This is part 2 of a series, click here for Part 1
Penetration testing solution and market changes
I’m not exactly sure when Core Security Technologies and Immunity started business, but before then there were no dedicated commercial penetration testing tools. There were a number of vulnerability scanners, and plenty of different “micro” tools to help with different parts of a pen test, but no dedicated exploitation tools. Metasploit also changed this on the non-commercial side. For those who aren’t experts in this area, it’s important to remember that a vulnerability assessment is not a penetration test – vulnerability assessment determines if a system may be vulnerable to an attack, while penetration testing determines if that vulnerability is exploitable.
Update- Ivan from Core emailed that they started as consulting in 1996, and the first version of Impact was released in 2002.
Rather than repeating Nick Selby’s excellent market summary of the three penetration testing tools providers over at IANS, I’ll focus on the changes we’re seeing in the overall market.
- The market is still dominated by services, with quality ranging from excellent to absolute snake oil. Even using a tool like Core, by far the most user-friendly, you still need a certain skill level to perform a reasonable test.
- The tools market is increasing, as Core and Immunity have experienced reasonable growth, with extensive growth of the Metasplit user community.
- Partnerships between vulnerability assessment vendors and penetration testing solution providers have grown. This was pretty much completely driven by Core until the Metasploit acquisition by Rapid7. Core partners with Tenable, Qualys, nCircle, IBM, Lumension, GFI, and eEye. Update- Immunity partners with Tenable, I missed that in my initial research.
- Web application vulnerability assessment tools (and services) almost always include some level of penetration-testing capabilities. This is a technology requirement for effective results, since it is extremely difficult to accurately validate many web application vulnerability types without some degree of exploitation. VA tools tend to restrict themselves to prevent damaging the application being tested, and (as with nearly any vulnerability assessment), can normally be run against non-production targets with less safety, in order to produce deeper and more accurate results.
- Any penetration test worth its salt includes web applications within the scope, and pen testing tools are increasing their support for web application testing.
I expect to see greater blurring of the lines between vulnerability assessment and penetration testing in the web application area, which will spill over into the infrastructure assessment space. We’ll also see increasing demand for internal penetration testing, especially for web applications.
Core will increase its partnerships and integration on the VA side, and could see an acquisition if larger VA vendors (a small list) see growing customer demand for penetration testing – which I do not expect in the short term. The VA market is larger and if those vendors see pen testing client demands, or greater competition from Rapid7, they can leverage their Core partnerships. Core’s Impact Essential tool is the first to target individuals who aren’t full-time security professionals or penetration testers, and run on an automated schedule. While it doesn’t have nearly the depth of the Pro product, it could be interesting for continuous testing. The real question is whether customers perceive it as either reducing their process costs for vulnerability management (via prioritization and elimination of non-exploitable vulnerabilities), or a replacement for an existing VA solution. If Impact Essential can’t be used to cut overall costs, it will be hard to justify in the current economic environment.
As Nick concluded, Immunity will need to improve their UI to increase adoption beyond organic growth… unless they plan to stay focused on dedicated penetration testers. They should also consider some VA partnerships, as they will be the only penetration testing tool not partnered or integrated with VA Update- I was incorrect, Immunity also partners with Tenable. Apologies for missing that in my initial research.. I agree with Nick: Immunity is most at risk in the short term from the Metasploit commercialization. If the UI improves, Immunity could use cost to compete, and some VA vendors might add them as an additional partner.
Rapid7 just jumped from being one of the less-known VA players to a household name for anyone who pays attention to penetration testing. This is a huge opportunity, but not without risks. Metasploit is an awesome tool (I’ve used it since version 1… in the lab), but not yet enterprise class. The speed, usefulness, and usability of its integration will play a major role in its long-term success and ability to springboard off the large amount of press and additional name recognition associated with this acquisition. H D also needs to aggressively maintain the Metasploit community, or Rapid7 will lose a large fraction of Metasploit’s value and have to pay staff to replace those volunteers. Quality assurance, of the product as well as the exploits, will also be important to maintain; this could reduce the speed of releasing exploits which Metasploit is famous for.
