of saying “pentesting is dead”, ok? :-)).
Let me clarify things before everyone starts to scream! Simple pentesting, done purely to find vulnerabilities and with no intent to replicate threat behavior, will vanish. This is different from the kind of pentest many people prefer to call a “red team exercise”: the very high quality engagements where you genuinely try to replicate the approach and methods of real threats. That approach is in fact growing, and that growth is one of the factors that will kill the vanilla pentest.
But to kill the pentest we need pressure from two sides. The red team is replacing the pentest from the high maturity side, but what about the low maturity side? Well, that’s where vulnerability assessments and BAS come into play.
If you look at how pentests are performed today, discounting red team style exercises, you’ll see that they are not very different from a good vulnerability assessment. They are still different, though, because a pentest involves exploiting vulnerabilities, and that exploitation can move the assessor to another point in the network (a compromised host, harvested credentials) from which another round of scanning and exploitation starts. And that’s where BAS tools come into play.
BAS automates the simple pentest, performing the basic cycle of scan, exploit, pivot, and repeat until everything reachable is owned. If you can do that with a single click of a button, why would you use a human to do it? The tool can ensure consistency, provide better reporting and do it faster. Not to mention requiring fewer skills (you don’t even need to know how to use Metasploit!). So, with BAS, you either go for human testers because you want a red team, or you use the tool for the simple style of testing.
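To make the cycle concrete, here is a small model of the scan/exploit/pivot/repeat loop. This is an added example, not code from the post or from any BAS product: the network, the service versions, the credentials and the “safe exploit” catalogue are all constructed. The loop runs to a fixed point rather than a single pass, so a host that resists at first (no exploitable service, no usable credential) is tried again once a later compromise yields credentials it accepts, which is the lateral movement behaviour the paragraph describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    services: tuple                   # (service, version) pairs the scan step finds
    reachable: frozenset              # hosts this one has network access to
    creds: frozenset = frozenset()    # credentials recoverable once the host is owned
    accepts: frozenset = frozenset()  # credentials that give a login on this host


# Hypothetical "safe exploit" catalogue keyed by service fingerprint (constructed).
EXPLOITS = {("smb", "1.0"): "smb-v1-exploit", ("webapp", "2.3"): "webapp-rce"}

# Constructed network: names, versions and credentials are illustrative only.
NETWORK = {h.name: h for h in [
    Host("attacker-box", (), frozenset({"web01"})),
    Host("web01", (("webapp", "2.3"), ("ssh", "8.4")),
         frozenset({"admin-ws", "app01", "db01", "jump01"}),
         creds=frozenset({"svc_deploy"})),
    Host("app01", (("smb", "1.0"),), frozenset({"db01", "dc01"}),
         creds=frozenset({"domain_admin"})),
    Host("admin-ws", (("rdp", "10.0"),), frozenset(),
         accepts=frozenset({"domain_admin"})),
    Host("db01", (("ssh", "8.4"),), frozenset(), accepts=frozenset({"svc_deploy"})),
    Host("dc01", (("smb", "3.1"),), frozenset(), accepts=frozenset({"domain_admin"})),
    Host("jump01", (("ssh", "8.4"),), frozenset()),  # patched, shares no credentials
]}


def scan(host):
    """Scan step: enumerate (service, version) pairs exposed by a host."""
    return sorted(host.services)


def exploit(target, creds_held):
    """Exploit step: return how the host was owned, or None if it resists."""
    for fingerprint in scan(target):
        if fingerprint in EXPLOITS:
            return EXPLOITS[fingerprint]
    reusable = creds_held & target.accepts      # privilege/credential reuse
    if reusable:
        return "credential-reuse:" + sorted(reusable)[0]
    return None


def simulate(network, foothold):
    """Repeat-until-owned loop. Returns (owned hosts in order, attack edges)."""
    owned = [foothold]
    creds_held = set(network[foothold].creds)
    edges = []
    progress = True
    while progress:                      # stop only when a full pass owns nothing new
        progress = False
        for src in list(owned):          # pivot from every host owned so far
            for dst in sorted(network[src].reachable):
                if dst in owned:
                    continue
                how = exploit(network[dst], creds_held)
                if how is None:
                    continue
                owned.append(dst)
                creds_held |= network[dst].creds
                edges.append((src, dst, how))
                progress = True
    return owned, edges


def unreached(network, owned):
    """Hosts the loop never owned: the report's 'resisted' list."""
    return sorted(set(network) - set(owned))


if __name__ == "__main__":
    owned, edges = simulate(NETWORK, "attacker-box")
    for src, dst, how in edges:          # network map from the attacker's point of view
        print(f"{src} -> {dst} via {how}")
    print("not owned:", unreached(NETWORK, owned))
```

Note that `admin-ws` is reachable from `web01` in the second pass but fails there, because the only credential in hand is `svc_deploy`; it falls in the third pass once `app01` has yielded `domain_admin`. A single-pass scanner would report it as safe.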
But, you may argue, not everyone will buy and deploy those tools, so there’s still room for service providers selling basic pentesting. Well…no! BAS will not be offered only as something you buy and deploy in your own environment. Like every other security tool, it will also be offered as SaaS. With that, you don’t need to buy and deploy it anymore; you can “rent it” for a single exercise. This is simpler than hiring pentesters, and provides better results (again, I’m starting to sound repetitive, but excluding the really great pentests…). So, why would you hire people to do it?
In the future, your options for testing your security will be vulnerability scanning, BAS or red teaming. Each has its own objectives, advantages and disadvantages, but there will be no need for people running basic pentests anymore.
If you currently use those simple pentests, do you see your organization eventually moving to this new scenario? If not, I’d love to know why!
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Let me know which audit firms will accept a BAS run in lieu of a “simple pentest” because that’s the reason why pentesting is in demand at all.
You are right. Silly compliance requirements will keep the demand for pentesting until the BAS results start being accepted. Businesses will put pressure on audit firms and regulators as the tools become more popular and they see that the results from the tools are the same, if not better, than the pentests hired just to check the box.
This article does not address all kinds of penetration testing. Breach and attack simulation will not be able to replicate business logic and authorisation bypass vulnerabilities, which are very prevalent and can only be found by manual application security testing.
We couldn’t agree more. For the past two years we’ve been developing our in-house BAS tool, which we named Infection Monkey (https://www.guardicore.com/2016/07/infection-monkey-loose-2/). It’s a free open source attack simulation tool built to mimic a human attacker’s lateral movement using privilege abuse, safe exploits and more. We decided to create it when we discovered the need to educate our customers on how attackers really work inside the data center and hybrid cloud and why a new generation of security solutions is required. But this is a topic for another blog…
Our open source BAS supports all platforms including Docker, AWS and Azure, installs easily and generates a report that includes a network map from the attacker’s point of view. What inspired us was Netflix’s Chaos Monkey, introduced in 2011 🙂
Interesting blog and comments. As a company that offers a Crowdsourced Red Team solution, we totally agree that red teams will replace traditional penetration tests. Researchers motivated by bounties are excellent at executing vulnerability discovery, and researchers guided by preset task payments are very effective at checking and completing compliance requirements. Tools are still a necessary component to help do continuous monitoring and help guide the Red Team. High maturity and low maturity are not two separate categories; it’s all about one effective technology-enabled Red Team.