We asked 19 executives who are involved with application security what they consider to be the biggest obstacles to the success of application security initiatives at a company.
Here's who we talked to:
Sam Rehman, CTO, Arxan Technologies
John Pavone, CEO, Aspect Security
Jon Gelsey, CEO, Auth0
Mark O’Neill, Vice President Innovation, Axway
Walter Kuketz, CTO, Collaborative Consulting
Rami Essaid, CEO, Distil Networks
Alexander Polyakov, CTO, ERPScan
Deena Coffman, CEO, IDT911 Consulting
Craig Lurey, CTO and Co-Founder, Keeper Security
Max Aulakh, CEO, MAFAZO
Jessica Rusin, Senior Director of Development, MobileDay
Kevin Swartz, Marketing Manager, NowSecure
Julien Bellanger, CEO and Co-Founder, Prevoty
Kevin Sapp, VP of Strategy, Pulse Secure
Chris Acton, Vice President of Operations, RiskSense Inc.
Amit Bareket, CEO, SaferVPN
Walter O’Brien, Founder and CEO, Scorpion Computer Services
Francis Turner, VP Research and Security, ThreatSTOP
Ari Weil, Vice President of Marketing, Yottaa
Here's what they had to say when asked "What are the obstacles to the success of application security initiatives at a company?":
Application security is not an IT thing, it’s a business thing. We must articulate the value of application security from a business perspective. How do you make application security as important as physical, enterprise, domain and 17 other types of security? Align with universities to provide a realistic learning environment. The curriculum is old and out-dated. What they’re teaching in universities is on YouTube. It’s not actionable. Go back and figure out a curriculum so students think in a different way.
Secure coding. Security practice is an afterthought at universities. Organizations don’t have sufficient internal training programs. RiskSense offers classes, SANS generalized for web, OAuth, OWASP free training and community groups. Hackers have a greater incentive to find problems before developers.
Failure to have a security mindset. Using off the shelf solutions without InfoSec professionals who know how to use them to identify and address problems. Lack of people with InfoSec knowledge.
Lack of awareness - no visibility into how they're being hacked and deny they are being hacked until we show them. Able to run an engine and show how many times they’ve been hacked and where. Develop the business case for AppSec because data and security are at risk. C-level execs need to understand the importance of application security. Lack of alignment between AppSec and developers. The pressure to release applications and updates often overrides security concerns.
It’s not a line of business application. Functional heads are ordering solutions to improve productivity without regards for security. Multiple applications are outside the control of the IT department.
People don’t know how everything connects together. The cloud does this, outsourcing does this (e.g., Edward Snowden was a contractor to the NSA). You can’t keep track of who has access to your data or where your data is. Think about and understand security. It only takes one weak link in the chain to get hacked.
The cost of ensuring everything is up to date. The cost of maintaining standards and third-party verification.
Visibility - second to audit and compliance which are just checkboxes. AppSec can address real risk. Too much governance, authority and audit versus thinking about how to prevent. Performance used to be an operations thing, needs to be in AppSec.
AppSec is not a company’s core competency. They have a lack of knowledge. They can be taught or hire security professionals but there’s much more to it and it’s constantly evolving. You cannot close all the holes because apps are becoming more and more complex.
The biggest obstacles we see in the industry are the lack of priority in mobile security. However, we know most of the cases where mobile security is low on the priority list are due to lack of knowledge about the landscape and the solutions that exist. That's where we come in - working with clients to understand their mobile ecosystems and identifying vulnerabilities that can quickly turn into major issues. Other challenges we see in the market deal with the app development process. More often than not, we see key obstacles where clients are dealing with security vulnerabilities that are discovered just prior to public release, or worse, after release and available on app stores. That creates significant overhead and at times requires app release dates to be pushed back for reasons that could have been handled days or months before.
Getting application security on the radar. Awareness and concern within the organization. The organizations have not evolved with technology. People defending their turf doesn’t work any more. Developers as the CEO going mainstream. People best positioned to mitigate the risk are in the most powerful position. A network intrusion tool doesn’t solve your problem - an outmoded organizational structure.
Something going totally wrong. One security bridge with a vulnerability. A peer-to-peer VPN company was sharing bandwidth among customers which was a major bridge for malicious activity. Companies, security providers, must be transparent with regard to their solutions.
Security is an afterthought. An API is developed, it’s about to go live, only then does security come up - OAuth, OpenID Connect, API keys - the decision is made at the last minute. Security needs to be addressed earlier. There are concerns that if you bake security into your development policy you may be less agile. We advocate for considering it earlier in the development process and separating it from the business logic. An API gateway enables you to do this, as well as manage policies and governance.
Silos, lack of visibility, developers speak the core language of technology and security and others in the company don’t understand it. People making high-level decisions don’t recognize the implications of the decisions they’re making. Everyone needs to be aware of, and sensitive to, security.
They don’t want to spend the time and the money to fix the problem because it costs them less to take the losses and pay the insurance premiums.
It depends on the industry. C-level executives need to spend real dollars - the problem is not going away. The people who fund security have not bought into its importance.
Unwillingness to admit they have a problem. Need to take security seriously. How to distribute assets across multiple locations for diversity and protection.
What obstacles to application security initiatives are you seeing?
What's the solution from your perspective?