8/24/2016
09:00 AM
Mike Convertino
Commentary

When Securing Your Applications, Seeing Is Believing

While the cloud is amazing, a worrying lack of visibility goes along with it. Keep that in mind as you develop your security approach.

Like many of my peers, I marvel at the amazing ways the cloud has changed our lives and how we work. At the same time, I’ve lost untold hours of sleep worrying about the security risks this transformation creates. As a CISO, I spend a big chunk of every day planning for, evaluating, and responding to different types of threats to our network and applications. But that’s not what keeps me up at night—it’s the areas of exposure and lack of visibility that I know exist and yet have a limited ability to address. Basically, the things that don’t go bump in the night.

As companies move more of their infrastructure, applications, and data to the cloud, and as that move makes it easier to deploy and use new technology within our organizations, we’re creating gaps in visibility that make even the most battle-tested of CISOs sweat. Information security is our stock in trade, but visibility and knowledge are our currency. Knowing all there is to know about what is happening at any given time from the infrastructure to the middle and to the app layers is critical in maintaining a comprehensive security posture.

And so, as we hit the cloud era in full stride, we must face two realities: First, all the flexibility, speed, and scale the cloud brings will cost us no small measure of visibility and knowledge despite cloud providers’ best efforts in logging and control. We are accustomed to having full control of everything happening across our networks. But now, as more of our data resides in the public cloud, we aren’t always able to see who is accessing that data and what they’re doing with it. As we move our infrastructure to Amazon, Microsoft, or Google, do we get comprehensive activity logs that show us how our information is moving throughout their network infrastructure? Not today, we don’t.

Second, as the proliferation of devices and decentralization of the workforce dissolve the traditional perimeter, our greatest area of exposure is no longer the network but the applications themselves. Yet a significant majority of resources still go toward network security rather than securing the app. According to a recent study we partnered on, 18% of IT security budgets go to application security while 39% goes to traditional network perimeter security. And the complexity of this issue grows exponentially as companies adopt and deploy more and more services and apps across public cloud, data center, and virtualized environments. Threading together a single comprehensive picture of what is happening to your critical content and apps has become incredibly challenging.

So what do we do? Of course, security needs to be an integral part of any cloud adoption strategy. Smart CISOs identify areas of exposure and blind spots and implement a strong risk management plan that includes solutions that can help close those gaps. And as many companies introduce DevOps models, it will be more important than ever to embed automated security testing alongside automated functional testing. Today, DevOps teams focus on standard functional testing, but we need to create a similarly standard security testing protocol and address security up front in the development process, ensuring that we don’t sacrifice security in our aim to speed up app deployment.

The cloud will mature and we will see newer, better ways of monitoring, tracking, and logging activities—giving us back the visibility we need to ensure the safety of our data. With that will come the ability to more effectively use machine learning and advanced analytics to automate functions, anticipate threats, and orchestrate responses.

As security professionals, we are too often in the position of explaining to people in our organizations why we can’t do something. But it doesn’t have to stay this way. With a security approach that addresses the threats of today and tomorrow — and a few of the emerging advances mentioned in the previous paragraph — we can have the confidence to shift our mindset, and start saying yes more than no. And maybe, just maybe, get a few more hours of sleep.

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ...
Comments
eitanbr
eitanbr,
User Rank: Author
8/25/2016 | 12:04:33 PM
Great article
I like the article a lot, great view on the subject.

The perimeter shift to the cloud is indeed creating visibility and security issues.