DZone Research: Keys to Security, Part II
Here is the second installment of the Keys to Security, exploring education, data, and security by design.
When deploying initial business apps, it is important to identify what you are most worried about. Were you backing up against risk or leaning into risk? Do you have network and security personnel for the cloud? Do you know why you’re choosing the cloud that you are? How do you bring your network and security guy with you to the cloud? How can you get up to speed quickly on the benefits and pitfalls? Your network and security team(s) need a crash course on cloud security.
- It comes down to people. Developers, engineers, and staff must be educated and understand that security is very important. Educate your staff on least-privilege access: only access the things you need to access. If someone needs elevated access, provide it and get out. If there is a compromise, minimize the damage.
- It starts with leadership. There has to be an organizational commitment that security is important. Once an organizational commitment is in place, you need to train your teams and provide coaching through a center of excellence (or some similar structure) so that there is repeated learning across your teams. Along with training, you need to create an integrated toolset (secure CI/CD pipeline) that provides a federated view of security across your development, testing, and operations teams. Following that, you need to make sure any output from your project teams is translated into business concepts like risk, compliance, and resiliency. That means focusing on building a sustainable security program. You have to build security without hindering the business from moving forward.
- 1) User awareness is paramount when it comes to application and data security as the human factor continues to be the weakest link in the chain.
- 2) Advanced threat detection mechanisms are key — These days, the question is not “will I be breached,” but “when.” That understanding mandates forward-thinking organizations to seek solutions that will provide visibility to the operations of intruders in their networks.
- 3) Advanced authentication mechanisms play an important role in enabling multi-factor authentication on valuable enterprise assets.
- Know the unknown. You have application assets serving customers on a continuous basis. Risk assurance and management. From there, apply the right application of security techniques. Along with that, make sure that as you are developing new applications and releasing them you've identified the right inflection points in the software lifecycle for testing. Lastly, when developers are trained and have the right subject matter expertise with regard to secure design patterns, they produce more secure software from the get-go.
- 1) Protect data by using a security platform with tools.
- 2) For those in enlightened organizations, a security data platform isn’t any different than a data platform beyond the vendor security product stack. Get rid of silos — data security should not be different than data management. Data loss prevention needs to go beyond the data analyst with different jobs.
- Understanding the complexity of where the data is with different cloud vendors and wrangling developers. Sprawl makes this a challenge. All of the developers are being pressured to move fast and deploy. They need access to real production data. How do you move fast and give people access to data without exposing PII? Recognize the original production records. For every one of those records, there are five to ten copies of records. 80 percent of enterprise data is derivative. We focus on securing the other 80 percent when you make copies of those records. You will need to rewrite to contain fake, masked data.
- It is important to have a trusted advisor to help identify the holes and provide visibility into what is not secure. What are the assets? What are the vulnerabilities? Launching scanners, vulnerabilities, phishing. Figure out what the issues are and what data is vulnerable.
- Moving data is where you get into trouble. When creating data copies, it gets impossible to keep secure and business metrics consistency is lost. It is crucial to keep the data where it landed. Secure it, encrypt it, and implement data access control. Customers in Hadoop with Kerberos to secure. When you start moving it, the security controls are gone. Whatever the BI tool is, the user should be the one running the query. Delegated authorization.
Security By Design
- Grant the right permissions for administrators or secure by default — This allows for the highest possible security.
- Security must be incorporated into the earliest stages of system design and be a priority throughout the system’s development and operational lifecycle. It should start with fundamental awareness from the engineering team. From there, security subject matter experts should guide design while continuous integration pipelines should integrate security checks deep into the daily development process. An underlying key element to mention, as well, is automation. This drives repeatability and confidence over the long run. Covering the basics first is important and, most of the time, not difficult. A true "0-day" is scary and organizations should be prepared to deal with them, but a majority of their focus should be on doing the simple things right in a repeatable fashion.
- When developing our solutions, we hired an IT security application, allowing for security by design from day one. We rearchitected everything from monolithic to a stateless microservice. We have done a lot of thinking about security on behalf of our customers. When talking to customers, we give them a lot of best practices that are network and firewall focused. When hosted in the cloud with Docker, Kubernetes with a fully firewalled environment. We don’t have to educate our customers that much. Our goal is to make it simpler for customers to deploy a secure solution, with all external validation for pen testing and denial of service attacks. A lot of on-prem assistance that’s virtualized in the cloud may be running on an old system with holes, adding a lot of risk. If you take on-prem as the legacy, you cannot contain the security threat to the same extent.
