Invicti Insights: Experiences and lessons learned from Black Hat USA 2023

With another successful Black Hat 2023 in the books, we sat down to chat with some of Team Invicti about their experiences at the show, lessons learned, and what they think everyone should take away from this year’s conference.


We came, we saw, we connected! As another Black Hat USA wraps up, Invicti is reflecting on everything that made an impact during this year’s event in Las Vegas. Our booth was bustling as more than 20,000 security professionals and seasoned developers gathered to share knowledge, trade wisdom, and talk about the future of digital security.

Our subject matter experts were at the booth, sitting in on panels, and presenting must-hear information about the latest trends in exploits and flaws. Invicti’s CTO & Head of Security Research Frank Catucci presented alongside our Distinguished Architect Dan Murphy about the MOVEit Transfer attacks and ways to identify related flaws through dynamic application security testing (DAST) – important to avoid similar data breaches in the future.

Inside and outside our booth, there was no shortage of good conversation and thought-provoking panels to enjoy at this year’s Black Hat USA. Mostly, it was about the people we met and the connections we made – those personal interactions and valuable takeaways help us inform and shape what we do here at Invicti. To share those insights with you, we sat down with Catucci and Murphy, along with our Director of Product Management Jonny Stewart, to get the full scoop on what resonated with them most at the conference and what they’re taking away from it as lessons learned.

Frank Catucci, CTO and Head of Security Research
Dan Murphy, Distinguished Architect
Jonny Stewart, Director of Product Management

What were a few of the biggest themes you saw at Black Hat 2023?

Dan Murphy: Generative AI was everywhere. The keynote of Black Hat featured the topic prominently. The intro to the keynote on the topic featured smoke, lasers, pounding bass, and an AI-generated announcer voice. It was pretty amazing, but I wondered if it was being wryly self-aware, playing a bit on the hype that suffuses so much of the generative AI conversation. Don’t misunderstand me – generative AI is big, and it is going to be an inflection point within the industry.

Frank Catucci: I had the same experience as Dan, seeing AI everywhere. There was a sense of AI fatigue from a practitioner standpoint, and I think more people are looking for more real-world value in products from AI. But I also assume this is just the beginning for AI.

With regard to AppSec in general, the most common themes I saw emerge would be the shift to single-platform solutions, and consolidation with application security posture management (ASPM) taking more of a dominant role in security. A close third for a common theme that I saw was the importance of including API security in your overall strategy.

Jonny Stewart: The biggest themes I saw were AI and all things related to APIs. There was even a talk about GPT hype, and the walk-on sounds and intro were AI-generated as Dan and Frank mentioned. The balance is figuring out where it can be a tool to solve a problem, rather than a tool looking for a problem to solve. I feel we’re near that inflection point where AI will cross the chasm.

AppSec and consolidation of AppSec was also a large theme I saw, with many firms moving to consolidate their AppSec offerings and preparing for customers who are looking to consolidate vendors. Discussions around APIs were significant in terms of firms in the market, with some very interesting approaches to the foundational AppSec area of static application security testing (SAST). DAST remains, to me, the easiest to set up and get low-noise results from.

What do you think are key takeaways or emerging trends from this year’s show?

Dan Murphy: Despite generative AI being a major theme, there was still a significant majority of both booth and talk tracks aimed at other important security areas. Application security was significant, as were vendors targeting cloud-native application protection. The startup area was looking healthy and was active, which is perhaps indicative of the trend towards consolidation in the industry.

Frank Catucci: The biggest takeaway for me was the convergence of AppSec, cloud, and cloud-native application protection platforms (CNAPP). We’re really seeing application security posture management (ASPM) and cloud security posture management (CSPM) emerging as the key approaches for mitigating risks to cloud-based deployments.

Jonny Stewart: When it comes to emerging trends, I see firms consolidating existing offerings or building new ones to widen the number of issues they can find and solve. For example, API security folks using open source DAST scanners to get basic results, or CNAPP vendors putting a toe into foundational AppSec technologies. Consolidation to fix such issues seemed to be a key trend at Black Hat.

