Back in Black (Hat): Here’s What Stole the Show

As August comes to a close, we’re reliving the highlights from Black Hat 2023! Our team had a great time at this year’s event, complete with attending (and leading) workshops, launching new products, and of course, memorable evenings in the heart of Las Vegas.

To all the NetSPI team members who attended Black Hat (and DEF CON 31!), and the key players who held down our home base, thank you for making this year’s conference a success! Tapping into this year’s theme, we really are better together. We asked a few of our offensive security experts to weigh in on the key themes, favorite conversations, and more details on what stole the show this year. 

3 Key Themes from Black Hat 2023 

NetSPI Field CISO Nabil Hannan shared four themes from Black Hat:  

1. AI/ML was pervasive across vendors 
2. More focus on AppSec, especially integrating it into CI/CD pipelines 
3. Lots of interest in automotive, aerospace, and IoT security 

Let’s explore these. 

AI Stole the Show 

A key theme at Black Hat was AI leading innovation in technology. Many vendors had AI-powered platforms on display — NetSPI included. Looking at the security industry as a whole, we’re still in the infancy of our collective AI journey. AI is powerful, but navigating this space alone is challenging. 

NetSPI launched AI/ML Penetration Testing to help trailblazing companies stay creative with AI while remaining confident in the security of their new technologies. We’ve only begun to see the changes AI and ML can bring to security, and we can’t wait to build the next evolution together. 

All about AppSec 

Incorporating security into the application lifecycle is easier said than done. Fortunately the industry is increasingly invested in security best practices throughout the development and testing phases to help address common risks. Peek the OWASP API Security Top 10 for the most prevalent vulnerabilities. Nabil noted that application security is being added specifically into continuous integration and continuous delivery (CI/CD) pipelines, meaning development teams have moved beyond AppSec in theory and into implementing it as a process. 

Automotive. Aerospace. IoT. Oh My!  

Digital transformation and Internet of Things (IoT) go hand-in-hand. And if those weren’t enough buzzwords for you, here’s one more: The digital footprint companies have today is vastly larger and more dynamic than ever before. Internet-facing technology holds a higher potential for exposure to threats because it has multiple access points with greater public accessibility. One of NetSPI’s specialties is IoT Penetration Testing across industries to help internet-facing assets remain secure.  

NetSPI Director of IoT and Embedded Pentesting Larry Trowell noted aerospace as a trending industry at Black Hat because of its broad coverage area. As connected devices continue to become a must-have instead of a nice-to-have, security will progress as a necessity. 

Bonus Theme: Azure Cloud Security 

Okay, we’re cheating a little here as this was more a DEF CON theme versus Black Hat, but “hacker summer camp” nevertheless. Our resident Azure security expert and tenured DEF CON volunteer Karl Fosaaen made his way to Vegas for DEF CON 31. This year was extra special as Karl brought his dad along to experience the event for the first time! 

In the wake of Tenable CEO Amit Yoran calling out Microsoft for its handling of vulnerability disclosures, Azure security was certainly a topic of conversation across the community. NetSPI had two opportunities to provide insights on how to navigate Azure cloud security concerns. 

Karl was invited to speak with Ashish Rajan, host of the Cloud Security Podcast, on Azure insecurities, why pentesting must go beyond configuration reviews, the difference between testing AWS versus Azure, practical steps to strengthen Azure security, common attack TTPs, and more. The episode will air on Monday, August 28 – keep an eye out! 

Later at the DEF CON Cloud Village, Karl and NetSPI’s cloud pentesting lead Thomas Elling led a talk titled, What the Function: A Deep Dive into Azure Function App Security. The talk centered around the security risks associated with the increasing use of Platform as a Service (PaaS) resources in the cloud, specifically the use of the Azure Function App service. If you missed the talk, no worries! They followed the session up with a detailed write-up on the NetSPI technical blog. 

What’s it Take to Be a Global Leader?  

Several companies at Black Hat self-proclaimed the title “leader” on their booths, enticing a curious mind to pose a question: what merits the claim of a leader? While we can’t speak for other companies, we can give insight into why NetSPI claims the title of global leader in offensive security. 

The consensus is that third-party mentions from well-known firms such as Gartner and Forrester may convince decision-makers to claim the title of leader in their industry. We’d be remiss if we didn’t agree. NetSPI’s inclusion in Forrester’s The External Attack Surface Management Landscape, Q1 2023 and The Gartner® Competitive Landscape: External Attack Surface Management was positive for our ASM technology platform. 

In addition to third-party recognition, we hold the title of leader because we are trailblazing a path forward in offensive security so that teams have a partner in navigating this complex space. Our suite of offensive security solutions consolidates services with one vendor, giving us a deep understanding of client systems for more tailored recommendations. 

NetSPI Chief of Product Vinay Anand spoke to this in his Black Hat presentation, Defining a Roadmap for Offensive Security. The presentation covered the past, present, and future of proactive security measures, why offensive security is today’s North Star for risk and exposure management, and how to make progress toward an offensive security strategy. Grab Vinay’s slides here.  

Lastly, we invite you to meet our pentesting team, check out our recent research, and view our open-source tools. We guarantee you’ll learn something that could only be taught by leaders in their field. 

Between the learning opportunities, building connections new and old, and having great food and conversation with our trusted customers and peers, Black Hat lived up to its hype. Until next year!