To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schone, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, Dreamhost | Anders Wallgren, CTO, Electric Cloud | Alexander Polykov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
Here's what they told us when we asked them, "How is the cybersecurity threat landscape changing?"
- I helped create the OWASP top 10 in 2002 and have updated it every two years since then. The OWASP 10 were supposed to be the foundation or floor; however, it’s turned into a ceiling. Software companies have not stepped up with regards to security. There are a few new attacks, vectors and injections like Java serialization. You must adapt and shift. Real changes in software are rocketing ahead with Agile, DevOps, and tools. Software libraries are larger and more complicated. There’s an inversion of control and it’s harder for the tools to work. There have also been an explosion of web services and APIs and an inability to understand the data that’s being put in front of them. Instead of scanners, you need continuous monitoring of applications in production. It becomes part of the application’s job to assess and protect itself. You must maintain a vision across hundreds and thousands of applications. Security must be monitoring not just accessing. There is not sufficient bandwidth. There must be automation.
- Today everyone inside your company is a threat because of the number of devices they have and the fact that they’re all connected to the internet. People don’t generally know what data resides in the cloud. There is a greater understanding among enterprises of their exposure and the need to protect identity and access management to the data itself, and authentication. We protect internal users when they’re sharing information with outsiders.
- Many more cyberattacks (10X). Data breach at Oracle, hacked support portal, infected point of sale systems in almost every retail store. The focus of the attacks has changed from users, credit cards and malware, to industry specific vectors like oil and gas and retail. Open Source software can be hacked by cyber criminals changing the code and then developers picking it up and using it everywhere. We typically don’t use Open Source frameworks unless we have to.
- More living off the land and less use of custom tools. Many are using existing tools like Microsoft PowerShell. It requires more than antivirus.
- It’s shifted from system administrators to overall DevOps to understand the underlying framework. Developers have become more important to security development. The validation side is interesting with the Open Source movement, everything is in libraries and everyone is quick to add a new library. However, a lot of libraries have compromised versions, as such you must be aware of what you are using. Use libraries that have been developed in a way consistent with how you develop.
- A lot of new threats and the old ones are still around. With SaaS and IaaS there’s more in the cloud. Next wave with IoT leads to more threats to the consumer’s home. A significant increase in the opportunities for hackers. Inspect devices between devices and cloud. IoT products are way ahead of security. Think about the impact of properly securing your services. The surface area is massive. Developers need to think about security as a requirement.
- Notion of advanced persistent threats focused on different IP structures are here to stay. ICS system security – the power grid and all sorts of things – contrary to the early days. Shutting down a power grid is a major threat.
- Platform and security tools block the endpoints without using signatures or detection. Malware and execution of unauthorized code has become more difficult in the last five to ten years. Most are built on a certificate of trust with root certificate authority. People don’t handle code signing certificates well. If you have protected endpoints and certificates, the soft underbelly is the source code. There is more focus in development on the front door. Windows TMP has no way to circumvent so using a commercial app as a Trojan horse is the only way in. Prevent human infiltration with static analysis and code review.
- IoT is the most concerning. There will be a lot of roadkill on the way like the Knight Capital deployment scenario that put them out of business. Public awareness is keener with all of the news coverage of breaches like the VW’s being able to be unlocked. Companies must respond quickly and effectively but they have no way to deploy the patches. There are far more cars than servers. Prius have to come in for USB stick firmware upgrades while Tesla’s get their upgrades over the air. We must get customers out of making updates – remove human intervention. Nest updates itself by talking to my phone and pushes updates without election. I believe this is the best course of action.
- Change in threats from what people are looking for. They used to be interested in credit card data. They’re now going after personal identifiable information (PII) for identity stealing like passports and social security numbers. They can get $100 for a passport and social security number. Hotels make photocopies of passports and then store them and get hacked. There has been an ongoing industrialization of of hacking which has become much more professional with nation states and companies focused of getting PII since it is so valuable.
