What Are the Most Important Elements of Security?
Experts and executives from across IT told us that fundamentals, a security-first mindset, data protection, visibility, APIs, and automation are the keys.
We asked this question of 25 IT executives involved in application, environmental, and data security. Here's what we learned:
Worry about the fundamentals. Ensure that only the intended parties have access to secured, encrypted data whose integrity and structure are maintained.
Monitor continuously to ensure everyone follows best practices and a continuous integration process from early-stage design through implementation and deployment.
Think security by design. Today's firewalls do not auto-patch and are exploitable at the root level. Network gear is vulnerable. You need to be performing security audits of source code.
Software bugs become critical vulnerabilities. MITRE publishes a list of the top 25 most dangerous code weaknesses. Be aware of them and ensure your code doesn't contain them.
Almost all hacks involve compromised credentials of some sort. Make sure applications are written with security in mind first; make security a tenet of the applications being built. We still believe in a security program where all endpoints are protected and you have rapid surveillance and response. Most companies have at least a dozen security solutions on board, layering security in the network, intrusion detection, security event management, antivirus, more holistic security tools, and endpoint detection and response (EDR). It's not unusual for our clients to have 10,000 security events per day, and the volume varies by an order of magnitude depending on the industry: government, infrastructure, and financial services may see 100,000 per day, while retail and gaming may see 10,000. It's all crime, and the cost of conducting crime has come way down while the potential returns have increased as the amount of data has increased.
Watch the areas that are not controlled, like shared environments on Android and iOS: the flashlight app, for example, is watching along with the emoji keyboard downloaded from China. Assume you are owned, or pwned. Launch an encrypted keyboard. Don't trust, then verify. There are 50 billion polymorphic malware samples.
Start to code securely. There are too many insecure coding practices, and we will see a significant reduction in attack vectors if we follow secure coding best practices. Trendnet was part of a class-action lawsuit over hackable cameras and now must submit all of its code for security review for the next 20 years. This may give them an advantage over other remote camera manufacturers: you'll know their cameras are more secure than their competitors'.
Employ common security controls on a consistent basis. Practice good hygiene, and implement and act in a secure manner. HTTP apps are like network apps but are written in their own way, without good hygiene practices. Users are inherently flawed, so think about who you authenticate, empower, and provide access to.
Risk management. There are so many different issues and threats that companies must prioritize what is most important to secure based on their company or industry.
We see common patterns across 1000+ enterprise customers. IT leaders must increase the clock speed of their business with limited resources and, as the business demands technology solutions ever more quickly, have to figure out how to make IT scale to match. Security professionals need to prevent bad actors from gaining control of systems, but are hampered by poor visibility, shadow IT, and their reputation as the blocker to innovation. IT teams and security teams must partner to develop security and agility together, but their goals often seem misaligned. Any IT and security framework therefore needs elements of agility (enabled by self-service and reuse) as well as control (enabled by visibility and governance).
Applications, whether web or mobile, are the main business driver for many, maybe even most, organizations in the world today. These applications let users interact with the organization's backend servers and data. Making sure they are developed without vulnerabilities that expose users to data they aren't supposed to see is a critical aspect of securing data. Application security is based on the idea of reducing the risk of a breach even before the application has gone to market: the earlier issues are addressed, the easier they are to solve and the more profitable it is in the long term.
Where's My Data?
Companies must know where their information is. Regardless of how much they spend on applications and infrastructure, if they don't know where their data is, they're wasting money.
- Identify the crown jewels most valuable to a company that is managing many different assets in many places, and monitor those assets inside and outside the network.
- Be aware of the storage, transmission, and leakage of data. Apps with functions that take PII and query third parties are leaking that PII to the third party. As a developer, be careful where you are leaking customer data; the Cloudflare bug was a case of leaking customer requests to the internet. Plan for and test the encrypted storage of PII.
- We're going through a trend where people want to expose data and break down silos. This opens data to the rest of the world, and you need to do it through APIs, a key ingredient in data transfer.
- There are gaping holes where companies fail to address security issues around the cloud and the APIs that access it. Email is the number one attack vector for breaches, and companies have poor audit and control over it beyond the network. We focus on securing cloud applications through APIs. APIs are compromised because public developer APIs are not secured, so companies that use SaaS-based applications need to ensure their APIs are secure.
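The PII-leakage point above is the one place in this roundup where a concrete control is easy to show. The following is example code added for this page, not code from the article or from any of the respondents' companies. It assumes a hypothetical third-party lookup that legitimately needs only a customer's ZIP code and plan: an allowlist decides which fields may leave the process, the customer identifier is replaced by a keyed pseudonym, and a pre-send check scans the final payload for values that look like email addresses, phone numbers, or SSNs and refuses to send if any are present. The customer record, field names, and key are all constructed for the example.

```python
import hashlib
import hmac
import json
import re

# Constructed sample record (not real data).
CUSTOMER = {
    "customer_id": "C-10042",
    "name": "Jane Q. Public",
    "email": "jane.public@example.com",
    "phone": "+1-555-0100",
    "ssn": "123-45-6789",
    "zip": "94105",
    "plan": "premium",
}

# Fields the hypothetical third-party service actually needs. The allowlist
# is the control: a field that is not listed never leaves the process.
ALLOWED_FIELDS = {"zip", "plan"}

# Constructed key for pseudonymising identifiers. Assumption: in a real
# deployment this lives in a secrets store and is rotated.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Rough PII shapes for the pre-send gate. These are deliberately simple and
# will not catch everything; they back up the allowlist, not replace it.
PII_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\+?\d{1,3}[-\s.]\d{3}[-\s.]\d{4}"),
}


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash so the third party gets a stable token, not the real id."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def build_outbound_payload(record: dict, allowed: set = ALLOWED_FIELDS) -> dict:
    """Copy only allowlisted fields and attach a pseudonymous subject token."""
    payload = {k: v for k, v in record.items() if k in allowed}
    payload["subject"] = pseudonymise(record["customer_id"])
    return payload


def find_pii(payload: dict) -> list:
    """Return (field, kind) pairs for values that look like PII."""
    hits = []
    for field, value in payload.items():
        text = value if isinstance(value, str) else json.dumps(value)
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(text):
                hits.append((field, kind))
    return hits


def send_to_third_party(record: dict, allowed: set = ALLOWED_FIELDS, transport=None) -> dict:
    """Build the minimised payload, gate it on the PII scan, then hand it to transport."""
    payload = build_outbound_payload(record, allowed)
    leaks = find_pii(payload)
    if leaks:
        # Fail closed: log this as a data-handling defect rather than send it.
        raise ValueError(f"refusing to send payload with PII-like fields: {leaks}")
    if transport is not None:
        transport(json.dumps(payload))
    return payload


if __name__ == "__main__":
    print("full record PII hits:", find_pii(CUSTOMER))
    print("outbound payload:", send_to_third_party(CUSTOMER, transport=print))
```

The allowlist does the real work; the regex scan is a second line of defence that catches a developer widening the allowlist to a field such as `email` without noticing. Both checks run in-process, so nothing reaches the third party until the payload has passed.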
- Kevin Fealey, Principal Consultant and Practice Lead Automation and Integration Services, Aspect Security
- Carolyn Crandall, CMO and Joseph Salazar, Technical Marketing Engineer, Attivo
- Amit Ashbel, Director of Product Marketing and Cyber Security Evangelist, Checkmarx
- Ash Wilson, Strategic Engineering Specialist, CloudPassage
- Paul Kraus, CEO, Eastwind Networks
- Anders Wallgren, CTO, Electric Cloud
- Alexander Polyakov, CTO, ERPScan
- Patrick Dennis, President and CEO, Guidance Software, Inc.
- Craig Lurey, CTO, Keeper Security
- Boaz Shunami, CEO, Komodo Consulting
- Eric Tranle, Global CMO, and Darrin Bogue, Senior Solutions Engineer, LogTrust
- David Waugh, V.P. Sales, ManagedMethods
- Mat Keep, Director of Product Marketing and Analysis, MongoDB
- Aaron Landgraf, Senior Product Marketing Manager and Kevin Paige, Head of Security, MuleSoft
- Fred Wilmot, CEO, PacketSled
- Gary Miliefsky, CEO, Snoopwall
- Wei Lien Dang, V.P. of Product, StackRox
- Cody Cornell, Co-founder and CEO, Swimlane
- Terry Dunlap, Founder and CEO, Tactical Network Solutions
- Chris Wysopal, Co-Founder and CTO, Veracode
- Yitzhak Vager, V.P. Cyber Product Management and Business Development, Verint
- Prabath Siriwardena, Director of Security Architecture, WSO2
Opinions expressed by DZone contributors are their own.