To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schone, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, DreamHost | Anders Wallgren, CTO, Electric Cloud | Alexander Polyakov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
Here's what they told us when we asked them, "Do you have any concerns regarding the current state of application and data security?"
- Yes, that’s a tremendous understatement. Our software is quite vulnerable. According to a Verizon study, there are 22.4 serious vulnerabilities in each application. We trust our lives to airplanes but we do not trust our businesses to software, yet we don’t maintain and secure software nearly as well as we maintain and secure planes. The level of our adversaries is quite advanced. There are tons of vulnerabilities. I am stunned we don’t hear of more breaches. Applications have been the leading cause of breaches for the last nine years (Verizon study). Financial services had 719 breaches, and applications were the root cause of 82%. We’re spending a great deal on information security around firewalls and antivirus. We need to be protecting applications.
- The last two years have seen a change in thinking in organizations. They see that security is a problem and they are committed to fixing it. A cost of moving to the cloud is the need to secure the data.
- It’s unfortunate that there are still common vulnerabilities like SQL injection. We need to get rid of common vulnerabilities by using frameworks that prevent these types of vulnerabilities. We need to educate people on the vulnerabilities of different frameworks.
- The current approach with fancy gadgets will work in the short term but it’s treading water since attackers will ultimately get past the tool. It’s a “cat and mouse game.”
- It’s going to get more interesting. It’s becoming harder to trace maliciousness as people get sneakier and spin up cloud services. Maliciousness is easier to accomplish. Security companies like CyberSource and MaxMind need to bond together to ensure a fair pricing model protecting SMBs from malicious attacks. Keep the end user in mind.
- IoT devices are getting ahead of security. This is more secure but exposes you to new types of attacks into your home. Someone hacking your home is scarier than someone hacking your bank account – you lose peace of mind. Have the most skepticism – are they talking about security?
- The definition of IoT with IP interfaces on everything. As you scale at speed, you have more security issues.
- Too many organizations are not looking at the research and strategies as a first step before buying a tactical solution.
- Companies taking security seriously.
- 1) It’s a difficult topic and there is always room for improvement with developers and engineers, who need to go through deep training. Education does not focus on security. 2) Problems on mobile devices. We have PCI DSS standards, and audits are already at 3.2, but there is still a minimal focus on mobile devices. Servers and data centers get much more attention. There’s a wide penetration of applications on mobile that are not covered by PCI DSS. In Europe, wiring money on mobile devices is very popular. The communication is secure; the problem is the standards. However, now when using two-factor authentication the mobile device is serving both functions, thereby foregoing the benefits of two-factor authentication.
- The level of awareness and the underinvestment in application security. Awareness and budgets are changing slowly.
- Nothing specific, it’s always changing.
- There is always a different breach every day. It’s a “cat and mouse” game with hackers. Developers are not part of the security team. More universities are bringing in courses about secure development – it is needed as a core piece of engineering skills. We provide education with our product. Knowledge of security needs to come earlier.
- Let’s continue with the theme of the last question. One of the consequences of a lack of innovation is the bad guys continue to find vulnerabilities faster than the good guys can fix the problems with nothing to meaningfully disrupt the cycle. We need some fundamentally different approaches to regain ground taken by malicious hackers.
- Once you get a taste of security, you become more vigilant. It’s less about the cloud and more awareness of how quickly things are changing. Enterprises have different requirements and they don't think and move as quickly as smaller companies. Secure cloud infrastructure, but above that is the client’s responsibility with workloads and apps. Know what’s running, what’s been touched, and the systems and platforms necessary to adopt quickly.
- Government agencies have become quite sophisticated, but so have the bad guys. It’s a constant race.
- I still see a gap between operations, security, and innovation and development. Where development and innovation shorten the cycles, operations and security are becoming bigger and bigger concerns. I do believe DevOps can help bridge the gap. Nothing is going to be solved quickly.
- Too many resources are being spent on the basics and not enough on agility and automation.
- Hackers are getting smarter. Always be prepared.
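One respondent above singles out SQL injection as a vulnerability that frameworks should have eliminated by now. The example below is added here to make that point concrete; it is not code from any of the executives or companies quoted, and the in-memory `users` table, the two lookup functions and the `demo()` helper are all constructed for illustration. It contrasts a query assembled by string concatenation, where user input becomes part of the SQL text, with the parameterized query that database drivers and ORM frameworks use, where the value is sent separately and can never be parsed as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): three users, one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Query built by concatenation: whatever is in `name` is spliced into the SQL text."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value, never as SQL syntax."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    """Run both lookups on a normal name and on the textbook tautology input.

    Returns a dict so the outcome can be inspected (or asserted on) by a caller.
    """
    conn = make_db()
    normal = "alice"
    tainted = "' OR '1'='1"  # constructed input: a quote followed by an always-true clause
    return {
        "vulnerable_normal": find_user_vulnerable(conn, normal),
        "safe_normal": find_user_safe(conn, normal),
        # concatenation turns the WHERE clause into `name = '' OR '1'='1'`, matching every row
        "vulnerable_tainted": sorted(find_user_vulnerable(conn, tainted)),
        # the bound parameter is compared literally, so no user has that name
        "safe_tainted": find_user_safe(conn, tainted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The behaviour difference is the whole lesson: both functions return `['alice']` for a normal name, but the concatenated version returns all three users for the tainted input while the parameterized version returns nothing. A framework that only exposes parameterized queries or an ORM removes the vulnerable pattern entirely, which is what the respondent means by "frameworks that prevent these types of vulnerabilities"; the residual risk is code that bypasses the framework with raw string building, which is worth grepping for in review.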
What are your biggest concerns with application and data security?