We asked 19 executives who are involved with application security how they have seen application security evolve over time.
Here's who we talked to:
Sam Rehman, CTO, Arxan Technologies
John Pavone, CEO, Aspect Security
Jon Gelsey, CEO, Auth0
Mark O’Neill, Vice President Innovation, Axway
Walter Kuketz, CTO, Collaborative Consulting
Rami Essaid, CEO, Distil Networks
Alexander Polyakov, CTO, ERPScan
Deena Coffman, CEO, IDT911 Consulting
Craig Lurey, CTO and Co-Founder, Keeper Security
Max Aulakh, CEO, MAFAZO
Jessica Rusin, Senior Director of Development, MobileDay
Kevin Swartz, Marketing Manager, NowSecure
Julien Bellanger, CEO and Co-Founder, Prevoty
Kevin Sapp, VP of Strategy, Pulse Secure
Chris Acton, Vice President of Operations, RiskSense Inc.
Amit Bareket, CEO, SaferVPN
Walter O’Brien, Founder and CEO, Scorpion Computer Services
Francis Turner, VP Research and Security, ThreatSTOP
Ari Weil, Vice President of Marketing, Yottaa
Here's what they had to say when asked "How has application security evolved over time?":
Started with MD5, which was easy to hack, to the evolution of encryption algorithms. People used simple algorithms that were easily cracked, then moved to SHA and 256-bit. Stronger hashing algorithms to zero knowledge (encrypting data) between the application and server. Tools and hacking techniques have improved.
We’ve gone from static checks and bug fixes to a larger scale threat model with hack banks and realistic scenarios with tools to augment. We do not have realistic intelligence. A lot of false positives with the tools that are out there right now. We haven’t figured out how to use data for large scale security development.
Evolved from the payment card industry from 10 years ago. Now the government is driven by federal and state standards. There’s a paradigm shift in business - everything is driven by risk - how much does it cost to protect the data, how much do I lose if the data is compromised?
AppSec services which include software and people who understand security that can give customers a list of vulnerabilities and a solution for fixing them.
Improved user experience for security vendors. Cloud and mobile have changed the game. Apps are no longer running in data centers behind firewalls. There's no traditional security perimeter. More focused on moving security to the app. Hybrid IT is becoming the norm and this results in a much more complicated security model.
There’s more awareness than there used to be but I’m not sure there’s been much evolution. The cloud has made massive changes to apps and app security in the last five years. Before, these were behind a corporate firewall. We’ve sacrificed security for convenience (e.g. access through mobile devices).
It’s taken more seriously now as things are not behind a firewall. There’s more emphasis on the cloud and more emphasis on tools. A shift towards apps having dual authentication and several layers of security. Devices are beginning to use fingerprint sensors.
The challenges have evolved. Static apps have become distributed aggregations of links and endpoints. Use cases have transitioned from reading brochureware to having personalized, engaging experiences tailored to device & browsing context. Threats have evolved to include volumetric (e.g. DDoS), slow, malware, malvertising and man-in-the-middle types of attacks including request forgery, SQL injection and cross-site scripting exploits of the code.
Reactive - finding vulnerabilities and it’s the security team’s job to fix them. This is where most industries are today.
Proactive - have knowledge and training, security by design, focused on fixing versus finding.
Predictive - continuously monitoring so apps know when they are being attacked and can respond accordingly. Bring into the SDLC so you can do threat monitoring while developing. Refactor/reengineer into the development process.
We're finding holes in web app security because of the lack of evolution. Niche player looking for specific problems. More automation has been great - use code integrators to test code checking for bugs and vulnerabilities.
Awareness and visibility of privacy and security issues in mobile apps. Differences between traditional PCs and mobile devices. Over-permissioned mobile apps.
App security has evolved along with mobile operating systems and programming frameworks. The kinds of attacks and vulnerabilities are evolving at the same rate. It’s a struggle to keep up. Attacks are an order of magnitude more sophisticated than 10 years ago.
Apps have become more advanced. Samsung Knox was subject to a lot of research and found to be far more vulnerable than people expected. Samsung learned they needed to use a VPN on top of Knox. Things are much more complex and advanced.
Web security has evolved to mobile app security. People are aware of the breaches, as well as the fact that if you put an app in the cloud, you will get people probing for vulnerabilities. More understanding that it’s not just hard but there’s also more machine-to-machine traffic and more API keys which result in more vulnerabilities. API security is tied to OLAF.
Not quickly enough. It’s slowly but surely getting a higher profile, becoming more important earlier in the process. It should not be confined to developers. For example, payroll applications are sold to HR with security settings that are off by default. HR doesn’t talk to IT because they don’t think to, and the payroll system gets hacked. Implementation is so important that security is never addressed. Silos are the enemy of security.
Awareness. Everyone talks about cyber security but people mistake talking with doing. No one is actually doing anything. There’s no effect other than insurance rates are increasing. Does anyone care? It’s not unfixable. Ransomware will keep growing. It’ll take someone stealing $10 million and insurance not covering the loss before companies start taking security seriously.
User awareness as consumers are hit in the face every day. We’re at the inflection point of the curve. We’ve been going along for the last two years with people dealing with the daily onslaught of medical records online, mobile phones being locked. XcodeGhost resulted in Apple apps being built with vulnerabilities. Tool kits to build apps have been compromised. Enterprise IT, who used to be walled off and secure, are now using HTTPS. More intense focus on security.
We’ve moved beyond dynamic key protection. Constantly morphing with more self-checking and self-adjusting. Predictable machines can be reverse engineered, unpredictable machines cannot. Apps are smarter as are hackers.
How have you seen application security evolve?
What does the future hold?