Gartner Blog Network


BAS and Red Teams Will Kill The Pentest

by Augusto Barros  |  February 14, 2018  |  6 Comments

With our research on testing security methods and Breach and Attack Simulation tools (BAS), we ended up with an interesting discussion about the role of the pentest. I think we can risk saying that pentesting, as it is today, will cease to exist (I’ll avoid the trap of saying “pentesting is dead”, ok? :-)).

Let me clarify things here before everyone starts to scream! Simple pentesting, for pure vulnerability finding goals and with no intent to replicate threat behavior, will vanish. This is different from the pentest that many people will prefer to call “red team exercises”, those very high quality exercises where you really try to replicate the approach and methods of real threats. That approach is in fact growing, and that growth is one of the factors that will kill the vanilla pentest.

But to kill the pentest we need pressure from two sides. The red team is replacing the pentest from the high maturity side, but what about the low maturity side? Well, that’s where vulnerability assessments and BAS come into play.

If you look at how pentests are performed today, discounting the red team style of exercises, you’ll see that they are not very different from a good vulnerability assessment. But they are still different, because they involve exploiting vulnerabilities, and that exploitation can move the assessor to another point in the network that can be used for another round of scanning/exploitation. And that’s where BAS tools come into play.

BAS automates the simple pentest, performing the basic cycle of scan/exploit/repeat-until-everything-is-owned. If you have the ability to do that with a simple click of a button, why would you use a human to do it? The tool can ensure consistency, provide better reporting and do it faster, not to mention requiring fewer skills (you don’t even need to know how to use Metasploit!). So, with BAS, you either go for human tests because you want a red team, or you use the tool for the simple style of testing.

But, you may argue, not everyone will buy and deploy those tools, so there’s still room for the service providers selling basic pentesting. Well…no! BAS will not be offered only as something you can buy and deploy in your environment. It will also, like all the other security tools, be offered as SaaS. With that, you don’t need to buy and deploy it anymore; you can “rent it” for a single exercise. This is simpler than hiring pentesters, and provides better results (again, I’m starting to sound repetitive, but excluding the really great pentests…). So, why would you hire people to do it?


In the future, your options for testing your security will be vulnerability scanning, BAS or red teaming. Each one has specific objectives, advantages and disadvantages, but there’s no need for people running basic pentests anymore.

If you currently use those simple pentests, do you see your organization eventually moving to this new scenario? If not, I’d love to know why!


Category: future  pentest-and-red-teams  

Tags: vulnerability-assessment  

Augusto Barros
Research VP
3 years at Gartner
21 years IT Industry

Augusto Barros is Research VP in the Gartner for Technical Professionals (GTP) Security and Risk Management group.


Thoughts on BAS and Red Teams Will Kill The Pentest


  1. Tangled Beard says:

    Let me know which audit firms will accept a BAS run in lieu of a “simple pentest” because that’s the reason why pentesting is in demand at all.

    • Augusto Barros says:

      You are right. Silly compliance requirements will keep the demand for pentesting until the BAS results start being accepted. Businesses will put pressure on audit firms and regulators as the tools become more popular and they see that the results from the tools are the same as, if not better than, the pentests hired just to check the box.

  2. Rahul says:

    This article does not address all kinds of penetration testing. Breach and attack simulation will not be able to replicate business logic and authorisation bypass vulnerabilities, which are very prevalent and can only be found by manual application security testing.

  3. Ravit Greitser says:

    We couldn’t agree more. For the past two years we’ve been developing our in-house BAS tool, which we named Infection Monkey (https://www.guardicore.com/2016/07/infection-monkey-loose-2/). It’s a free open source attack simulation tool built to mimic a human attacker’s lateral movement using privilege abuse, safe exploits and more. We decided to create it when we discovered the need to educate our customers on how attackers really work inside the data center and hybrid cloud, and why a new generation of security solutions is required. But this is a topic for another blog…

    Our open source BAS supports all platforms including Docker, AWS and Azure, installs easily and generates a report that includes a network map from the attacker’s point of view. What inspired us was Netflix Chaos Monkey, introduced in 2011 :-)

  4. […] working on our research for testing security practices, and also about BAS tools, I’ve noticed that a common question about adding more testing is “why not putting some […]

  5. Interesting blog and comments. As a company that offers a Crowdsourced Red Team solution, we totally agree that red teams will replace traditional penetration tests. Researchers motivated by bounties are excellent at executing vulnerability discovery, and researchers guided by preset task payments are very effective at checking and completing compliance requirements. Tools are still a necessary component to help do continuous monitoring and help guide the Red Team. High maturity and low maturity are not two separate categories; it’s all about one effective technology-enabled Red Team.


