Security Product vs Service Company
The Lines Are Blurring
NopSec started as a penetration testing service delivery company at my kitchen table. The company then expanded to provide consulting services to more and bigger clients. The one-time security penetration testing baseline assessment then evolved into an on-going Software-as-a-Service (SaaS) company focused on security vulnerability management (VM) and ongoing remediation workflow platform. Now, NopSec offers services and products that co-exist and thrive together.
I always found amazing then about how – when we went to raise venture capital – venture capitalists considered service revenue as a less important relative to the product revenue, and how adamant they were in investing in a product, not service, company.
I definitely could understand that investors preferred investing in a business with recurring revenues like a SaaS product company. However, for an offensive security company like NopSec consultant-rendered services is in our DNA, and forms the foundation of our research efforts.
As one of the latest and biggest security mega-trends, VM is growing up to become a full-blown cyber-hygiene and resilience program, leaving the vulnerability scanner centric network and web application security assessments to become part of an overall vulnerability risk and assurance program.
In this context, vulnerabilities can be discovered by scanners and then validated and prioritized by Machine Learning (ML) algorithms. Control Validation automated workflow can be started from the vulnerabilities found, all the way to lead to total network and web application compromise. Automated workflows can be started that take the identified vulnerabilities as a starting input, and attempt to perform network and web application exploitation in order to validate whether security controls are effective.
Lateral movement for Control Validation and Automated Adversarial Simulation can be started by a product-based automated process to prove that an automated “smart” process can lead his way into total network and system compromises.
Much like piloting a drone plane, the automated lateral movement process can then be disengaged for the expert penetration testers to conduct surgical and highly-skilled operations, much like drone pilots.
So we can see that just because security products are getting smarter, that does not mean we do not need services and “smart” consultants to lead the way in the last “mile”. Automation techniques can never fully replace the creativity of a penetration tester.
The latest Merger and Acquisition (M&A) trends in the security industry confirm this theory, with many acquisitions of service companies by product centric companies, including most importantly the Fireeye acquisition of the Mandiant service and consultancy business.
At NopSec, we use highly-focused / expert services to measure security baselines for networks, policies, and web applications at a point in time. And then we enroll the organization in an on-going SaaS vulnerability management program that imports vulnerability results from the most common vulnerability scanners in the marketplace, prioritize them based on threat-based ML Algorithms and then facilitate the remediation process through a semi-automated workflow for vulnerability and asset management.
Once this process is fully established, the assurance program – based on the business security maturity program – can come full circle by enabling security control validation using automated algorithms that start from the vulnerabilities discovered and proceed to total system and network compromise.
The Security Control Validation and Adversarial Simulation can go from automated to surgical red-teaming engagement with the involvement of highly skilled penetration consultants that interact with the client blue team.
In our field of offensive security, as well as other related security fields, the line between products and services is blurring in companies. NopSec is working to link automated product-based vulnerability management and control validation procedures with adversarial simulation red-teaming consultant-based engagements.
At the end of the day, at NopSec services and penetration testing engagements have always been the back-bone of our product innovation and Research & Development.
And I think this is the direction the industry will be shifting to.