Rapid7 also faces risks due to Metasploit’s BSD license. There is nothing to prevent any other vendor from taking and using the code base. This is a common risk when commercializing any free/open source software, and we’ve seen both successes and failures.
Conclusion
Here’s how I see things developing:
- For infrastructure/non-web applications we will see growing demand for exploit testing automation. The vulnerability assessment vendors will add native capabilities, and Core (and Immunity, if they choose) will add more native VA capabilities and find themselves competing more with VA vendors. My gut feel is that VA vendors (other than Rapid7) will only add the most basic of capabilities, leaving the pen testing vendors with a technical advantage until both markets completely merge. That might not matter to most organizations, which either won’t understand the technology differentiation, or won’t care.
- There will continue to be a need for in-depth tools to support professional penetration testers. This market will continue to grow, but will not offer the opportunities of the broader, ‘lights-out’ automated side of the market.
- Overall, the penetration testing tools market will continue to grow. This acquisition and other market trends validate the usefulness of this market, especially in assisting with remediation prioritization – not just problem identification.
- The greatest area of growth will be in web applications, and as I mentioned before the lines between pure VA and pure penetration testing will completely blur in this area.
- All the penetration testing vendors will benefit from the Metasploit acquisition. Immunity faces the greatest mid-term risk, Core the greatest potential for price pressure, and Rapid7 the risk of losing the Metasploit community and seeing their work appear in competing products. All three vendors can manage potential risks, but the answers aren’t necessarily easy.
A bit of disclosure – I haven’t been briefed formally by Immunity, so I could be missing part of their strategy. Although I’ve talked with most of the VA vendors, I haven’t specifically discussed their plans for exploit validation or penetration testing, and I base my conclusions more on conversations with end users.
Reader interactions
5 Replies to “Penetration Testing Market Update, Part 2”
No mention of Saint? The last time I used it, it wasn’t that great compared to a segmented testing approach using Nessus, Foundstone, Spi, Metasploit.. etc….. But, I thought it would be mentioned in something like this as it was the first to merge the 3 together into one product (VA, “Pen-Test”, Web App) from my knowledge.
Otherwise, great article and thanks for sharing!
Scott-
Yes- I know for sure Core and Metasploit include some aspects for social engineering. I suspect Immunity does, I just haven’t been updated on it.
The focus on the tools side tends to be supporting phishing emails and various web-based tomfoolery. I think there is a Core module for a self-executing agent (for USB), but I’m not sure if that’s widely available.
Mike- no argument. I was trying to get the idea across that it’s the process and positioning of pen testing that’s changing, not just the tools. The big deal is the migration to a more continuous process.
Thanks for the nice summary, Rich. As a technie-turned-awareness coach/strategist, I have to ask, “How do you see social engineering-based penetration testing methods fitting in to an over-all strategy – or do you?”
Although you didn’t mention it, that I could see, my guess is that there’s just so much to talk about in terms of technology, that the human side is left for another topic in itself.
As you may know, the Honeystick Project I’m running, sort of crosses the boundary between technology and awareness. As a bit of a benchmark, after 50 devices deployed, I see over 60% of the devices I drop getting used. The obvious question a pen-tester could ask to a client is, “Do you think your staff would do better than this?” The answer could open the door to addressing a more complete penetration testing strategy.
So, I’m curious if any of the vendors you analyzed have a social engineering part to their solutions, and how they fair.
Cheers,
Scott
Your market assessment makes sense, but it makes sense to point out that tools are tools. What’s required is a process, staffing and accountability for something I called “security assurance.” It’s great that Core and Immunity is growing and Metasploit will now (presumably) become more commercial grade. But these tools have to continue climbing the stack (since pretty much all the action is at the app layer), and companies need to make a sustained commitment.
Buying the tool is the first step. Making pen testing (or the broader security assurance) a core part of the technical controls implemented by companies is when this market becomes real. Unless there is someone who’s job description is to “break things” – the tool will become shelfware.
Mike
http://blog.securityincite.com