Were many organizations talking about the importance of API security?

Dan Murphy: I spent time checking out the booths of all of the main API security vendors, as well as speaking to customers looking to scan their APIs with dynamic scanning. Some of the common messaging here was that API security encompasses a wide spectrum of capabilities, including discovery, monitoring and inventory, runtime protection, and security testing.


For customers that are more development-oriented and have specifications that they want to scan, a DAST tool is a great start. However, customers with a broader need may also want to look at other tools that are stronger in other areas. A winning combination is to use the best of both worlds and combine the strength of the deep scan of a dedicated DAST tool with the supporting capabilities of other products.

Frank Catucci: Common messages I saw revolved around the importance of discovery and attack surface from an API perspective. That was followed by actual testing and the vulnerabilities found on those discovered APIs. Broken object-level authorization (BOLA) and insecure direct object reference (IDOR) remain prevalent areas of focus and concern for many organizations, too.

Jonny Stewart: API security was talked about by both incumbents – like DAST players who have been scanning APIs for years – and also new entrants who focus purely on API scanning. The starting point is API discovery, then scanning with a focus on running apps and on looking for abnormal requests to an endpoint to identify potential findings.

What would you say is one of the most important things you saw or experienced?

Dan Murphy: While wandering the floor, I found myself musing about the sheer size and scale of the security industry. Passing colorful booth after colorful booth and interacting with people from around the world, I was struck by the full scope of the mission. This idea was reinforced while idly picking a lock over some nachos with a new acquaintance – the systems that we are trained to trust and build on top of are never as solid as we are led to believe.


At the Invicti booth, we gave away a few Flipper Zero devices, a kind of Swiss army knife for hacking, to those brave souls who had the fortitude to sit through our booth talk. When I checked into the hotel, I was struck by how the whole process was automated, with a machine that flashed each hotel key from a QR code. I’ve seen the Software Defined Radio on the Flipper used to clone and replay NFC hotel keys.


Digital and physical security become more closely intertwined each year – there is a lot of good work to do to keep people safe!

Frank Catucci: For me, it was by far the ability to network and meet with people from the industry, collaborating with them in conversation about security and the industry in general. There is still a very large focus on security for the right reasons of helping businesses and individuals stay safe – if you can filter out the sales and marketing pitches.

Jonny Stewart: It’s the ability to condense what would be weeks of planning and meetings into 2–3 days, going back to back from several partners and customers. I love meeting customers face-to-face in a relaxed atmosphere. This accelerates learning of the industry and it also progresses projects we have live or in planning stages. The personal relationships made over breakfast, dinner, or beer come home with you and last for years. A real benefit to us, and the industry.

As we decompress from Black Hat USA 2023, we’re looking ahead at what’s next

Out of all the buzz and hype, we’re thrilled to see that the importance of API security was a prime topic of discussion, along with efforts to streamline security tools for more efficiency. As the industry moves toward single-platform offerings that consolidate critical testing types into one, it’s crucial that we keep those conversations going.

Most importantly, we’re excited about the connections we made, the wisdom they bring to the table, and their unique perspectives on cybersecurity. Dan Murphy echoes this sentiment:

It always strikes me as odd how a conference ostensibly about technology ends up being about people each year. Whether it be meeting partners that helped turn a tech brief into a working demo, admiring the hustle of a first-time founder working the room, or the many “Zoom phantoms” whom you finally get a chance to meet in person, it is the personal interactions that ultimately are a key part of the experience.

Those interactions lead to lasting connections that enable us to work smarter and move forward together – which is invaluable in such a dynamic industry.

We’ll see you at next year’s show!

Meaghan McBee

About the Author

Meaghan McBee - Marketing Content Team Lead

Meaghan is a Senior Marketing Content Writer at Invicti with over a decade of experience creating written content in the tech industry. At Invicti, she leverages the voices of our subject matter experts and insights from industry research to deliver news, thought leadership, and product information to the masses.