Now that the dust has settled on the annual 2016 Gartner Security and Privacy Symposium, we can look back through a clean lens and identify themes that bubbled to the surface of the different sessions. Although a critical mass of security leaders were in attendance, many were not. It is my hope that those who were not able to attend this year’s Gartner conference will be able to glean a few key trends that came out in this year’s proceedings.
Some background is warranted for those who have never been to Gartner… Within security circles, “Gartner” as it is simply known, has become one of three largest security conferences in North America, a solid third behind the annual BlackHat USA and RSA Conferences. In the run up to Gartner I found a great overview of security conferences written by Tech Beacon:
Surprisingly, Tech Beacon was nice enough to include quotes from a 2014 blog post that describes my first Gartner Symposium experience. It struck my 2014 self how different Gartner was from the other major security conferences, namely RSA and BlackHat. As you might imagine, Gartner was, and continues to be, far more corporate – way more blue blazers than Black Hat and RSA combined, and has a different general demographic. The conference also focused much less on the zero days and threat intelligence, which, I may say, was a relief.
What sets Gartner apart from the other conferences is its almost singular focus on the enterprise, with less emphasis on what to call the “attack side” of the business. There is no shortage of industry buzzwords, but RSA, and now Black Hat, are no better in that department. Even if we are reluctant to admit it, Gartner analysts influence the way we think about the industry and are pretty good at characterizing emerging security problems. In that regard, the 2016 Symposium did not disappoint.
Denim Group is a Gartner analyst relations client, so I regularly talk to the likes of leading industry analysts like Neil McDonald, Lawrence Pingree, and Ayal Tirosh. For me, it’s a once-in-a-year opportunity to share insights in person with analysts that cover your technology space, in my case this happens to be application security.
The challenge with Gartner, like many conferences, is that picking the sessions you plan to attend remains a complex process. I wasn’t able to attend every session, but I had a full agenda and covered in person what I could, catching other sessions highlights via Twitter (following the hashtag #gartnersec).
As I suspected, the many could not attend in person, so I took copious notes and reviewed the symposium Twitter stream upon my return home. Gartner’s big statement was that 60% of digital businesses will suffer major service failures due to the inability of security teams to manage digital risk. Many of the thoughts in various sessions flowed from the idea that one must be prepared for the inevitable.
What follows are some of the key takeaways that jumped out at me during the four days I spent at Gartner.
Separating the IoT Hype from Reality: As expected, IoT was a consistent theme during Gartner this year. In his session titled “Practical Steps to Manage Risk and Security in the Internet of Things,” Gartner analyst Earl Perkins kicked off the conference by drawing the parallel between IoT and Operational Technologies already deployed in many corporate environments. Gartner calls Operational Technologies” (or “OT”) everything that includes control systems, SCADA, and other types of sensors. In theory, if you can understand how OT works, you can better understand and prepare for IoT. With that in mind, three things regarding the security of OT, and by extension, IoT, stood out to me as either new or particularly interesting.
First, the security models for operational technology & IoT are radically different from the enterprise security model. Built and managed by engineers for resilience and up time, OT & IoT are focused on safety and availability, but are not really built to accept regular security updates like patches.
Second, the platform, protocols, and vendors for operational technologies are all different and new to security operators – be advised, a learning curve exists for most career security professionals. Seek out the one or two engineers in your organization that understand industrial control and learn everything you can from them.
Finally, IoT will have privacy issues as you’ve never imagined. Understand the features and functionality of IoT devices connecting to your enterprise so you understand the privacy impact. Know even more your company builds IoT devices and sells them. J On a side note, Earl has a webinar July 5th titled “Practical Steps to Manage Risk and Security in the Internet of Things” if you are more interested in the topic. “http://www.gartner.com/webinar/3337817?srcId=1-4554397745
Application Security is Still Mostly Improvisation. As an application security guy, I was keenly interested in Gartner’s update at this year’s Symposium. In general, the major thoughts were a continuation. During his “2016 State of Application Security,” Gartner analyst Ramon Krikken updated attendees on what clients ask him, and to a lesser degree, what trends he observes in the vendor community. The overall theme of Ramon’s session was that clients still have not “solved” the application security problem. As a matter of fact, they are still asking the most basic of questions, including “how do we find and reduce the security vulnerabilities in large numbers of internal and external apps?” Ramon also mentions that he consistently receives the question “how do I make appsec less of a burden on development?”
