To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schone, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, Dreamhost | Anders Wallgren, CTO, Electric Cloud | Alexander Polykov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
Here's what they told us when we asked them, "What do you see as the most important elements of application and data security?"
- Focus on the fundamentals. Know how attacks take place and implement defense mechanisms. Monitor continuously. You cannot make progress if you are always putting out fires. SQL injection is probably the biggest risk. Pick a strategy. Identify and monitor the security issues at hand and then move on to the next issue. Prioritize issues – don’t worry about shutting the attic window when the front door is open. Organize around sustainable performance.
- Being data-centric is the only solution to protect data and files when sending to the cloud or sharing with others. People are depending on their cloud solutions to secure their data. Salesforce just began allowing customers to encrypt data on their cloud. Clients using Dropbox and Box are using our solution to maintain security of files and email. After getting an email, you are able to control what recipients can and cannot do with it.
- Security configuration, customization, and access control.
- Reduce the time to detection and include security in each phase of software development.
- Security is a new responsibility. PCI compliance for ecommerce. Hardware firewalls for APIs. Bigger clients have VPNs for their developers. Physically lock things down. Follow the OWASP Top 10. Use a PCI scanner to search for a lot of this. When in the cloud, AWS is PCI compliant. Strongly oppose hybrid cloud solutions because it’s a pain to manage security. If clients have both, make sure VPNs are solid.
- Vigilance at all layers. The infrastructure layer is secure, with all data on the disk encrypted. The hypervisor is currently up to date on all software. Do not migrate to the host. Watch for CVEs and patch. With a network, the customer is able to take advantage of virtual networks. Every tenant is isolated from other tenants. VXLAN – isolation, custom creation, and additional private networks. Secure data, network, infrastructure, virtual networks, and security groups. Then get to customers and educate them on tips and tricks.
- Forums in different areas of technology. Enterprise architecture. Security and risk. O-ESA (Open Enterprise Security Architecture): one set of principles, design for malice, threat model using Microsoft STRIDE, thinking about spoofing, tampering, and appropriate countermeasures based on solid design principles.
- Rigorously follow best practices and use frameworks for auditing and logging. 99% of application developers would benefit from application frameworks. Always presume an app will run under minimum security and will be attacked. Work inside a framework that has security built in. I heard Mudge (a.k.a. Peiter Zatko) at DEF CON talking about his Cyber Independent Testing Lab (CITL), where they are testing to learn about the applications that exhibit the best security practices. There is a huge variance in best practices from one manufacturer and operating system to another. CITL is working on mapping vulnerabilities and exploits.
- Shift security as far left as possible in the SDLC. This doesn’t happen by accident. You must consider the architecture. Automate, test rigorously as part of the pipeline.
- Need a secure SDLC with trained developers, QAs, and operations guiding the process from the very beginning. Think about new features or products, not just edits when everything is done. Secure data transmission with SSL and TLS; need to fix vulnerabilities.
- Protect the data. Keep hackers out of the app; ensure there are no vulnerabilities via certain paths. Have the appropriate security mechanisms in place: encryption, minimum necessary access, limited presentation of data. There is no longer any network to protect, so vulnerabilities are in the app. Need to identify the potential paths and safeguard them. The app is now the line of defense. Still, 95% of spending is on network and web security versus application; however, awareness and the budget are moving. We identify the open source used by the application and map the known vulnerabilities, like Heartbleed in SSL. In the National Vulnerability Database, 50% of the vulnerabilities pertain to open source since it’s widely used. Open source was 5 to 10% of code five years ago. Today it’s 35 to 40%, and 60 to 80% of code bases in new companies. We use package managers like Maven for Java and NuGet for .NET.
- Four pillars of security: 1) database security to prevent SQL injection; 2) scan software for sensitive data discovery; 3) active monitoring of the database; and 4) dynamic data masking. SMEs are moving to the cloud with three types of databases: 1) production database; 2) the developer environment; and 3) the production environment. Security with compliance. Hit the bullet points of compliance: front end, back end, and analytics. Most breaches come at the front end or back end, and the damage is done. The database is the last line of defense and always a target for attackers. As such, it's best to have a dedicated security layer for the database. Lastly, have simple rules to define, maintain, and control information while in the database.
- Wide range of solutions. Source code analysis. Static testing through the SDLC to dynamic and penetration testing at the end. Interactive AppSec testing. Our view is getting developers to be part of the effort rather than develop and then conduct security testing.
- The ability of applications to protect themselves (and the data that is accessible via the app) and rely less on human intervention. Emerging technologies like RASP allow for greater protection with fewer faults than the traditional approaches that have not proven to be effective over time because of the labor intensive actions required to prevent and remediate vulnerabilities.
- Depends on the entry point. Were you born in the cloud or are you migrating to the cloud? If you are born in the cloud, you’re able to take advantage of architectural patterns. If you are moving to the cloud you need to understand the differences between on premises and cloud and the lack of a physical layer of infrastructure.
- 1) Development testing and staging, not production. Data security with a production-like configuration with realistic production data and a copy of the data that cannot be corrupted and anonymized. 2) Customer using sandboxing to configure for security testing (i.e. financial services). Building cyber ranges that include applications, infrastructure, and enable the training of IT professionals to catch hacks. You must sandbox apps for testing before deploying to meet privacy and regulatory requirements along with an audit trail.
- The most important elements are ensuring integrity and non-repudiation as well as establishing visibility across the entire process. Visibility is especially interesting because you cannot protect against something that you don’t see.
- 1) People overinvest in data security, with transactions getting the dollars. More data is created and disseminated every day. There needs to be a greater focus on application logic. Maintain the integrity at run time. Provide a holistic end-to-end solution from back end to run time. Think about how to protect the logic and the API. We had one customer where hackers broke their application in half and put one half in the cloud for all other hackers to access. You must focus on providing an atomic, tamper-proof unit. 2) You need secure communication between the front end and the back end, binding the client side and the service side in a meaningful and safe way – in-band security. 3) Understand behavior – observe, monitor, and understand to gather insights into what’s happening.
- Ensure there’s no unauthorized access or loss of data. Put up firewalls, have a sound operating policy, and employee training. You need people with security knowledge.
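Two of the responses above single out SQL injection as the biggest application risk and name dynamic data masking as one of the pillars of database security. The following is an added example, not code from the article or from any of the vendors quoted in it, that shows both on one small table: a lookup built by string formatting, the same lookup with a bound parameter, and a masking layer in front of the result set. It uses only the Python standard library with a constructed in-memory SQLite database, so it runs offline; the `billing` role name and the sample rows are assumptions made for illustration.

```python
"""String-built SQL versus parameterized queries, plus a simple
dynamic-masking layer in front of the result set.

Added example (not the article's or any vendor's code). Uses only the
standard library and a constructed in-memory SQLite table.
"""
import sqlite3

# Constructed sample data for the demo; not real customers or card numbers.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com", "4111111111111111"),
    (2, "bob", "bob@example.com", "5500000000000004"),
    (3, "carol", "carol@example.com", "340000000000009"),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the WHERE clause by string formatting.

    Attacker-controlled input becomes part of the SQL grammar, so a
    payload such as  ' OR '1'='1  turns a one-user lookup into a dump of
    every row in the table.
    """
    sql = (
        "SELECT id, username, email, card FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter.

    The driver passes the value separately from the statement text, so the
    payload is compared as a literal username and matches nothing.
    """
    sql = "SELECT id, username, email, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def mask_card(card: str) -> str:
    """Dynamic data masking: keep the last four digits, hide the rest."""
    return "*" * (len(card) - 4) + card[-4:]


def query_with_masking(conn: sqlite3.Connection, username: str, role: str) -> list:
    """Role-aware wrapper around the safe query.

    Only the assumed 'billing' role sees the card number in the clear;
    every other caller gets the masked form. Masking happens at query time,
    so the stored value is untouched and the policy lives in one place.
    """
    rows = find_customer_safe(conn, username)
    result = []
    for cid, user, email, card in rows:
        if role != "billing":
            card = mask_card(card)
        result.append((cid, user, email, card))
    return result


def demo() -> dict:
    """Run the injection payload through both lookups and one masked query."""
    conn = build_db()
    payload = "' OR '1'='1"
    return {
        # String-built query: the payload widens the WHERE clause to every row.
        "vulnerable_rows": len(find_customer_vulnerable(conn, payload)),
        # Parameterized query: the payload is just an unknown username.
        "safe_rows": len(find_customer_safe(conn, payload)),
        # Non-billing caller sees only the last four digits.
        "masked_card": query_with_masking(conn, "alice", "support")[0][3],
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary with three rows returned by the string-built query, zero by the parameterized one, and a card value of the form `************1111` for the non-billing caller. The point of keeping the masking in the query wrapper rather than in the presentation layer is that every code path that reads the table, including reporting and analytics, gets the same policy.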
What do you consider to be the most important elements of application and data security?