We asked 19 executives who are involved in application security what they consider to be the greatest opportunities for application security: what does the future look like?
Here's who we talked to:
Sam Rehman, CTO, Arxan Technologies
John Pavone, CEO, Aspect Security
Jon Gelsey, CEO, Auth0
Mark O’Neill, Vice President Innovation, Axway
Walter Kuketz, CTO, Collaborative Consulting
Rami Essaid, CEO, Distil Networks
Alexander Polyakov, CTO, ERPScan
Deena Coffman, CEO, IDT911 Consulting
Craig Lurey, CTO and Co-Founder, Keeper Security
Max Aulakh, CEO, MAFAZO
Jessica Rusin, Senior Director of Development, MobileDay
Kevin Swartz, Marketing Manager, NowSecure
Julien Bellanger, CEO and Co-Founder, Prevoty
Kevin Sapp, VP of Strategy, Pulse Secure
Chris Acton, Vice President of Operations, RiskSense Inc.
Amit Bareket, CEO, SaferVPN
Walter O’Brien, Founder and CEO, Scorpion Computer Services
Francis Turner, VP Research and Security, ThreatSTOP
Ari Weil, Vice President of Marketing, Yottaa
Here's what they had to say when asked "What's the future for application security from your point of view - where do the greatest opportunities lie?":
Everything’s in the cloud. Everyone is able to use cloud services to meet all their encryption needs. Just plug into an app.
Get students thinking about security - especially core and computer engineering.
Baking security into development. Test at every step of development. A secure coding software development life cycle.
AppSec companies provide software as a service whereby they identify vulnerabilities, and have the right people internally that can be trained for the business application since each one is different.
Ability to embed AppSec in applications and communicate with an intelligent engine with a central visibility and protection function where libraries and plugins communicate back to the database. No more firewalls or SDLC to protect apps.
Near-term, in two to five years, opportunity to recognize the need to secure apps directly. Identify users, devices and autonomous things. Identification is a big part of the entire mix. Apple and Google are doing a better job of building fundamental security elements into their platforms. Making security small versus a monolithic security solution. The spectrum of security needs will continue to grow.
Traceability, the ability to know where things are. Documentation, processes, verify documentation, validate documentation. There’s no silver bullet. Get alerts when something changes.
It will be in the mobile space. Fingerprints and iris scans. Applications are constantly evolving with payments.
Moving forward with the IoT and other advances in wearable tech, security will increasingly push out beyond the edge and onto the user him/herself. Also, big data analytics including predictive technology will be employed to proactively protect endpoints and assets before an attack is underway.
Ability to make AppSec part of the development lifecycle. Turn to people and processes for scale. Developers are the keys to success. Improve the education programs around security in universities. Eliminate audit-driven security. Make AppSec integral to development. Tools are being misused - make them more actionable to build a better application. Tools are not a panacea, they provide a false sense of security.
Easy to configure, learn and manage tools that will update themselves on the newest threats. Dynamic code protection. Allow app to defend itself in a dynamic way. Use machine learning to predict hacks and attacks. Allow the system to self-learn.
Automation. Making security accessible for the entire app development lifecycle. The earlier and easier you’re able to integrate security into development the more secure the app will be. Bring awareness to the importance of secure app development.
Cloud-based application security by design. More services that developers use to assemble applications with security built in along the way.
Providing holistic solutions to the platform. Removing the barrier to education. Security is constantly changing with regards to threats and vulnerabilities. In the future, a holistic solution will identify vulnerabilities automatically. There’s more focus on security for financial institutions than for consumer security.
Users will have many devices using apps on their behalf that will always be on. These have to be managed. All devices accessing services on your behalf on a permission-based model. It’s important that security can scale and the user can have a clear view of what’s going on with all of their devices and be able to restrict access on demand. We will see more breaches because organizations are not taking care of API keys.
Education and awareness. Get the development team to the table and have security considered along with functionality rather than as an afterthought. Allow the resources and time for security to be built in along the way.
Put customers and security first - ahead of the shareholders. If a bank ever differentiates themselves as being the most secure bank, they will earn a lot of business. There are opportunities for brands to adopt a more secure solution and make that part of their marketing. There’s an opportunity for more cloud migration. After 13 years of operating AWS, Amazon has gotten pretty good at security. Companies need to get out of the business of running their own data centers and move to secure clouds. If one cloud company is holding the data centers of 100 Fortune 1000 companies, they can afford to invest in the high level of security we’re talking about. Right now we’re putting $1 trillion under the mattress every year and it’s getting stolen. Procurement is the enemy of security because it takes three or four years to buy technology and install it - by then it’s out of date.
It’s still around adoption and education, getting people to realize the importance of prevention. Encrypting data. Least required access. Policies, like HIPAA, turn into code quickly, ideally instantaneously.
Apps that are self-checking, self-adjusting and always changing and morphing.
What's the future of application security from your perspective?
How far out are we talking?