- The most important element is to have security in mind all the time and in phases. For developers, it is design, development, testing, and QA. For the whole organization, it is making security something considered with every decision made — whether that be new business, change of supplier, new technology, or HR processes. Secure thinking reduces risks to the organization and ensures activities are organized and managed.
- Design is one of the most important elements of security, although it’s usually an afterthought, which is a mistake for organizations. A lot of times we see organizations try to layer on security after the fact when it should be part of the planning process. Additionally, companies need to continuously educate their employees on security and why it’s so important.
- Some important elements are 1) embed security in SDLC process, 2) secure software engineering, 3) security/privacy by design, and 4) security as a shared responsibility.
- Seeing convergence of identity owned on the IT side, while the security side does not want to provide access. To protect data, applications, and people, we're beginning to see the convergence of these two groups. It tends to be different in every organization. To provide better protection, these two groups need to come together.
- In modern application and data security, the speed of response is one of the most important areas. This calls for modern software changes in production environments on a daily and weekly basis. Vulnerabilities within applications that allow a remote attacker to extract data are considered a priority one (P1) vulnerability. Organizations that have P1 vulnerabilities within their applications put their data, organizations, and brand at significant risk. Having automated security tools that continuously assess for P1 vulnerabilities is extremely important for both application and data security. We believe security assessments are not enough. These tools need to accelerate the rate at which fixes can be found, verified, and integrated back into production to keep pace with the speed of modern software changes. Some folks call this practice DevSecOps. We call it essential for modern application and data security.
- Vulnerabilities are mistakes introduced by software development teams. It's a human problem that needs to be addressed. All solutions help make customers smarter about security. Reports identify root causes and detailed remediation advice.
- The pain point is the password and password management. This won’t be replaced anytime soon with the cloud. You need a password for encryption.
- 1) Sender Policy Framework (SPF) helps recipient domains validate that the sending mail server is approved. 2) DomainKeys Identified Mail (DKIM) is a cryptographic solution that uses a public-private key pair to verify that the content of the message hasn’t changed since it was sent. 3) DMARC (Domain-based Message Authentication, Reporting, and Conformance) allows the domain owner to set a policy that requests that the recipient domain, if something fails, do nothing, put the message in spam, or not accept the message at all. This includes the daily report from all of the ISPs that gives an aggregate count of what they saw and pass/fail feedback on how your own messages are performing. You can see spoofing or phishing. Make sure all three technologies are set up, configured, and working.
- How do we make DevSecOps part of the normal cadence of the pipeline? You do this kind of testing for security to make sure that this happens every time. Equifax and Struts: you can’t stop doing vulnerability testing after you ship. You must continue monitoring for things in your supply chain after you make it live. An open source library may already be in production with a vulnerability. This is why you need to test before and after you ship.
- In the past, the focus was mostly on securing the environment. Today’s focus is on the application — the application is what drives the business value. Recoupling the value and app allows for a real risk measure to be applied by the business owner. Measuring this risk and responding to it are the most important elements. The next big step is to automate the response and remediation of the risk, making sure it doesn’t happen again. This is where a shared platform approach can increase efficiencies. For example, once a remediation is activated on a platform by one team, it can be shared by the platform across all teams, thus reducing the cost of remediation for subsequent scenarios.
- Malware analysis and detection — We see certain people going in different directions. Organizations used to rely on antivirus. Now, they know it’s not enough. They use more sophisticated technology. There is, however, a lack of the right technology and manpower to implement into enterprises. This is why you need to provide a technology that helps with a unique approach and work with the manpower shortage.
- Detection and prevention of vulnerabilities from getting into production and real-time/run-time security to detect zero-day application exploits.
- Key drivers for security solutions are about availability and making sure that, whatever the app is, it will be available when a customer attempts to access it. This includes infrastructure, availability, and performance, directing end users to the website route to best-performing web applications. Digital protection makes sure that the site is available through DDoS, web app firewalls, content caching, and acceleration.
- As enterprises look to move faster through agile development and digital transformation initiatives, it is important that the security processes and infrastructure support that accelerated pace. Some organizations may need to significantly change their culture, from one of siloed organizations in development, IT operations, and security, to “shift left” and bring together these teams that have traditionally become involved later in the cycle. Whether the company calls this DevSecOps or simply creates teams that span these functions as part of the applications development process, it is critical to deploying reliable, trusted applications that meet the time-to-market needs of the business.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curphey, CA SourceClear
- Stuart Scott, AWS Trainer /Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Manager, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R&D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa