Over a million developers have joined DZone.

Executive Insights on Proactive Security

DZone 's Guide to

Executive Insights on Proactive Security

Executives from across the tech industry shared their thoughts with us on the state of security and how to move it forward. Here's what they had to say.

· Security Zone ·
Free Resource

This article is featured in the new DZone Guide to Proactive Security. Get your free copy for more insightful articles, industry statistics, and more!

Quick View:

  1. While awareness of the importance of security has grown with more high-profile hacks, lack of emphasis from C-level executives continues to make it a low-level priority.
  2. Companies are slow to adopt a sound security strategy in which they identify their most important assets and allocate security budget to protect them.
  3. There is an opportunity and need for a fundamental shift in security constructs and workflows to align with enterprise trends to achieve agility and business goals.

To gather insights on the state of proactive security today, we spoke to 25 executives from 25 companies who are familiar with the current cybersecurity threat landscape and the actions being taken to mitigate the damage being caused. Here’s who we talked to:


Key Findings

  1. The most important elements of security are following the fundamentals of secure coding and putting a high priority on the security of what you are developing and sending to production. Companies need to educate entire development and production teams on security best practices and ensure everyone is following them. There are too many insecure coding practices – especially with regards to new technologies like cloud, mobile, IoT, and even web apps. People have forgotten what they know about security when working on new platforms. We will have a significant reduction in attack vectors if we follow secure coding best practices. Companies also need a “security-first” mentality which starts with prioritizing what’s most important to secure since you cannot secure everything: security by design. Security is not a plug-in, it must be established early in the SDLC and maintained through production. Finding and fixing security bugs in the development stage is much cheaper than finding bugs during production. The bugs are easier to fix, and this approach results in more profitable code and applications over the long-term. 
  2. The cybersecurity threat landscape is changing on two fronts: 1) the number of threat vectors; and, 2) the sophistication of hackers. The proliferation of mobile, IoT, cloud, and cloud-based applications have increased the number of endpoints and threat vectors exponentially. All of this presents a greater risk. Security best practices have been around for 20 years, but app and IoT developers fail to follow best practices. We see a lot of insecure coding calls that don’t track user bounds and lead to buffer overflow – a problem that was solved years ago. It’s a mess that’s going to get worse. IoT devices are not being patched. These present a challenging operational capability since we’ll have more than 40 billion devices by 2020. We lack the talent and capability to prevent breaches today. The biggest challenge is educating those who are not educated, as well as the people who don’t know what they don’t know and are not interested in hearing about the importance of security. We still have politically motivated attacks; however, new groups with new tools are as sophisticated as nation-states. Threats are multifaceted using well-known infrastructures like Twitter and DropBox that serve as an obfuscation layer. Criminals are making more money from the Internet than any other source. Companies are making six-figure ransomware payments that are unreported because they do not want the negative publicity. Most attacks today are at the application level. Hackers don’t need to struggle with firewalls and IPS systems when they have access to applications that provide a direct communications channel to enterprise data. 
  3. While a lot of security techniques were suggested as being effective, the most frequently mentioned were continuous threat management, which includes real-time visibility and automatic responses to threats and intrusions. This enables you to see vulnerabilities and intruder activities as they move around the network so you can determine what portion of your network has already been infiltrated and what information has been compromised, as well as continuous threat management and timely incidence response. Continuous threat management does not diminish the importance of maintaining security best practices, good data hygiene, a sound security strategy based on the prioritization of protection, security by design, and pursuing holistic hybrid security solutions. 
  4. Not surprisingly, financial services is the most frequently mentioned industry that benefits most from security, followed by healthcare, manufacturing, and retail – because that’s where the money is. The most frequent work is around securing applications, devices, and APIs. Security companies are also preventing malware, phishing, and ransomware attacks, as well as identifying and visualizing where attackers are in the network. They’re helping companies move to the cloud and share data securely across networks through encryption. Security companies are also helping clients understand best practices and inculcate security tests to prevent future damage. 
  5. Issues affecting security are diverse and seemed to fall into five broad categories: 1) awareness and knowledge, 2) bad practices, 3) velocity and scale, 4) risk assessment; and, 5) visibility. Many people in organizations still need to be educated on the importance of security overall, as well as basics like encrypting plaintext data, how to set up and use security software that’s already been purchased, connecting to malicious websites, and the lack of skills and knowledge to implement a secure network or applications. 

Poor practices and lack of security policies are also hurdles to be overcome. Developers are using insecure coding practices and leaving behind crypto keys. There’s poor data hygiene and systems not being properly patched in a timely manner, if at all. Security best practices are not followed due to a demand to get to market as quickly as possible, so controls fall through the cracks. There is particularly a lack of policy and procedures for developers. Other departments are procuring and producing their own solutions outside of the IT department’s knowledge, which is known as shadow IT.

The cybersecurity threat landscape is changing quickly and companies are not prepared to handle the speed or scale of the change. The volume of incidents can range from 1,000 to 10,000, to 100,000 per day depending on the industry and company size. Automated tools are required to handle this volume of incidents. There is a myriad of tools to choose from, and they typically require a knowledgeable security professional to set up and interpret the results. Multiple tools are required to implement a holistic, hybrid security strategy, which is necessary for a company of any size.

Only the most sophisticated companies are performing risk assessments (risk = threats x vulnerabilities x assets) to inform their security strategy and budget planning. Few know what’s on their network or where all their data lies. This is a requirement to make an informed decision about where investments should be made in security. You need to put your dollars into protecting your most important data.

Lastly, there is a lack of visibility into, and control of, cloud applications, as well as a lack of ability to monitor and respond to threats in real time

  1. Concerns regarding the current state of security are diverse as well; however, one prevailing theme is that attackers are winning the war by becoming more sophisticated and spending more money on hacking tools than companies are spending on security. Hackers are now offering ransomware-as-a-service, and the adoption of cloud, containers, microservices, and IoT is moving so quickly that it’s difficult for companies to keep up with security best practices, let alone stop the bad guys. Companies need to change their state of mind and assume they’ve already been breached. Every company audited has been breached. 
  2. AI (Artificial Intelligence) is the greatest opportunity for security to improve. AI will automatically learn threat detection without human interaction. AI, machine learning, and deep learning will all enable improvements to security, along with sensors around the world detecting anomalies – differentiating between good and bad behavior. 
  3. Developers need to keep security in mind from the beginning of the software development lifecycle. Security should always be structured in upfront application design. Know the policies and procedures that will make your applications secure. Eliminate SQL injections and cross-site scripting (XSS). Secure code reviews increase your ability to see ways to secure your code over time. Focus on security by design and you will have a lucrative career. Look at the 25 worst security flaws and ensure what you are developing doesn’t have any of these. Don’t grab code from Stack Overflow, or anyone else, and put it into production without testing it first. 
  4. Developers and security professionals need to collaborate for companies to have a stronger security posture. For this to happen, developers need to keep their egos in check while security professionals need to stop spreading fear, uncertainty, and doubt. The two groups should work together to solve problems, share best practices, scan code for vulnerabilities, and provide correction and virtual patches so everyone can share the information necessary to solve issues while learning from each other. More collaboration will result in stronger, more secure code and networks.

This article is featured in the new DZone Guide to Proactive Security. Get your free copy for more insightful articles, industry statistics, and more!

security ,secure code ,cybersecurity ,iot security ,cloud security

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}