Application Security

8/24/2016
09:00 AM
Mike Convertino
Commentary

When Securing Your Applications, Seeing Is Believing

While the cloud is amazing, a worrying lack of visibility goes along with it. Keep that in mind as you develop your security approach.

Like many of my peers, I marvel at the amazing ways the cloud has changed our lives and how we work. At the same time, I’ve lost untold hours of sleep worrying about the security risks this transformation creates. As a CISO, I spend a big chunk of every day planning for, evaluating, and responding to different types of threats to our network and applications. But that’s not what keeps me up at night—it’s the areas of exposure and lack of visibility that I know exist and yet have a limited ability to address. Basically, the things that don’t go bump in the night.

As companies move more of their infrastructure, applications, and data to the cloud, and as that move makes it easier to deploy and use new technology within our organizations, we’re creating gaps in visibility that make even the most battle-tested of CISOs sweat. Information security is our stock in trade, but visibility and knowledge are our currency. Knowing all there is to know about what is happening at any given time from the infrastructure to the middle and to the app layers is critical in maintaining a comprehensive security posture.

And so, as we hit the cloud era in full stride, we must face two realities: First, all the flexibility, speed, and scale the cloud brings will cost us no small measure of visibility and knowledge despite cloud providers’ best efforts in logging and control. We are accustomed to having full control of everything happening across our networks. But now, as more of our data resides in the public cloud, we aren’t always able to see who is accessing that data and what they’re doing with it. As we move our infrastructure to Amazon, Microsoft, or Google, do we get comprehensive activity logs that show us how our information is moving throughout their network infrastructure? Not today, we don’t.

Second, as the proliferation of devices and decentralization of the workforce dissolve the traditional perimeter, our greatest area of exposure is no longer the network but the applications themselves. Yet a significant majority of resources still go toward network security rather than securing the app. According to a recent study we partnered on, 18% of IT security budgets go to application security while 39% goes to traditional network perimeter security. And the complexity of this issue grows exponentially as companies adopt and deploy more and more services and apps across public cloud, data center, and virtualized environments. Threading together a single comprehensive picture of what is happening to your critical content and apps has become incredibly challenging.

So what do we do? Of course, security needs to be an integral part of any cloud adoption strategy. Smart CISOs identify areas of exposure and blind spots and implement a strong risk management plan that includes solutions that can help close those gaps. And as many companies introduce DevOps models, it will be more important than ever to embed automated security testing alongside automated functional testing. Today, DevOps teams focus on standard functional testing, but we need to create a similarly standard security testing protocol and address security up front in the development process, so that we don’t sacrifice security in our aims to speed up app deployment.
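As an added illustration, not taken from the article or its author: one concrete way to embed security testing alongside functional testing is to make both of them gates in the same CI pipeline, so a security finding blocks a release exactly as a failing functional test would. The workflow below is a GitHub Actions configuration for a hypothetical Python service; the repository layout (code in src/, tests in tests/, pinned dependencies in requirements.txt), the Python version, and the choice of tools (pytest for functional tests, Bandit for static analysis of our own code, pip-audit for known-vulnerable dependencies) are all assumptions for the example.

```yaml
# Added example (not from the article): a CI workflow where security checks
# run as first-class gates next to the functional test suite.
# Assumed layout: application code in src/, tests in tests/, pinned
# dependencies in requirements.txt.
name: ci

on: [push, pull_request]

jobs:
  functional-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -r requirements.txt pytest
      # The functional suite most DevOps teams already run.
      - run: pytest -q tests/

  security-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -r requirements.txt bandit pip-audit
      # Static analysis of our own code. "-ll" reports medium severity and
      # above; Bandit exits non-zero when it finds such issues, so findings
      # fail the job like a failed test.
      - run: bandit -r src/ -ll
      # Dependency check against known-vulnerability data; pip-audit exits
      # non-zero when a pinned package has a known vulnerability.
      - run: pip-audit -r requirements.txt

  # Deployment depends on both jobs, so neither a failing functional test nor
  # a security finding can be skipped on the way to production.
  deploy:
    needs: [functional-tests, security-tests]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    steps:
      - run: echo "deployment step goes here (placeholder)"
```

The design point is the `needs:` list on the deploy job: security checks are not an advisory report that someone reads later but a hard dependency of the release, which is what "addressing security up front" looks like in pipeline terms. Teams that want to introduce the gate gradually can start by running the security job without `needs:` to measure the noise, then tighten the Bandit severity threshold and make the gate mandatory once the baseline is clean.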

The cloud will mature and we will see newer, better ways of monitoring, tracking, and logging activities—giving us back the visibility we need to ensure the safety of our data. With that will come the ability to more effectively use machine learning and advanced analytics to automate functions, anticipate threats, and orchestrate responses.

As security professionals, we are too often in the position of explaining to people in our organizations why we can’t do something. But it doesn’t have to stay this way. With a security approach that addresses the threats of today and tomorrow — and a few of the emerging advances mentioned in the previous paragraph — we can have the confidence to shift our mindset, and start saying yes more than no. And maybe, just maybe, get a few more hours of sleep.

Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ...

Comments

eitanbr, 8/25/2016 | 12:04:33 PM
Great article
I like the article a lot, great view on the subject.

The perimeter shift to the cloud is indeed creating visibility and security issues.