To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schoene, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, Dreamhost | Anders Wallgren, CTO, Electric Cloud | Alexander Polykov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
Here's what they told us when we asked them, "What are some real world problems being solved by securing applications and data?"
- The problems that are solved are those that are never seen – hacks that never happen. Application security stops financial disasters at the Federal Reserve and the IMF. Others enable communications for national defense. Software is eating the world. There are huge efficiencies being driven but these are open to new attacks with everything being on a computer. The potential cost to the reputation of a firm is billions of dollars.
- A lot of organizations share information with an auditor. How much does the auditor secure the data? Maintain control with a policy whereby access to the data expires after two weeks. This is key for financial institutions. Sharing and controlling information that doesn’t need to leave the organization – H.R., finance, and legal.
- 1) Oil and gas company wanted to understand and prevent attacks on their incident command system. Analyze how hackers are getting access from enterprise apps to the operations network. We identified multiple ways the hackers were able to attack and evaluated the criticality and vulnerability of the data and helped remediate the most critical invasions. We are working on additional projects to close all of the holes. 2) A company wanted to secure its new development for SAP without implementing a new SAP system in their infrastructure. We provided security as a service in the cloud whereby we automatically identified vulnerabilities, provided corrections, fixed false positives, sent the corrected code back to the client. We do this for them monthly as part of their release cycles.
- We’re not solving the problems. They keep cropping up with OPM, DNC, and Clinton email breaches. We do not have proper application based security.
- PCI implementation. While this can be daunting, it’s mostly scare tactics versus providing clients guidance the way we do. If you're level four you answer 200 questions and have a firewall. Level one is more, but those companies can hire a qualified security associate. OWASP Top 10, common sense, education – freelance analyst needed to document what they were doing with the data to keep the customers’ information safe.
- 1) Kilowatts For Humanity harnesses the wind and sun to provide power in rural Africa, with a U.S.-based infrastructure to run it. 2) A cloud email provider, similar to Google apps for domains, is operating multiple tenant private networks with block storage for security. Leveraging SSL heavily with storage encrypted on disks.
- Standards. Open FAIR – factor analysis of information risk. Financial services companies use it to measure risk and determine what will add the greatest value.
- Privilege management, access control, isolation can all be effective with ransomware and other data security issues.
- 1) Aerospace company makes rockets in a highly regulated industry that requires audits after every iteration – why the change was made, how was it tested, when was it developed. It used to take two weeks. With an automated pipeline it takes one hour to audit and govern, reducing resource waste. Huge improvement in performance of doing big deployments. 2) Financial trading company has a two-hour window to deploy into production but couldn’t touch the entire infrastructure during the two-hour window. 3) Reduce mean time to failure with recovery, remediation and application of the process all taken into consideration. United.com won’t run on beta Chrome because of the requirement that enables transparency checking for the certificate. Haven’t been able to access the website for three days.
- ID verification – companies don’t have to maintain IT security experts and a secure communications path solved for customers while storing their data and protecting data at rest with encryption. Airbnb’s core competency is not security. We solve that for them worldwide.
- We help companies avoid data breaches and loss of intellectual property. In financial services there are vulnerabilities for web apps in Struts exploited by hackers to gain access to financial information. We scan older apps to see if they are vulnerable to versions of Struts, clean up and put in the appropriate safeguards. We scan new applications. Supply chain and monitoring apps. Acquired and used by the client. Certify apps provided by the bank. Also scan applications and containers for open source components and monitor for vulnerabilities.
- We mask information for clients who have specific compliance needs. For example, healthcare companies need to be very careful with PII to meet HIPAA requirements. Developers and testers cannot see secure patient information. We can mask that information or restrict access. When moving to the cloud with active data, developers need to have access to the cloud Active Directory as well as be logged in to the LDAP. Business intelligence databases will be in the cloud for a short period of time but you need to define the users and access permissions while it’s up and running in the cloud.
- Developers are not part of the effort today. Deliver functions within given timeframes. DevOps makes things happen quickly. Security slows down the process. Need to integrate at a fast pace where the developers are comfortable adopting the solution. Provide efficient tools. Get developers to adopt and integrate security tools into the SDLC without slowing down the process. Integrate security in every phase of the SDLC. It’s critical to ensure the developer can maintain their pace of work. Scan incremental pieces of code so it takes five to 10 minutes rather than several hours. Make it simple for developers to resolve problems with an immediate feedback loop and provide solutions to address vulnerabilities. Make it easier for the developer to follow.
- No matter the size of an organization, two app sec issues almost always float to the top: the risks that come from not staying current with patches – think ransomware in hospitals most recently – and the vulnerabilities embedded in third-party code components that can turn into exploits as we saw in 2015 at PayPal. Automating and reducing the patch cycle – which can run for months or more than a year for large organizations – not only improves app security, it saves money and allows over-burdened staff to focus on higher valued activities.
- We are heavy Slack and PagerDuty users. Our alerts go to Slack and we can adjust security policy and alert rules. Make security something everyone can understand and contribute to.
- Enable companies to test apps with real user data to validate their accuracy and safety before putting on the web.
- We deal a lot with customers from finance, insurance and healthcare. By nature, those types of enterprises are pretty security oriented while at the same time the pressure caused by digitalization initiatives is increasing. We help customers from the finance industry create better customer experiences through omnichannel presence for their customers. Omnichannel initiatives need secure data access which we provide with our API management products. API calls are secured and monitored. Threats are prevented and due to the nature of APIs innovation becomes easier. That’s just one example. Other examples are from the healthcare industry where we ensure data transfers containing regulated and sensitive data are secured (non-repudiation) and monitored. In this context it’s also important to make sure the transfers are executed in a timely manner.
- Prevent apps from being hacked and ultimately used as weapons.
- We’ve secured the data for hundreds of clients with no incidents. Peace of mind.
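The answer above about sharing data with an auditor under a policy where access expires after two weeks describes a time-boxed grant. The following is an added illustration, written for this page; it is not code from any of the interviewees or their products. It assumes a sharing service that signs a grant (document, recipient, issue and expiry time) with a server-held key, and a data store that checks the signature before trusting the expiry. The key, document and recipient identifiers are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Placeholder key: in practice load a random 32-byte key from a secret store.
SERVER_KEY = b"replace-with-a-random-32-byte-key-from-a-secret-store"
TWO_WEEKS = 14 * 24 * 3600  # the policy from the interview: access lapses after 14 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(doc_id: str, recipient: str, issued_at: int,
                ttl: int = TWO_WEEKS, key: bytes = SERVER_KEY) -> str:
    """Return an opaque grant: base64(claims) '.' base64(HMAC-SHA256(claims))."""
    claims = json.dumps(
        {"doc": doc_id, "to": recipient, "iat": issued_at, "exp": issued_at + ttl},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, claims, hashlib.sha256).digest()
    return "{}.{}".format(_b64(claims), _b64(tag))


def check_grant(grant: str, doc_id: str, recipient: str, now: int,
                key: bytes = SERVER_KEY) -> tuple:
    """Return (allowed, reason). The tag is verified before any claim is read,
    so an expiry rewritten by the holder is never trusted."""
    try:
        claims_b64, tag_b64 = grant.split(".", 1)
        claims_bytes, tag = _unb64(claims_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(key, claims_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(claims_bytes)
    if claims["doc"] != doc_id or claims["to"] != recipient:
        return False, "grant is for a different document or recipient"
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"


def forge_expiry(grant: str, new_exp: int) -> str:
    """What a holder without the key can attempt: rewrite the claims, keep the old tag.
    check_grant() must reject the result."""
    claims_b64, tag_b64 = grant.split(".", 1)
    claims = json.loads(_unb64(claims_b64))
    claims["exp"] = new_exp
    forged = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return "{}.{}".format(_b64(forged), tag_b64)


if __name__ == "__main__":
    issued = 1_000_000  # constructed clock value, seconds
    g = issue_grant("fin-2016-q3", "auditor@example.com", issued_at=issued)
    print(check_grant(g, "fin-2016-q3", "auditor@example.com", now=issued + 13 * 86400))
    print(check_grant(g, "fin-2016-q3", "auditor@example.com", now=issued + 15 * 86400))
    print(check_grant(forge_expiry(g, issued + 365 * 86400), "fin-2016-q3",
                      "auditor@example.com", now=issued + 15 * 86400))
```

The expiry is enforced at the data store on every read, not only when the link is created, and the clock used is the server's, never one supplied by the client. An HMAC is enough here because the same organization issues and checks the grant; it does not give the non-repudiation that the healthcare transfer answer mentions, which needs a per-party signing key.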
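Two answers above describe scanning older applications for vulnerable Struts versions and, more generally, for third-party components with known vulnerabilities. The following is an added example written for this page, not code from any interviewee or vendor tool. It reads the dependency list of a constructed Maven pom.xml, resolves `${property}` versions, and matches each component against a small advisory list with introduced/fixed version ranges. The advisory identifiers and ranges are illustrative placeholders, not real CVE data, and the pom.xml is invented.

```python
import re
import xml.etree.ElementTree as ET

# Constructed advisory feed: (group, artifact, introduced inclusive, fixed exclusive).
# Placeholder identifiers and ranges, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-2016-0001", "group": "org.apache.struts", "artifact": "struts2-core",
     "introduced": "2.3.0", "fixed": "2.3.29"},
    {"id": "EXAMPLE-2016-0002", "group": "org.apache.struts", "artifact": "struts2-core",
     "introduced": "2.5", "fixed": "2.5.2"},
    {"id": "EXAMPLE-2016-0003", "group": "commons-collections", "artifact": "commons-collections",
     "introduced": "3.0", "fixed": "3.2.2"},
]

# Constructed pom.xml for an imaginary older banking web app.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.bank</groupId>
  <artifactId>statements-web</artifactId>
  <version>1.4.0</version>
  <properties>
    <struts.version>2.3.16.1</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.2</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.21</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version: str) -> tuple:
    """'2.3.16.1' -> ((1,2),(1,3),(1,16),(1,1)); numeric parts compare as integers
    (so 2.3.9 < 2.3.16, which a string compare gets wrong) and a non-numeric part
    such as 'RC1' sorts below any number in the same position."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def parse_pom(text: str):
    """Yield (groupId, artifactId, version) with ${property} references resolved."""
    root = ET.fromstring(text)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS) or ""
        # Unknown properties are left as-is so scan() can flag them instead of guessing.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        yield group, artifact, version.strip()


def is_affected(version: str, advisory: dict) -> bool:
    k = version_key(version)
    return version_key(advisory["introduced"]) <= k < version_key(advisory["fixed"])


def scan(pom_text: str, advisories=ADVISORIES) -> list:
    """Return one finding per (component, advisory) match, plus one per unresolved version."""
    findings = []
    for group, artifact, version in parse_pom(pom_text):
        component = "{}:{}".format(group, artifact)
        if not version or "${" in version:
            # A version the scanner cannot resolve must be surfaced, never silently skipped.
            findings.append({"component": component, "version": version,
                             "advisory": "UNRESOLVED-VERSION", "fix": "pin or resolve the version"})
            continue
        for adv in advisories:
            if adv["group"] == group and adv["artifact"] == artifact and is_affected(version, adv):
                findings.append({"component": component, "version": version, "advisory": adv["id"],
                                 "fix": "upgrade to >= {}".format(adv["fixed"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_POM):
        print(f)
```

In the constructed pom, struts2-core resolves to 2.3.16.1 and falls inside the first advisory range, while commons-collections 3.2.2 equals the fixed version and is not reported. Running this on every build, as the answer about integrating security into the SDLC recommends, is what turns a one-off scan of old apps into continuous monitoring.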
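The answer about masking patient information so developers and testers never see it describes field-level masking of a dataset before it reaches a non-production environment. The following is an added example written for this page; it is not code from any interviewee or product. It applies a per-field policy to constructed patient and visit records: direct identifiers are replaced with keyed HMAC tokens (so the two tables still join), numbers such as SSNs keep only their last four digits, dates of birth are reduced to the year, and a field with no policy entry causes the job to fail rather than pass data through. All names, identifiers and numbers are invented, and the key is a placeholder.

```python
import hashlib
import hmac
import json

# Placeholder key. It stays in the production masking job and never reaches dev/test:
# with a keyed HMAC a developer holding the masked tables cannot recompute tokens
# from the small space of real patient IDs, which a plain hash would allow.
MASK_KEY = b"masking-key-from-a-secret-store"

# Constructed records; every value is invented.
PATIENTS = [
    {"patient_id": "P-10001", "name": "Jane Example", "dob": "1974-03-09",
     "ssn": "123-45-6789", "phone": "+1-555-0101", "diagnosis": "E11.9"},
    {"patient_id": "P-10002", "name": "John Sample", "dob": "1988-11-21",
     "ssn": "987-65-4321", "phone": "+1-555-0199", "diagnosis": "J45.20"},
]
VISITS = [
    {"visit_id": "V-501", "patient_id": "P-10001", "ward": "3B", "admitted": "2016-08-02"},
    {"visit_id": "V-502", "patient_id": "P-10002", "ward": "ICU", "admitted": "2016-08-03"},
]

# Masking policy per field. Every field that appears in a record must be listed.
POLICY = {
    "patient_id": "tokenize",   # direct identifier, but needed to join tables
    "visit_id": "tokenize",
    "name": "redact",           # no test needs the real name
    "ssn": "partial",           # last four digits kept for support-desk test cases
    "phone": "partial",
    "dob": "year_only",         # quasi-identifier: generalize
    "diagnosis": "keep",        # coded clinical value the app logic is tested against
    "ward": "keep",
    "admitted": "keep",
}


def tokenize(value: str, key: bytes = MASK_KEY) -> str:
    """Deterministic pseudonym: same input, same token, so foreign keys still match."""
    return "TK-" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def partial(value: str) -> str:
    """Mask every digit except the last four, keeping punctuation and layout."""
    total = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "X")
        else:
            out.append(c)
    return "".join(out)


def mask_record(record: dict, policy: dict = POLICY, key: bytes = MASK_KEY) -> dict:
    """Apply the policy to one record; unknown fields fail closed."""
    masked = {}
    for field, value in record.items():
        rule = policy.get(field)
        if rule is None:
            raise ValueError("no masking rule for field {!r}; refusing to pass it through".format(field))
        if rule == "tokenize":
            masked[field] = tokenize(value, key)
        elif rule == "redact":
            masked[field] = "[REDACTED]"
        elif rule == "partial":
            masked[field] = partial(value)
        elif rule == "year_only":
            masked[field] = value[:4]
        elif rule == "keep":
            masked[field] = value
        else:
            raise ValueError("unknown rule {!r}".format(rule))
    return masked


def mask_tables(patients=PATIENTS, visits=VISITS, key: bytes = MASK_KEY) -> tuple:
    return ([mask_record(r, key=key) for r in patients],
            [mask_record(r, key=key) for r in visits])


if __name__ == "__main__":
    mp, mv = mask_tables()
    print(json.dumps(mp, indent=1))
    print(json.dumps(mv, indent=1))
```

Failing closed on an unlisted column is the check a practitioner wants: a new PII column added to the source schema then breaks the masking job instead of being copied to test unmasked. Restricting access, the other option the answer mentions, is complementary; masking removes the need for most developers to have any access at all.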
What real world problems do you see being solved with application and data security?