BreachLock Named Notable Vendor in 7th Gartner® Guidance Framework for Building an Application Security Program

BreachLock, a global leader in attack surface discovery and penetration testing, has been named a notable vendor in Gartner’s latest 2024 Guidance Framework for Building an Application Security Program.


“BreachLock is proud to be included as a notable vendor for application security alongside such security providers as Bishop Fox and Cobalt,” commented BreachLock Founder & CEO, Seemant Sehgal. “As a global leader in penetration testing, our experts understand how applications and API-related data breaches can greatly affect business operations. That is why it is so important to address the increased risk early with customers to help them establish the most appropriate and robust application security program across their software development life cycle (SDLC).”

In the past two years, 60% of enterprises have experienced a data breach caused by weak API security [1]. Gartner survey data shows that 41% of organizations deprioritize security tasks in favor of delivery speed, a common outcome when teams satisfy only business requirements without weighing security [2]. To help security and risk management (SRM) leaders build support for an application security program, Gartner recommends giving stakeholders key data and examples of API-related breaches, together with internal risk assessments such as [3]:

  1. Classification of data and applications by criticality
  2. Results from application security testing (AST), including SAST, DAST and software composition analysis (SCA) scans
  3. Data intelligence and output from threat models
  4. Application complexity, as reflected in code size and test coverage, since complex applications behave unpredictably and are more likely to contain vulnerabilities

At BreachLock, we agree that application security begins with ensuring that customers understand the full extent of their application environment. This means cataloging application assets and initially focusing on a select few applications. These assets may include web and application servers, containers, legacy software, and the APIs that provide underlying services, among others. The inventory covers all data the application stores and transmits, along with its metadata. With that inventory in hand, an enterprise can build a risk profile for each application.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identifies a "secure by design" approach as the most effective way to secure applications and reduce the number of vulnerabilities that reach production [4]. This holistic methodology integrates application security measures throughout the SDLC.

The report also states that risk assessments should be as automated as possible. “At BreachLock, we find that automated application security solutions not only establish a baseline, but our built-in standardization offers consistent metrics that can be analyzed and used to foster stakeholder understanding of how application security can impact business outcomes and overall cyber resiliency,” added Sehgal.

Most enterprises have adopted SDLC processes, but many lack automation and standardization. This is often the result of a mix of challenges, such as a complex supply chain or a recent merger or acquisition. At BreachLock, customers frequently ask how much of their application security testing should be automated. The answer depends on multiple factors, including security and business requirements, SLAs, the applications and APIs in scope, and the security stack itself. Is the technology mostly legacy, or is it mixed with a more modern software development environment? According to Gartner, application security testing is the most commonly automated security activity: forty-five percent of organizations report having automation fully or mostly in place for application security [2].

In the end, application and API security automation must start with an inventory of assets and the prioritization of all critical- and high-severity vulnerabilities, with evidence of remediation integrated into a security dashboard. The BreachLock AI-driven platform provides user-friendly dashboards with evidence in the form of proofs of concept (PoCs) available directly within the platform. A PoC accompanies every vulnerability so that teams understand the context around the potential threat: the severity, the exposure of the affected asset and of adjacent assets, the ease of exploitation of the application or API, and how attractive the target is to an attacker.

A secure-by-design approach to application security is a process that must be maintained long-term across the SDLC, starting with ideation and design and continuing through development, deployment, and maintenance. This upfront investment not only saves cost and effort by fixing vulnerabilities early in the development lifecycle, but can also put enterprises on the road to long-term resilience against emerging threats.

References:
[1] Michael Vizard (15 Sept 2023). Cyberattacks Increasingly Target APIs. Security Boulevard.
[2] 2023 Gartner Security in Software Engineering Survey, conducted online from 7 June through 14 July 2023.
[3] William Dupre (2024). A Guidance Framework for Building an Application Security Program, page 3. Gartner.
[4] Secure by Design. Cybersecurity and Infrastructure Security Agency (CISA).

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Download the BreachLock API Security Guide or read the latest blog on How to Build an Application Security Program.

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
