We asked 19 executives who are involved with application security where they say the greatest value is being added.
Here's who we talked to:
Sam Rehman, CTO, Arxan Technologies
John Pavone, CEO, Aspect Security
Jon Gelsey, CEO, Auth0
Mark O’Neill, Vice President Innovation, Axway
Walter Kuketz, CTO, Collaborative Consulting
Rami Essaid, CEO, Distil Networks
Alexander Polyakov, CTO, ERPScan
Deena Coffman, CEO, IDT911 Consulting
Craig Lurey, CTO and Co-Founder, Keeper Security
Max Aulakh, CEO, MAFAZO
Jessica Rusin, Senior Director of Development, MobileDay
Kevin Swartz, Marketing Manager, NowSecure
Julien Bellanger, CEO and Co-Founder, Prevoty
Kevin Sapp, VP of Strategy, Pulse Secure
Chris Acton, Vice President of Operations, RiskSense Inc.
Amit Bareket, CEO, SaferVPN
Walter O’Brien, Founder and CEO, Scorpion Computer Services
Francis Turner, VP Research and Security, ThreatSTOP
Ari Weil, Vice President of Marketing, Yottaa
Here's what they had to say when asked "Where is the greatest value being seen with application security?":
Ensuring no knowledge is lost. If an app is hacked, it’s not a big deal if no knowledge is lost. Zero knowledge doesn’t have the ability to decrypt or see customer data. Data can’t be leaked. If used correctly the hacker gets a big blob of nothing. Write like you think you’re going to be hacked. Think about, and be aware of, what you transmit from the application to the server. Don’t transmit any unnecessary information. Encrypt all information. Encrypt and decrypt on the device level to negate the “man in the middle” sniffing data. Being hacked is process control - antivirus, firewall and security. If you’re hacked, what’s your exposure?
Still basic human education. No tools or processes have sufficiently matured. A sophisticated attacker is not using $100,000 tool to attack. They’re being creative. Don’t buy tools, improve education from different angles.
Detection and transfer of knowledge. Coder or InfoSec team needs to translate to the developer and advise them on how to address security issues. Transfer of domain knowledge is critical to securing web applications.
Companies that develop and use software to analyze source code with static and dynamic code analysis. All of the programs looking for vulnerabilities have too many false positives. Not possible to find all the vulnerabilities in the source code.
Preventing malicious hacks. In an ideal world, applications would always be coded securely, pass all vulnerability scans and penetration tests, and never encounter zero-day attacks. There is no such thing as invulnerable code.
The entire security industry makes customers and organizations more secure while also enabling customers to do more. While trying to make things more secure they are also trying to provide a good end user experience - more seamless, connect more seamlessly. It is unacceptable for antivirus software to slow your computer down. Likewise it is unacceptable for the security solution to slow down the performance of an app.
Web and mobile are the same - it’s all web traffic. The app must be secure regardless of where it resides. Default server with encrypted data - email and credit card is all encrypted and kept in separate databases. All a case of process: encrypt, separate databases. It comes down to design. If you develop ad hoc you have to test and come up with patches for the new hole that you just created in your ad hoc development. Mindset is to have a process. Identify who your customer is - who do you want to have access. Weed people out who aren’t your customers you weed out people doing bad things.
Privacy is huge for business. All data is sensitive. Provide peace of mind.
Starting to become more visible. The greatest value is providing real risk mitigation. AppSec bring visibility beyond just the technically focused. Identify the risk posture so it can be understood by IT executives.
Purpose-built solutions are the only ones providing value at this point. They are solving a specific problem. Others are so broad and general they’re not solving the problem.
Core value for application security is not the incurred cost from poor security as much as it’s dealing with the consequences, reputational, costs senior executive jobs, and worse (e.g. Ashley Madison executive committing suicide).
VPN service provides holistic protection. When you go to a public wi-fi with no SSO protection it’s easy to have your data stolen. When you use a VPN your data is protected - it goes back to education. We work with Movements.org, a crowdsourcing human rights platform to enable people in politically unstable countries to download free cybersecurity software that enables users to circumvent censorship and surveillance.
Organizations are making use of cloud services - their own or third party - which is tied to company financials and corporate purchasing. This adds an extra dimension to the importance of app security. The consumption of other cloud services (e.g. storage, SalesForce, WorkDay) means they all have to be secure. AWS has API web keys that have to be secured. AWS has done a good job of having a more sophisticated model around API security and ensuring that their clients have protected keys to access their services. If you let your keys get into the wrong hands, there are very bad consequences. AWS has increased cloud access security awareness and education. Their model includes signatures and timestamps.
How do you calculate the value of not being attacked? Not having to tell your clients, or the media, that you’ve had a data breach. An ounce of prevention is worth a pound of cure.
Peace of mind, especially with ScenGen - tested everything and had hackers try to hack.
For enterprises, virtualization is starting to pay off because they can enforce encryption and security to virtual desktops and folks who BYOD. Consumer is a mixed bag. Financial services companies are coming out with apps to meet consumer demand but that’s leading to more fake banking apps and consumers unable to tell what’s fake and what isn’t. Big companies are getting more nimble, but this is also inviting more “bad actors.”
Mobile platforms since apps on the front end provide a door to the backend. IoT and medical devices, telematics in automotive. Security, innovation and automation should all go hand-in-hand.
Where are you seeing the greatest value with application security?
Does it differ from the areas shared above? How?