To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schone, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, Dreamhost | Anders Wallgren, CTO, Electric Cloud | Alexander Polyakov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
Here's what they told us when we asked them, "What kind of security techniques and tools do you find most effective? Least effective?"
- You need to be able to see what’s going on inside the application. Automation gets security people out of the critical path of software development. You cannot scale without automation. You must automate so ordinary developers and testers can build secure apps on their own without relying on security.
- It depends on the problem. Files within an organization need to be encrypted with a policy. The number of ingress points cannot be controlled or closed.
- Identify security issues by mixing static, dynamic and interactive code runners. All have advantages and disadvantages so use each one in different stages of development. Prevent security issues by using a combination of different approaches like signature and anomaly-based detection.
- A combination of automated security and antivirus with heuristics. Aid and interrogation of the machine. You cannot fool both a human and a computer at the same time. Use both together. If I’m on the offensive, I buy all of the defensive tools and test my offense against them. I know what defensive tools are vulnerable to what offensive tools. I would not deploy an offensive tool unless I know it can get by the defensive tool. Automation by itself won’t work. Augment with humans to find deficiencies. On the other hand, you need to use technology as well since one human cannot protect 10,000 computers. Target was inundated with alerts and did have the bandwidth with their IT staff to address them all.
- Virtual Private Clouds (VPCs) – learn how to configure based on the software tool. VPCs can be configured in the GUI to set up all rules similar to firewalls and can be routed to different destinations. The same is true for VPNs. For AWS, a number of different clients can connect in different ways that enable export configurations. Add two-factor authentication.
- Use basic encryption at every possible place. If smaller developers are without resources like PCI, partner with people who have them. Don’t store credit card data. Store the information with a partner with tokenized billing. More encryption at all layers. “Let’s Encrypt,” a free, open-source SSL service. Tutorials on knowledge base. How to do security on your servers. Deploy and use the SSL layer. No keys on the application or the device. Take advantage of cloud service providers’ offerings. Google is now penalizing websites that do not have SSL.
- Not specific. Guidance about how to get programs right. Have a well thought out architecture. Understand risk. Where are the significant IT assets? What’s the impact driving the security controls you put in place? SANS Top 20 Critical Controls; however, most companies only have the budget to implement one per year to mitigate risk.
- Platforms can be the foundational element of authentication, authorization, and other techniques for getting back to the basics. You will still need to segregate access to secrets. Best practices are to use frameworks, testing, and enforcing to get compliance. There is variability to how well a binary uses security. Windows 10 enforced development standards, which resulted in a tighter app since they used best practices. Combine static and dynamic security as architectural changes are made to applications. The worst practice is organizations chasing headlines, buying tools to prevent ransomware or SQL attacks rather than taking a strategic approach to build with tactics to address strategic problems.
- Fundamental security has to be baked into the architecture (e.g., encryption when in transit, when at rest, and when flowing between data centers). You must be able to explain quickly – uncomplicated and straightforward. Know the architecture and the approach to security. Trust and verify using regression testing to catch errors. We just did an OpenSSL upgrade and found bugs in our code with certificate chains and implementation. Have a robust and rigorous test infrastructure. Stay on top of vulnerabilities in OpenSSL and operating systems. Heartbleed would not have happened if they had unit testing for the code. They’re currently scrubbing SSL for releases and patches. You must stay on top of these things. You need security audit tools. Do third-party library audits. Understand the subtleties and implications. DoS may be OK behind a firewall, but it’s a huge issue if in the cloud. There’s a signal-to-noise ratio problem – where to put the wood behind the arrow. SaaS products are much easier problems to solve. Firmware IoT upgrades are made over the air or in person.
- Secure SDLC process. There is no time to add security on top of what you’ve already built. A web application firewall will protect against those intrusions you have not thought about. OWASP Top 10 is best practice for web apps. Every developer and QA should have these 10 requirements memorized and take them to heart. Most of the big holes in applications can be fixed if the developer or company followed the OWASP Top 10. We also employ penetration testing by external companies and perform internal penetration tests on our own servers. These are two essential tests.
- Increase the amount of communication around secure programming techniques and using static and dynamic analysis to improve code quality. Know what Open Source you are using. We use a variety of techniques to ensure our own code is safe.
- The four pillars as well as a firewall layer and defining sensitive information and where it exists. We have a sensitive data discovery tool that showed one client storing the second credit card in a notes field. We monitor for, and mask, such data.
- Static testing but everything is important throughout the SDLC – a layered approach. At the end of the process run penetration testing and dynamic analysis. Reduce the effort required at the end of the application development.
- The push to write better code is a fool’s errand when it comes to app security, so that clearly goes into the least effective category. It is a great goal, but just like no security product is 100% fool-proof, the idea that we can improve security dramatically through better code is unrealistic given the amount of vulnerabilities embedded in third-party libraries and central repositories. The most effective defense remains a combination of code testing during development and smart products that allow DevOps and AppSec teams to be more collaborative, strategic, efficient and effective.
- Leverage core capabilities of the cloud storage provider, like AWS security groups. Different vectors to run tools for (i.e., login events, all system access, what workloads are doing). Get a handle on vulnerability assessments. A lot of tools but no unified context. We correlate data from multiple sources to help clients make informed decisions. Strengthen DevOps as it becomes responsible for security.
- Test everything in a sandbox with real data before introducing to the real world.
- At some point people tried to solve a lot of security concerns by containerizing the apps, especially in enterprise contexts. I would rate this to be quite inefficient and not addressing the root cause. Regarding establishing trust between the frontend apps and backend APIs, certificate pinning is something that is necessary and not done enough. Combined with some basic security practices like AWS-style API keys and some basic quota setup, companies would be on a good course to preventing the first level of attack vectors. Overall, people have to realize that a technology-driven approach always has to be embedded into a process that reconsiders the situation and tries to create awareness on all fronts for the challenges.
- Holistic end-to-end solutions that bind the client side and the server side while also understanding the behavior to which the app is being subjected.
- We partner with Alert Logic, who puts IDS and IPS appliances in front of firewalls and conducts log tracking. They’re the security experts, but we both see the alerts, alert the client and take action. It takes two to three months to tune the threat detection software.
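The sensitive-data discovery described in the responses above (a client found storing a second credit card in a free-text notes field, then monitoring for and masking such data) can be reduced to a small scanner. The following is an added example written for this page, not a tool from any of the companies quoted; the record layout and the card numbers are constructed test data (the well-known 4111… and 5500… test PANs), and the `notes` field name is an assumption. It finds primary account numbers (PANs) in free text by combining a digit-run pattern with the Luhn check, so that tracking numbers and other 16-digit strings are not reported, and masks all but the last four digits.

```python
import re

# A PAN is 13-19 digits, possibly grouped with spaces or dashes. The lookarounds
# stop the pattern from matching a slice out of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records (assumed layout: an "id" plus free-text fields).
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer",
     "notes": "Customer asked to keep 4111 1111 1111 1111 on file"},
    {"id": 2, "name": "B. Customer",
     "notes": "Tracking 1234567890123456 shipped"},      # fails Luhn: not a PAN
    {"id": 3, "name": "C. Customer",
     "notes": "Backup card 5500000000000004"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def _is_pan(candidate: str) -> bool:
    digits = _digits(candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list:
    """Return the PAN-looking substrings in text that also pass Luhn."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if _is_pan(m.group(0))]


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with asterisks, keeping the last four digits."""
    def _mask(m):
        raw = m.group(0)
        if not _is_pan(raw):
            return raw          # leave non-card digit runs untouched
        digits = _digits(raw)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


def scan_records(records) -> list:
    """Discovery pass: (record id, field name, PAN count) for every string field
    that contains at least one card number."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            pans = find_pans(value)
            if pans:
                findings.append((rec["id"], field, len(pans)))
    return findings


if __name__ == "__main__":
    for rec_id, field, count in scan_records(SAMPLE_RECORDS):
        print(f"record {rec_id}: {count} PAN(s) in field '{field}'")
    for rec in SAMPLE_RECORDS:
        print(mask_pans(rec["notes"]))
```

In practice the scan runs over every free-text column, not just the one you expect, because the problem in the quoted case was precisely that cardholder data landed in a field nobody had classified as sensitive. Masking the stored value is a containment step; the stored data should then be migrated to a tokenized billing partner, as another respondent recommends.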
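Several responses above recommend combining signature-based and anomaly-based detection, and one notes that tuning threat detection takes months. The block below is an added example written for this page, not code from any respondent or vendor quoted; the access-log format, the two signatures and the log lines are constructed. It shows the two approaches side by side over the same events: signatures catch a request whose content matches a known attack string, while the anomaly rule catches a source whose failed-login count is far above the baseline of its peers, with no signature involved. The `floor` and `factor` parameters are the tuning knobs an operator would adjust over time.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote

# Constructed web access log (not real traffic): timestamp, source IP,
# HTTP status and request path.
SAMPLE_LOG = """\
2016-05-01T10:00:01 src=10.0.0.5 status=200 path=/index.html
2016-05-01T10:00:02 src=10.0.0.5 status=401 path=/login
2016-05-01T10:00:03 src=10.0.0.7 status=200 path=/search?q=shoes
2016-05-01T10:00:04 src=10.0.0.9 status=401 path=/login
2016-05-01T10:00:05 src=10.0.0.9 status=401 path=/login
2016-05-01T10:00:06 src=10.0.0.9 status=401 path=/login
2016-05-01T10:00:07 src=10.0.0.9 status=401 path=/login
2016-05-01T10:00:08 src=10.0.0.9 status=401 path=/login
2016-05-01T10:00:09 src=10.0.0.9 status=401 path=/login
2016-05-01T10:00:10 src=10.0.0.7 status=200 path=/search?q=1'%20OR%20'1'='1
2016-05-01T10:00:11 src=10.0.0.11 status=401 path=/login
2016-05-01T10:00:12 src=10.0.0.12 status=404 path=/../../etc/passwd
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) status=(?P<status>\d{3}) path=(?P<path>\S+)$"
)

# Signature rules: known-bad content, matched against the URL-decoded path.
SIGNATURES = [
    ("sqli_tautology", re.compile(r"'\s*or\s+'", re.IGNORECASE)),
    ("path_traversal", re.compile(r"(?:\.\./){2,}")),
]


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["path"] = unquote(ev["path"])   # decode before matching signatures
        events.append(ev)
    return events


def signature_alerts(events) -> list:
    """(source, rule name, path) for every event matching a signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["path"]):
                alerts.append((ev["src"], name, ev["path"]))
    return alerts


def anomaly_alerts(events, floor=3, factor=3.0) -> list:
    """(source, failed logins, threshold) for sources whose 401 count exceeds
    max(floor, factor * median across sources). The floor keeps a tiny
    baseline (one or two sources) from producing noise; raising floor or
    factor is how an operator tunes this rule down."""
    failures = defaultdict(int)
    for ev in events:
        if ev["status"] == 401:
            failures[ev["src"]] += 1
    if not failures:
        return []
    baseline = statistics.median(failures.values())
    threshold = max(floor, factor * baseline)
    return [(src, n, threshold) for src, n in sorted(failures.items()) if n > threshold]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, rule, path in signature_alerts(evs):
        print(f"SIGNATURE {rule:16} src={src} path={path}")
    for src, n, thr in anomaly_alerts(evs):
        print(f"ANOMALY   failed_logins={n} (>{thr}) src={src}")
```

Neither rule alone sees the whole picture: the brute-force source never sends a string a signature would recognise, and the injection probe is a single request from an otherwise well-behaved client. Both lists still need a human to triage, which is the point the respondents make about pairing automation with analysts.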
What techniques and tools do you use to secure applications and data?