To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schone, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, Dreamhost | Anders Wallgren, CTO, Electric Cloud | Alexander Polyakov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
Here's what they told us when we asked them, "What’s the future for application and data security from your point of view - where do the greatest opportunities lie?"
- Scalability is a problem. The future has to be automated better. Use instrumentation to improve by orders of magnitude greater than we have with existing technology. In the future all software will be instrumented for security all the time – protected from injection attacks. Instrumentation will be built in. Business logic and security rules will be integrated. It will be a slow battle for a number of years with big blow ups. The opportunity is to get off scanning in a serial fashion. We need to be continuously monitoring. We’re doing this on the government side and it’s working. Any gaps are windows for hackers to intrude. We have not made significant strides improving application security. Application security should be more complete and important than web and network. Four percent of IT security budgets are spent on applications. At least 50% should be. All applications are different.
- Communications provide control between cloud applications – 365 to Dropbox. How to connect all cloud apps in the cloud? Each cloud app will know what it can and cannot do. You will have a security policy across the cloud.
- Mix different approaches. Dynamic analysis, static analysis, access control, real-time application security to protect, provide virtual patching, and automatic correction.
- There has got to be a breaking point. We must stop being reactive on the defensive side and become proactive. Security needs to stop being seen as a cost versus an opportunity or investment. If we do not become more proactive we will continue to lose customer data and customers. We need a cost-efficient solution in place whereby SMBs are able to defend themselves with humans backed by technology, with the ultimate decision being made by a human.
- Shift to artificial intelligence. Algorithms will be a security pioneer in a machine learning world, like security folks have been doing for years. Credit card fraud: make your own engine; if billing matches shipping you can make rules, but the rules do not learn. Maxmind learns from our customers and other customers as well for accelerated learning.
- Infrastructure from hardware to storage. Virtualization leads to additional layers of security. Micro segmentation of networks. Automation and flexibility of the virtualization environment can bear down and build quickly, iterating as you go. Stay ahead of the bad actors. Better access to more powerful encryption – for good or evil. Computers are getting faster; this leads to stronger encryption technology. Encryption technology should match computer technology. Companies need to be making real investments in and commitments to security.
- Still figuring out software and operating systems to up their game and build in better protection and breach notification. Cybersecurity becomes a boardroom level issue.
- Applications will take an algorithmic approach to identifying malware and vulnerabilities. Data has done a poor job of allocating access to a single scale versus a wider scale. Item level authorization and anomaly detection by the application user – train models to look for variances.
- There haven’t been enough high profile problems yet. Break encryption between keeping free of bugs and certified. High profile problems before everyone takes seriously. Finance with the Target hack. Oracle and POS. The technology is ahead of the consumer. In a few years we may have certification agencies like underwriters’ laboratories but privately run.
- DARPA is currently running the Cyber Grand Challenge with companies playing a capture the flag game trying to hack each other. This has resulted in several companies automatically installing patches of unsecure pieces. The future is a combination of automation and humans for ID verification. Check for vulnerabilities with automation and then detect and automatically fix vulnerabilities.
- Being more aware of security. Training around secure programming techniques. Having safeguards throughout the SDLC, static and dynamic analysis, monitoring, and remediation after a vulnerability is found.
- Just like crime prevention outside of IT, hackers will always be around. However, by building better defenses we can make it harder for hackers. There will still be breaches – inside threats and outside threats. Organizations need to look at the big picture and create a security strategy for the entire company that addresses the network, web, applications, and data.
- RASP (runtime application security protection) is promising, but organizations are hesitant to implement third-party security as part of their code. RASP injects into, but also impacts, the code. Anything added to the app makes an impact – that impact needs to be negligible. No one is currently using RASP because of this. IAST is interactive application security testing, but not in production.
- Clearly we believe that RASP by virtualization offers a great opportunity to improve app security and, by default, data will be better protected, too. But the reason it represents the potential for a leap in security is the ability to see how an app is operating and take an action as a result. Over time, more of this kind of insight and the ability to automate the remediation will result in less human intervention and improved security as security professionals learn how to harness the technology.
- How much information can you use? Add context to it. Autocorrelation to find patterns. Further abstractions are coming with Lambda and Functions next generation concerns and APIs for everything. The APIs must be secure.
- Ongoing variables keep changing. Applications scale out on microservices. Containers package and isolate but they also proliferate with more open ports. Security is an afterthought versus designed up front. We must design for security like we design for quality if we want to improve.
- Automated testing is going to make a big difference in this area in the future. If you consider trends like machine learning and others there is probably going to be a time when computers will automatically try to hack each other. At some recent conferences the combination of human and machine are making quite good progress. The human is guiding and being creative, the machine is just helping with detecting the pattern and executing on it very fast. The same actually goes with prevention of attacks. It’s going to be interesting in which direction this is going to evolve. I started to hear people complaining about the fact that in such scenarios smaller companies would fall short because of missing capability to pay for computing power.
- 1) Automation is a big deal. Nature makes us all different so we can’t all be taken out by the same virus. Computer science needs to go in that direction. A predictable world doesn’t work well with security. Greater variance is easier to secure. 2) Strengthening/hardening techniques. Keep raising the bar. 3) Provide more visibility to the good guys at the same time. It’s a constant race – help read faster and block sooner. 4) Create a baseline. Forget patches on the cloud. For application security, you need to do iOS and Android at the same time because they have the same keys with which to identify sensitive information and private information. Classification threat modeling for what hits the most (i.e., authentication, IP address, production and distribution). Baseline cuts at the bottom of policy.
- Appliances are going away and everything will be virtual and cloud based pointing to a web tool. We will rely on security vendors 100% in the cloud.
What do you see as the future of application and data security?