We asked 19 executives who are involved with application security who they saw as the most important players in application security. It was interesting to see how some respondents focused on technology, while others focused on people.
Here's who we talked to:
Sam Rehman, CTO, Arxan Technologies
John Pavone, CEO, Aspect Security
Jon Gelsey, CEO, Auth0
Mark O’Neill, Vice President Innovation, Axway
Walter Kuketz, CTO, Collaborative Consulting
Rami Essaid, CEO, Distil Networks
Alexander Polyakov, CTO, ERPScan
Deena Coffman, CEO, IDT911 Consulting
Craig Lurey, CTO and Co-Founder, Keeper Security
Max Aulakh, CEO, MAFAZO
Jessica Rusin, Senior Director of Development, MobileDay
Kevin Swartz, Marketing Manager, NowSecure
Julien Bellanger, CEO and Co-Founder, Prevoty
Kevin Sapp, VP of Strategy, Pulse Secure
Chris Acton, Vice President of Operations, RiskSense Inc.
Amit Bareket, CEO, SaferVPN
Walter O’Brien, Founder and CEO, Scorpion Computer Services
Francis Turner, VP Research and Security, ThreatSTOP
Ari Weil, Vice President of Marketing, Yottaa
Here's what they had to say when asked "Who do you see as the most important players in application security?":
AWS, their products are tested against many developers and they're way ahead of the curve. They use APIs and low-level products, host their applications on their services, configure network-level security firewalls, enable you to create databases and secure storage of encrypted data, and manage access to the system. This is far superior to buying a server from a random internet provider and then using products that provide a low level of authenticity.
The team lead, this could be an engineer or a project manager executing a project with anywhere from four to 100 people. It’s their job to protect, lead, encourage and continue their training and development. Show their team how to do things. Bring in other resources as appropriate. Security must be ingrained in the behavior of the team lead and the developers. Application security must be part of the development and part of the schedule. There needs to be more education in how to manage secure software in the development lifecycle. This can be done in agile or waterfall. Most use agile - iterative planning. We need to think about how to implement iterative security at the right stages of development.
Developers - they represent the domain knowledge of development and any implementation of security is in their hands. You need information security (InfoSec) teams or a third party that tests and provides insights on findings. The security process is very fragmented - less so in financial services. The problems are with mid-market companies in e-commerce using legacy apps that haven’t been properly tested or are not secure. We are short 150,000 InfoSec professionals. We test apps weekly that are more than five years old and have never been tested. Any business large enough to procure our services will benefit from them. They have holes in their enterprise, they just don’t know about them. We do root cause analysis on problems that consistently lead back to web application flaws that either were not tested, not sufficiently tested or were never secure.
Developers - they put backdoors in the software and application, this causes vulnerabilities that the developers know how to exploit.
Traditional identity management vendors like CA, Oracle and IBM and newer cloud vendors like Okta. On the device side, network access control around devices as well as only allowing healthy devices connect to the network.
It depends on how you define "important players." Application security, levels of DNS protection, web apps, firewalls, Arbor Networks protects against people trying to abuse your system. Security should be checking what’s running. This is a tremendously broad topic. You may have a layered approach for different applications - email versus an app which is just a web service with basic web protections but potentially whatever you run on the server itself. Mitigate what happens if someone gets inside. For the web it’s generic, for apps there are many different needs. For example, e-commerce handling customer information must ensure PCI compliance, verification and encryption - if you’re not handling payments you don’t need any of this.
We’re a small company, 20 people, so everyone is concerned about, and able to answer questions about, security. Servers, apps, and data are all protected. We use Apple Keychain. We're now working on Android. We hired a third-party firm to scan the codebase to ensure there are no problems. We keep frameworks and code up to date. We stay updated on security updates and breaches on Linux. Our tech environment mirrors our production environment.
Someone who’s good at security and pen testing. A developer-focused individual with a knowledge of security. People who can relate to developers do much better. Someone who’s a leader - been there, done that - will have more credibility. An influential player on the IT side of the house who’s well respected. Still need security subject matter expertise and the operations side for incident response. AppSec is the glue that holds it all together. Tripod of security, IT and business acumen.
Web app firewalls - F5 and Imperva. We're not making sufficient strides. We keep using the same technology to iterate without addressing the problem. They’re more focused on PCI compliance than security. They have not evolved. Security has become commoditized with Akamai and Palo Alto getting into the space because of CVNs, firewalls, load balancers. No one knows what works best.
What we’re doing is key moving forward making it easier and more efficient for developers. Automation that doesn’t slow innovation. Making it possible for the individual to build secure mobile applications.
Developers of the applications. The developer makes all of the implementation decisions that affect security. There are a lot of options for components to build on top of. Developers need to be aware of the components that are the simplest and easiest to implement with strong security. Don't try to build from scratch.
There are so many providers it depends on the area you are talking about. Samsung’s KNOX was supposed to provide protection in a closed environment but didn’t. Barracuda, McAfee, APG, no one specific. Different players have different specialties.
It used to be web app security, web browser security, firewalls linked with load balancing. Now it’s expected that applications will have those features. In the last couple of years, we’ve moved on with mobile and IoT calling other APIs. Buser breach in 2013 was the first major breach related to an API. IRS and Snapchat breaches occurred this year. Breaches created a need by getting people to realize that web security and app security are not the same thing.
Developers lay the foundation, find and fix the vulnerabilities.
Really good tools find problems and then people need to fix them. Others have tools not to find problems but will give you a certificate of security for $10,000. All companies want is plausible deniability. The big four security firms got to where they are because they are politically suitable. People with real security software are too expensive for a company to address all the problems they uncover. They expose problems and eliminate plausible deniability.
Former FBI agent, Marc Goodman, got into cybersecurity and wrote a very good book, Future Crimes. Infrastructure providers like Cisco and AWS are building platforms with inherent security features like multi-factor authentication. AWS is making big strides building security into its cloud offerings. The Dell acquisition of EMC will also increase the emphasis on security since EMC owns RSA.
Our company, and a lot of others are doing good work on the cloud side. IBM is doing a great job on the service side. Platform providers Apple and Android are improving their feature sets. Everyone must take a more holistic approach. Look at the entire pipeline as one large application. A lot of attacks are on the hypervisor. You only have to steal the key one time to get access to everything.
Who do you consider to be the most important players in application security?
Anyone different than the folks above shared?