From those two basic questions, it was obvious that vendors and end clients are making incremental improvements in addressing application security, but by no means are prepared for a CI/CD/Agile world where the speed will greatly increase.
Four observations that stood out for me in Ramon’s session included:
The “train-test-fix” application security model won’t scale for DevOps. Agreed, and this worries lots of application security veterans, including myself. Do we throw out everything we know, and like Etsy and Netflix, wait until vulnerable applications make it into production and tear them down after the fact? Good questions…
Developers should build secure code, not security code. Architect systems so that security checks are external to business logic and built by security experts. I like the concept, but I’m not sure that’s the biggest problem on the ground where many companies still don’t have 100% testing coverage of their applications.
Future state application security will be standardized, externalized, and automated. Gartner has argued that promising technologies such as Runtime Application Security (RASP) and Interactive Application Security Testing (IAST) will enable organizations to address the application security problem via more automation. We agree, but the rapidly evolving landscape of application development languages and frameworks make any silver bullet technology elusive.
Adaptive Security Architecture and blockchains will redefine trust for digital businesses. Blockchains are no longer just about Bitcoin! Gartner views authentication and authorization on a sliding scale, given context and other factors. Blockchains will be incorporated in new trust models to help organizations interact with 3rd parties via different trust levels.
DevOps and Security
The last area of interest to me was Gartner’s refresh on everyone’s favorite “other” buzzword – DevOps. Senior Gartner analyst Neil McDonald delivered a presentation on what he is coining “DevSecOps,” the mashup of DevOps and security. He also released a “Gartner Top 10 Technologies for Information Security” http://www.gartner.com/smarterwithgartner/gartners-top-10-technologies-for-information-security during the Symposium. Neil provided a cautionary warning that security leaders should not lose the battle of perceptions by being a road bump on the path to DevOps progress. He predicted that by 2020, more than 90% of enterprise DevOps initiatives will have incorporated security controls, up from less than 10% at 2015. That seems like a no-brainer, but part of me wonders more broadly what percentage of companies will actually have made the jump to DevOps by 2020, let alone what percent incorporated security controls.
Of interest, Neil released a Gartner survey of 134 IT and security leaders that stated 41% of IT operations staff believed that security policies and teams are slowing IT down. Surprisingly, roughly 37% of security counterparts felt the same way about security polices and their own teams! I was quietly relieved that Gartner didn’t single out CIOs for this survey – I simply didn’t want to know that 100% of CIOs felt that security policies and teams were slowing down them down. In addition to these numbers, several other key takeaways stood out from the Symposium:
DevOps mistakes create the most common vulnerabilities. According to Neil McDonald, the most common DevOps related security vulnerabilities will come from mistakes – misconfigurations and mismanagement. That makes sense –you now scale your mistakes in a once unimaginable way! I think this points to the complexity of certain DevOps functions and the need for DevOps expertise before you step up you DevOps game.
Use Application Security Tools geared for rapid turnaround and high fidelity results. This is where I agree in concept, but in practice I have the most doubt. Enterprise clients still struggled with coverage issues – automated testing coverage and coverage of their entire application portfolios. Although RASP and IAST hold promise, I’m still not sure there’s an “Easy Button” here that both clients, and analysts, yearn for.
If infrastructure is becoming code, then secure coding principles apply to the templates, scripts, recipes and blueprints that drive configuration. One of Neil McDonald’s last key points was that application security must be scalable through the proliferation of secure templates, scripts, and recipes that drive configuration. He’s right, but here’s where automation falls short. I’d argue that what we’re discussing here is analogous to custom business logic and complex authorization rules – something that a smart appsec person needs to design up front. If you have an automation-centric view of solving the appsec problem, this area could be problematic.
To wrap up, the 2016 Gartner Security and Privacy Summit did not disappoint. There was much to absorb, and many sessions I wish I had attended. I’m still analyzing much of the post-Gartner analysis and chatter, and am more than willing to pass on additional perspective, if interested. Finally, if you are a Gartner client and interested, I can email or DM you the actual session links with presentation decks. Just email me at john at denimgroup.com or direct message me on Twitter (@johnbdickson). I’ll be glad to send you a link with more background on the sessions themselves.
There are other Gartner recaps that have made it up on the web. For their respective observations, visit:
Tenable Network Security Gartner Recap (https://www.tenable.com/blog/security-in-the-digital-age)