1) Focus on the fundamentals;
2) identify best practices, frameworks, and architectures;
3) embed security in the SDLC;
4) be data centric; and,
5) test and monitor continuously.
To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schone, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, Dreamhost | Anders Wallgren, CTO, Electric Cloud | Alexander Polykov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
Here’s what they told us when we asked them, “What do you see as the most important elements of application and data security?”
- Focus on the fundamentals. Know how attacks take place and implement defense mechanisms. Monitor continuously. You cannot make progress if you are always putting out fires. SQL injection is probably the biggest risk. Pick a strategy. Identify and monitor the security issues at hand and then move on to the next issue. Prioritize issues – don’t worry about shutting the attic window when the front door is open. Organize around sustainable performance.
- Protect the data. Keep hackers out of the app, ensure there are no vulnerabilities via certain paths. Have the appropriate security mechanisms in place: encryption, minimum necessary access, limited presentation of data. There is no longer any network to protect, so vulnerabilities are in the app. Need to identify the potential paths and safeguard them. The app is now the line of defense. Still, 95% of spending is on network and web security versus application; however, awareness and budget are moving. We identify the Open Source used by the application and map the known vulnerabilities like Heartbleed in SSL. In the National Vulnerability Database, 50% of the vulnerabilities pertain to Open Source since it’s widely used. Open Source was 5 to 10% of code five years ago. Today it’s 35 to 40% and 60 to 80% of code bases in new companies. We use package managers like Maven for Java and NuGet for .NET.
- The ability of applications to protect themselves (and the data that is accessible via the app) and rely less on human intervention. Emerging technologies like RASP allow for greater protection with fewer faults than the traditional approaches, which have not proven effective over time because of the labor-intensive actions required to prevent and remediate vulnerabilities.
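The dependency-inventory step described in the second response above (identify the open-source components an application pulls in through its package manager, then map them to known vulnerabilities), as an added example that is not code from the article or from any of the companies named: it parses the dependencies of a Maven pom.xml and checks each one against an advisory list with affected-version ranges. The pom, the org.example coordinates and the ADV-PLACEHOLDER ids are constructed sample data; in practice the advisory data would come from a feed such as the NVD.

```python
"""Map Maven dependencies to known-vulnerability advisories (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample pom.xml; org.example artifacts are not real projects.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>webfw</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>jsonlib</artifactId><version>1.9.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>crypto</artifactId><version>3.0.0</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory data (placeholder ids, not real CVEs):
# (groupId, artifactId) -> [(advisory id, first affected version, first fixed version)]
ADVISORIES = {
    ("org.example", "webfw"): [("ADV-PLACEHOLDER-1", "2.0.0", "2.4.0")],
    ("org.example", "jsonlib"): [("ADV-PLACEHOLDER-2", "1.0.0", "1.8.5")],
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. '2.3.1' -> (2, 3, 1)."""
    return tuple(int(part) for part in version.split("."))


def maven_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] for every <dependency> in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall(".//m:dependencies/m:dependency", MAVEN_NS):
        fields = {k: dep.find(f"m:{k}", MAVEN_NS) for k in ("groupId", "artifactId", "version")}
        if any(el is None or not el.text for el in fields.values()):
            continue  # version inherited from dependencyManagement would need resolving; skipped here
        deps.append(tuple(fields[k].text.strip() for k in ("groupId", "artifactId", "version")))
    return deps


def find_vulnerable(deps, advisories):
    """Return [(coordinate, advisory id, first fixed version)] for dependencies inside an affected range."""
    hits = []
    for group, artifact, version in deps:
        for adv_id, first_affected, first_fixed in advisories.get((group, artifact), []):
            if parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed):
                hits.append((f"{group}:{artifact}:{version}", adv_id, first_fixed))
    return hits
```

Running `find_vulnerable(maven_dependencies(SAMPLE_POM), ADVISORIES)` flags only webfw 2.3.1, since jsonlib 1.9.0 is already past its fixed version and crypto has no advisory.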