
DZone Research: Security Concerns (Part 1)

Check out this segment of DZone research on security concerns about the lack of knowledge and governance, as well as the increased speed and efficacy of attackers.

To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, the response to this topic was unlike any we have seen for previous security research guides.

We asked them, "Do you have any concerns regarding the current state of security?" Here's what they told us:

Knowledge

  • Not knowing the identity of your customers and those accessing the database. Triangles of money laundering are going 11 layers deep. A traditional DB cannot go that deep without tapping out in real time. You need to be able to update systems in real time to take advantage of connections that will create triggers to create action. 
  • Lack of knowledge.
  • Lack of knowledge and education. Adoption of open source software leads to more exposure and more risk. Developers don’t understand the significance of the issue. They aren’t thinking about how to encrypt and decrypt. We need education for developers and end users. 
  • The primary concern for most companies is speed to market. Organizations need to go through a cultural shift so everyone in the company realizes security is their responsibility. 77 percent of applications have a vulnerability in them the first time they are scanned. Only 27 percent of healthcare companies have implemented application security. When application security programs are implemented, there’s a 35 percent improvement in the quality of code. 
  • There is a growing need for skills, manpower, and technology. 
  • The classic concern is that people are not sufficiently aware, but organizations are beginning to see security as an issue. Now, we hear "which security do I need?" versus "do I need security?" 
  • People today are much more tech-savvy than they have ever been. There are many benefits to an always-on society, but it also opens the door for more breaches to occur. Newer generations are very quick to give out their personal information online, without fully understanding the threats or potential attacks. We are a society that is obsessed with instant gratification, and because of that, cyber safety often becomes an afterthought. This is why continuous education becomes so important — security needs to become a part of everyday life. 
  • One of my biggest concerns is the speed at which we’re moving — the rush to migrate, the rapid introduction of new security services and tools, how a malicious attack can transform your business overnight — is working against the application of best practices. Skills factor into this, but I also think there is a lack of awareness of the security services and tools available to mitigate such risks. AWS recently released its Certified Security Specialty exam, which is a great opportunity to learn about all of the core services available (infrastructure security, identity and access management, encryption mechanisms, data protection, logging and monitoring, and incident response) to keep data and applications safe, even if certification isn’t your goal, and it allows security professionals to validate and demonstrate their knowledge across those areas. These certifications relating to cloud security help professionals and the companies they work for, demonstrating their skills and understanding, which offers a level of reassurance to all.
  • The never-ending onslaught of security threats, especially phishing and hacking attempts, means that everyone inside a company needs to be responsible for security and have the resources to do so. Security teams must play a major part in making security a focus of business culture by acting as the main advocates for more holistic, collaborative security. 
  • As enterprises are increasingly moving to the cloud, there’s a significant shift in the ownership of security towards a shared responsibility model between the cloud provider and the customer. Largely, aspects of infrastructure security, basic network security, and IAM are in the cloud provider’s domain, while application security is solely the customer’s responsibility, since the cloud (IaaS) provider is deliberately uninformed of the nature of the customer’s application workloads. The issue is that many enterprises have been slow to make that shift, in terms of budgets, in-house expertise, and attention. Essentially, they are fighting yesterday’s battles, while the market, and the nature of attacks, are shifting. It will take time for organizations to close the knowledge and skills gap around these new cloud-native technologies. This is creating severe gaps in cloud security, where we see incidents due to a very basic lack of security best practices, monitoring, and enforcement. The recent breach at Tesla, which was due to an unauthenticated, publicly visible Kubernetes console, is an example of such a gap. 
  • Yes. With attacks evolving in severity and frequency, a lack of employee security awareness training, and a lack of IT security professionals (i.e., a shortage of people to fill all the possible IT security jobs), the stakes have never been higher than they are today. Even if we don’t know what we don’t know, there may not always be staff to tackle security issues in as dedicated and detailed a way as they may require.

Governance/Policies

  • Not knowing where all of the data is and not having a governance policy that’s codified for managing data.
  • Two levels of maturity: the paranoid and the stork. The paranoid try to over-engineer for security, multi-layer upon multi-layer. The other extreme needs to do all that, but they're working on it with no processes and policies in place, so no progress is made. Sadly, you can see the same extremes in the same organization due to teams or silos. 
  • Attend any conference, and you will see the proliferation of development-focused security tools. There are so many brands and categories promising to catch and detect what their competitors cannot. However, while there is a role for technology to enhance a development team’s security practices, it cannot replace security fundamentals. Often, we see organizations focusing too heavily on technology solutions and not enough on improving the basics, such as training, recruiting the right mix of personnel, or periodically evaluating the mix of technologies deployed across the enterprise to ensure full coverage and optimal operation. Either could lead to gaps in people, processes, or technology, putting the organization at serious risk. 
  • Application development and deployment are being revolutionized with containers, and it’s easy to lose focus on security when the pipeline is becoming so automated. However, there is a better opportunity now to automate the application security policies as part of the workflow.
  • Yes. We have been talking about security for decades, but problems still persist. By now, we should no longer be struggling with the fundamentals. Part of the problem is a lack of empirical models that describe cybersecurity. A lot of our evidence is experiential, which is necessary to have. But, we need to get to a consistent set of models that explain this domain. There has been some work done on attack trees, requirements, and the SDLC, but we still have a long way to go. 
  • Lack of knowledge. We're doing what we've never done before, and no one knows how to secure it relative to the sophistication of attackers.
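Two of the concerns above point at the same practical step: the respondent who cites an unauthenticated, publicly visible Kubernetes console as the result of missing basics, and the respondent who notes that an automated container pipeline is the place to enforce application security policy. The Python below is an added example, not code from this article or from any respondent's organization, and it is not a reconstruction of the Tesla incident. It runs a policy-as-code check over rendered Kubernetes manifests so a CI stage can fail the deploy before anything reaches the cluster. The manifests are constructed samples and the function names (`check_manifest`, `gate`) are hypothetical; the flag names it inspects (`--anonymous-auth`, `--authorization-mode`, the dashboard's `--enable-skip-login` and `--enable-insecure-login`) are real kube-apiserver and kubernetes-dashboard options.

```python
"""Policy gate for rendered Kubernetes manifests (added example, not from the article).

Flags the class of misconfiguration behind an unauthenticated, publicly reachable
console: anonymous API access, AlwaysAllow authorization, a dashboard started with
login bypass flags or exposed on a LoadBalancer/NodePort, and cluster-admin handed
to a ServiceAccount or to anonymous principals.
"""
from typing import Dict, List

Manifest = Dict


def _container_args(manifest: Manifest) -> List[str]:
    """Collect command + args of every container in a Pod or Deployment."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Deployment":
        spec = spec.get("template", {}).get("spec", {})
    args: List[str] = []
    for c in spec.get("containers", []):
        args += c.get("command", []) + c.get("args", [])
    return args


def check_manifest(manifest: Manifest) -> List[str]:
    """Return policy violations for one manifest; empty list means clean."""
    findings: List[str] = []
    kind = manifest.get("kind")
    meta = manifest.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    is_dashboard = meta.get("labels", {}).get("k8s-app") == "kubernetes-dashboard"
    args = _container_args(manifest)

    if kind == "Pod" and name.startswith("kube-apiserver"):
        # kube-apiserver accepts anonymous requests unless this is set explicitly.
        if "--anonymous-auth=false" not in args:
            findings.append(f"{kind}/{name}: --anonymous-auth is not set to false")
        for a in args:
            if a.startswith("--authorization-mode=") and "AlwaysAllow" in a:
                findings.append(f"{kind}/{name}: authorization mode includes AlwaysAllow")

    if kind == "Deployment" and is_dashboard:
        for flag in ("--enable-skip-login", "--enable-insecure-login"):
            if flag in args:
                findings.append(f"{kind}/{name}: dashboard started with {flag}")

    if kind == "Service" and is_dashboard:
        svc_type = manifest.get("spec", {}).get("type", "ClusterIP")
        if svc_type in ("LoadBalancer", "NodePort"):
            findings.append(f"{kind}/{name}: dashboard exposed via Service type {svc_type}")

    if kind == "ClusterRoleBinding":
        role = manifest.get("roleRef", {}).get("name")
        for subj in manifest.get("subjects", []):
            if role == "cluster-admin" and subj.get("kind") == "ServiceAccount":
                findings.append(f"{kind}/{name}: cluster-admin bound to ServiceAccount "
                                f"{subj.get('namespace')}/{subj.get('name')}")
            if subj.get("name") in ("system:anonymous", "system:unauthenticated"):
                findings.append(f"{kind}/{name}: binds {subj.get('name')}")
    return findings


def gate(manifests: List[Manifest]) -> List[str]:
    """Run every manifest through the policy; a non-empty result should fail the pipeline."""
    out: List[str] = []
    for m in manifests:
        out += check_manifest(m)
    return out


DASH_META = {"name": "kubernetes-dashboard", "labels": {"k8s-app": "kubernetes-dashboard"}}

# Constructed sample bundles (not taken from any real cluster).
WEAK = [
    {"kind": "Pod", "metadata": {"name": "kube-apiserver-node1"},
     "spec": {"containers": [{"name": "kube-apiserver",
                              "command": ["kube-apiserver", "--authorization-mode=AlwaysAllow"]}]}},
    {"kind": "Deployment", "metadata": DASH_META,
     "spec": {"template": {"spec": {"containers": [
         {"name": "kubernetes-dashboard", "args": ["--enable-skip-login"]}]}}}},
    {"kind": "Service", "metadata": DASH_META,
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kube-system"}]},
]

HARDENED = [
    {"kind": "Pod", "metadata": {"name": "kube-apiserver-node1"},
     "spec": {"containers": [{"name": "kube-apiserver", "command": [
         "kube-apiserver", "--anonymous-auth=false", "--authorization-mode=Node,RBAC"]}]}},
    {"kind": "Deployment", "metadata": DASH_META,
     "spec": {"template": {"spec": {"containers": [
         {"name": "kubernetes-dashboard", "args": ["--auto-generate-certificates"]}]}}}},
    {"kind": "Service", "metadata": DASH_META,
     "spec": {"type": "ClusterIP", "ports": [{"port": 443}]}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-minimal"},
     "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kube-system"}]},
]

if __name__ == "__main__":
    for label, bundle in (("weak", WEAK), ("hardened", HARDENED)):
        results = gate(bundle)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

In a pipeline the same `gate` would be fed the output of `helm template` or `kustomize build`, and a non-empty list would fail the stage. The check is deliberately narrow: it encodes a few basics the respondents say are missing rather than a full benchmark, and the hardened bundle shows what passes (anonymous auth off, Node and RBAC authorization, no login bypass, ClusterIP only, and a scoped role instead of cluster-admin).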

Check out tomorrow's post where we discuss more research findings on the major problems in security. Stay tuned!

Here’s who we talked to:
