We asked 19 executives who are involved with application security what they saw as the most important elements of application security. As you might expect, their answers covered several diverse themes.
Here's who we talked to:
- Sam Rehman, CTO, Arxan Technologies
- John Pavone, CEO, Aspect Security
- Jon Gelsey, CEO, Auth0
- Mark O’Neill, Vice President Innovation, Axway
- Walter Kuketz, CTO, Collaborative Consulting
- Rami Essaid, CEO, Distil Networks
- Alexander Polyakov, CTO, ERPScan
- Deena Coffman, CEO, IDT911 Consulting
- Craig Lurey, CTO and Co-Founder, Keeper Security
- Max Aulakh, CEO, MAFAZO
- Jessica Rusin, Senior Director of Development, MobileDay
- Kevin Swartz, Marketing Manager, NowSecure
- Julien Bellanger, CEO and Co-Founder, Prevoty
- Kevin Sapp, VP of Strategy, Pulse Secure
- Chris Acton, Vice President of Operations, RiskSense Inc.
- Amit Bareket, CEO, SaferVPN
- Walter O’Brien, Founder and CEO, Scorpion Computer Services
- Francis Turner, VP Research and Security, ThreatSTOP
- Ari Weil, Vice President of Marketing, Yottaa
Here's what they had to say when asked "What do you see as the most important elements of application security?":
Two-factor authentication is key. Have users sign in. Don’t implement your own authentication. Use an established platform like OLAF or AWS development tools. Use a platform, PARSE, or something that’s already established to prevent reverse engineering of your security solution. You can develop from scratch if you have experience. If you don't, use a third party tool. You’re dealing with log-in, password, storage, and encryption. Have you used encryption correctly? When you store the password are you comparing the encryptions to authenticate the user? Encryption is not easy. You need to understand salting of hashes. If you’re wrong, your application is insecure. Implement cryptology correctly. Ensure everything is verified and validated. It's easy to make a mistake or miss something.
Developer behavior. You can give them the tools, the processes and the procedures but their behavior needs to be security oriented. Developers need to be aware of security issues and how what they've developed can be attacked. When writing software, you need libraries, you need to be thinking about light lifting. The behavior of developers has not changed in years. There’s an emphasis on building tight code and scalable apps. Security still lags, it needs to be embedded to do things by default. We need to regularly train on SQL injection and how people exploit code and apps. Developers need to be able to see how they’re being hacked. Do a source code review to be able to see the holes in Java or C#. Encourage developers to work with the things they’ve created. Developers are smart and logical, they need to understand why before being taught how and what. Work in a collaborative manner to help them understand how security works and how hackers work.
Testing of applications wasn’t required until the last decade. Even today, security testing is an afterthought. Testing needs to be integral to the development process as part of secure coding and application security testing.
How to secure products for a company. There is different and new technology constantly being developed. It all needs to be integrated and secure. It can be hard to use the old technology with the new - how to securely code in C++ won’t help to secure the application if it’s written in another language. We need a generic approach to security. OLAF is for web apps written in all languages for old style systems like ERPs and CRMs. We need a solution for enterprise business applications that is more business process oriented. A developer writes code and needs to write the check authorization so everyone else can use it. The same is true for access control. Traditional development of a web app access control module on top of development - like API development, build it once and it works. We need different access controls: 1) how to analyze security of the platform itself, the app server with a step-by-step approach to security; 2) how to securely write source code for those apps. The nine most critical areas are outlined on the Enterprise Application Security Project.
We see the world in three areas: 1) network infrastructure like Cisco; 2) end points like software applications and cell phones; and, 3) application security which used to be behind the wall and secure but now it’s in front of the wall exposed inside and outside the firm because of productivity and customer experience demands. Some companies understand the importance of security and the importance of secure data for their success but there aren't many. There are two silos in a company - enterprise and security. Security defends assets while the enterprise builds assets - they do not work together. Application security is independent from development (building assets). A web app firewall lets people in/out based on little security. This doesn’t provide any security for apps. Microsoft secure coding is the unicorn - think about how an app will need to be secured. Checks come from the AppSec team that uses scanners to find potential holes. Developers are supposed to fix and resend to AppSec; however, developers aren’t security experts and don’t have the time or inclination to fix all the holes before the release date. A lot of the holes may be false positives. At most companies the release date is more important than security. Tens of thousands of applications have been developed over the last 10 years without any testing and these apps are exposed to everyone via the cloud. They are vulnerable because there is no protective layer and no AppSec. $80 billion is spent annually on electronic security but only $1 billion is spent on application security. 70% of all attacks happen at the application layer but less than 2% of the security budget is spent on application security. Everything is network based which involves operations people not software people and the two don’t talk. Less than 5% of security people are software trained. AppSec is the most in demand. Need to give the same language and visibility to developers and security experts to see application security.