- Companies have no idea what Open Source they are using; therefore, when a vulnerability is identified, they do not know if they are impacted. This is not a one-time event. There have been 50 additional vulnerabilities to SSL identified since Heartbleed. There are 15 to 20 new vulnerabilities to Open Source identified every day. Companies are playing catch up to determine what they are using.
- More defenses providing more sophisticated security solutions; however, the hackers are becoming more sophisticated as well. You can never have enough security, that’s why we’ve integrated four products to provide a unified solution. Companies are looking for faster, cheaper, more agile compliance. They need an integrated system to meet all of their needs.
- From secure web gateway, analyze malicious script read code and see if it exposes vulnerabilities. Network security is now a commodity (i.e. Checkpoint, Palo Alto) with firewalls. Today network security is there but attacks are taking place at the application layer. They are looking for bugs and vulnerabilities they can penetrate given the integration of front ends and back ends.
- Pick your source, but experts – and our clients – generally agree that the number of vulnerabilities are increasing and the ability of Dev Ops and App Sec teams to keep up is decreasing. Gartner predicts that 99% of all successful exploits through at least 2020 will be a vulnerability known for one year or longer. Oracle just released a Critical Patch Update with the largest number of patches ever released – and they expect the size of the recent release to be the norm going forward. These all point to the fact that attempts to “just write better code” and traditional App Sec approaches along cannot stem the tide of vulnerabilities and successful breaches.
- As you move away from protecting the infrastructure at the network level, you need to understand workloads and users’ needs and wants. Be aware of workloads and be able to trace back through workloads and processes. Educate with regards to DevOps workflow. Greater agility equals greater responsibility. The cloud environment is hostile. You need to know how to lock down your application and access patterns. Roll security into operational frameworks by starting earlier in the SDLC. If you do it correctly, it scales easily.
- Increase in zero-day threats in which you must respond in real time. More security tools are behavioral to see changes in traffic patterns. You can put traffic generators in the sandbox but they don’t provide sufficient variance in data to validate the devices.
- There is an overall trend away from “destroy” to “discover and steal” or even “blackmail.” Take the recent ransomware which was pretty much spread everywhere. Also the amount of very targeted attacks is increasing overall. In the particular areas where we help our customers we see a growing concern with API breaches. If you consider recent hacks like Telegram API, Nissan Leaf, Dominos Pizza, etc. it becomes very obvious that enterprises have to consider API security more seriously.
- The old threats have been automated. They have more tools and services. Countries and businesses are providing root kits and services to other hackers because there’s so much money in it. Big data is a huge target for hackers. They are able to poison smart, intelligent fraud protection with noise. Hackers are pushing the envelope while companies are spending money on perimeter-based security which should be a given. Adding firewalls get you nowhere. The three areas with the most overspending are: 1) fraud protection; 2) perimeter; and, 3) key sets on the backend. We need to divert dollars to mitigation with agility and automation. Be able to match the velocity of the hackers. Automate as much as you can for predictability. This builds trust so security engineers can think about higher-level issues. Agility is the variable reacting with fluidity – ethical hacking, strong red team, strong chief security officer. Hackers leverage the power of the cloud using P2P hacks to run experiments versus companies. Run experiments with distributed computing and scapegoats. We also see weaponization with hackers turning apps into something that hurts people. Xcode ghost was a compiler that poisoned more than 500 apps. Now injection can take place and do bad things. The level we’re seeing is much higher because there’s more to gain. It’s at a whole new scale. The number of layers to attack have increased. A sandbox is just another perimeter security. A jail broken device is a hacker tool breaking what Apple has broken. Applications need to be secure unto themselves.
- Today it’s all about money versus screwing up code or a website. Ransomware, spoof emails from c-level executives requesting money transfers. Educate users to be smarter but they’re still going to click on an email by accident and download a corrupt file.
What changes are you observing in cybersecurity?