To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schoene, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, Dreamhost | Anders Wallgren, CTO, Electric Cloud | Alexander Polykov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
Here's what they told us when we asked them, "What have I failed to ask you that you think we need to consider with regard to application and data security?"
- What are the macro forces causing problems? Software security is invisible. In the marketplace, you get the same price for software regardless of how secure it is. There’s no incentive to build secure software. Advocate for labeling software and providing transparency for defenses, security, testing, and other simple things. A software facts label like a nutrition label would drive producers to develop better software but someone will have to demand it. Consumers are pulling back from the internet because of concerns with hacks. When will vendors start taking this seriously? We need to create momentum for more visibility. It’s going to get worse before it gets better.
- The future of the cloud and IoT. Applications are currently working in silos. We need to connect all of the applications in a safe and secure way just by using a browser. Apps need to communicate using agreed-upon security protocols.
- Cybersecurity covers a broad space. A chip in PIN cards is supposed to prevent decryption; however, a skimmer in an ATM can trace the movement of data from the card to the machine. Is this becoming a big issue?
- Data security tends to go from prevention (encryption and access control) to detecting and responding to incidents. Not a lot of emphasis on protecting data. How do we secure the data, encrypt access, scan to know where the data resides?
- The risk model for apps running in the cloud is not well understood. The infrastructure is managed better than the data centers. We need to be aware of how changes threaten the surface and which new vectors of attack will become popular.
- Privacy is huge. Credit card data is one thing; however, heart rate monitors, knowing when you’re home or where your car is parked have massive privacy implications since this affects peace of mind. Ask for the absolute minimum you require. Identify process problems, like stop ship, and implement.
- As we become more agile and cloud-based there are more challenges with changes in cybersecurity, as well as security and development in the cloud. What are the challenges for compliance, security, and operations? What security solutions are developers familiar with?
- How is DevOps affecting the security process? Does it help or hurt? Transition to Dev/Sec/Ops. Allow continuous integration with secure integration. Communication between developers, security, and operations.
- Not to belabor a point, but there needs to be a more open dialogue about how realistic it is to expect developers to write more secure code. Is the unrelenting pressure to deliver code on time and on budget with no appreciable performance impact doing more harm than good? Is over-reliance on the status quo delaying the development and implementation of new security technologies and techniques? If so, at what cost? These are the questions we need to reach consensus on as a community.
- How do we go faster securely? Make security an accelerator to increase speed to market.
- There’s another dimension of vulnerability around the hybrid cloud. There is a range of solutions like VPNs. Should we automate the connection? How serious are people about that being a security vulnerability?
- It’s a big topic. Steer toward the client side. Distributed data is no longer the single source of truth. How to harden distributed data? Use small chunks of data because it’s worth less on the client-service side and Hadoop. People are not using block storage responsibly. API protection is a big piece of security. PKI is a given between client/server. Blockchain is not fine, it’s chaos.
- What are companies doing behind the scenes to address security? How prepared are you for a data breach? Are you participating in training with Azure or AWS?
Do you have any additional considerations regarding application and data security that we've failed to raise in this series of posts?