If developers can see something under attack they can see the importance of fixing it or the need to block malicious hacks from exploiting a vulnerability. Give everyone visibility to where we’re headed. People are not aligned and AppSec is nonexistent.
Make sure the right user can access the applications - strong user identification methodology. Make sure the devices the user is using to access are secure as well. This is critical as BYOD becomes the norm.
Know who’s not your customer. For example, a hospital has an x-ray machine that accesses the internet, you don’t want the x-ray technician to be able to visit Facebook with the x-ray machine. A small bank in California doesn't have any customers in China so block all traffic from China.
Since we’re mobile, we’re very concerned with protecting user data - we cannot jeopardize customer data or we lose the trust of our customers. Collect the right data, don’t collect data you don’t need. Encrypt all data when transferring from one location to another.
Security is moving in the direction of integrated edge, WAF, cloud ADC and more traditional on-premises firewall, ADC, in-app security and evolving governance, regulations and certifications for processes and people.
Awareness and training. We make it harder than it really is. Help people understand what to do and how to do it. Risk-based approach - treat it like a business, understand the entire portfolio and identify the highest risks. Provide more guidance to developers and IT teams on how to fix problems. How to deal with speed and scale is always an issue with Fortune 100 companies. The move to agile and DevOps is a challenge for AppSec if the company does not prioritize security over speed to market.
Policy and good code. Tools don’t help shore up web app security. Good coding and good patching. The developer must work with the security team.
A holistic view - SCAN = systems, configuration, applications and network identified Stagefright and Samsung vulnerabilities (900 million and 600 million devices, respectively). Developers need to keep the elements they can impact in mind. Make it difficult enough for someone to hack so they move on to something else that’s easier. We’ve written an open source book on mobile security. Custom encryption is weaker than standard encryption. Provide educational resources. Everyone wants to innovate and security cannot slow down the innovation process. Build in security testing at the beginning. Make it easy to test early and often. Test throughout - get to market faster with a more secure product.
Strong authentication and authorization.
Very holistic, touches many concerns. The most important element is education - everywhere, at universities, online, Google Alerts. People are unsure of what they’re protecting against. Vulnerabilities like phishing, using the same password, and your public network not connected over an SSL. People need to know how to prevent vulnerabilities and what to protect against. VPN is a low level technology that protects IO level technology. People need to know more about the security advantages of VPN.
API based integrations have evolved beyond the web browser. In the mobile world, the end user is one step away where the app can do things on the user’s behalf. There’s a new area of security with permissions to do things on your behalf. In the Buser attack, people saw strange tweets going out under their name, changed their Twitter password and saw their app had been hacked, not their Twitter account. Need a good password and secure apps. This becomes more important as we have more wearable devices, without a user interface, that we give permission to update profiles. This is way beyond internet security where users were in front of their computer. API gateways and their management are more important.
Follow secure code principles. OWASP, static and dynamic testing for security, not just the use case. Educate everyone who’s licensing to continue testing the app once it’s added to the web. Environmental vulnerabilities are constantly changing.
Three situations: 1) Most source code and applications have less than 5% code coverage for testing and security. There’s 12% compounded human error. When a hacker looks at the system they can use a test that was never performed to find the vulnerability. Email can be hacked with a blank email because no one ever tested a blank email. 2) Lack of consequences - the same bank that has been hacked every six months for the last six years has the same CTO. There's no accountability. We don’t take cyber security seriously. 3) Migration integrity - inability to prove what was developed and moved is what you asked for. What to do: 1) Use ScenGen (scenario generator) an AI engine that thinks of all tests every 90 minutes. Generate all possible tests against the software - 100% test and behavior coverage, if anything changes you’ll know. 2) Serem for migration integrity - every file is Choctaw with a unique key for the file and proves that nothing has changed in the file from when the key was established. 3) Biorhythm - the rhythm with which you type in your username and password. We can absolutely cut down from 100,000 hackers to maybe five that have a level of sophistication and intelligence that will require extra work.
Trending up over the last two years because the education and awareness of the consumer has been relentless. We need to help the end user be more educated and understand the implications of not keeping their software and applications upgraded. The craftiness of targeted malware and phishing has gone up dramatically. The consumer is scared and doesn’t know what to do. There’s a barrage of security problems every day and people, companies and end users, are not accepting responsibility. Good hygiene is the theme of National Cybersecurity Month.
Since everyone can now see all the devices, you need application self-protection and white box security.
What do you consider to be the most important elements of application security?
Do you have suggestions that are different from what the 19 executives shared with us here?