
Application Security

8/24/2016 09:00 AM
Mike Convertino
Commentary

When Securing Your Applications, Seeing Is Believing

While the cloud is amazing, a worrying lack of visibility goes along with it. Keep that in mind as you develop your security approach.

Like many of my peers, I marvel at the amazing ways the cloud has changed our lives and how we work. At the same time, I’ve lost untold hours of sleep worrying about the security risks this transformation creates. As a CISO, I spend a big chunk of every day planning for, evaluating, and responding to different types of threats to our network and applications. But that’s not what keeps me up at night—it’s the areas of exposure and lack of visibility that I know exist and yet have a limited ability to address. Basically, the things that don’t go bump in the night.

As companies move more of their infrastructure, applications, and data to the cloud, and as that move makes it easier to deploy and use new technology within our organizations, we’re creating gaps in visibility that make even the most battle-tested of CISOs sweat. Information security is our stock in trade, but visibility and knowledge are our currency. Knowing all there is to know about what is happening at any given time from the infrastructure to the middle and to the app layers is critical in maintaining a comprehensive security posture.

And so, as we hit the cloud era in full stride, we must face two realities: First, all the flexibility, speed, and scale the cloud brings will cost us no small measure of visibility and knowledge despite cloud providers’ best efforts in logging and control. We are accustomed to having full control of everything happening across our networks. But now, as more of our data resides in the public cloud, we aren’t always able to see who is accessing that data and what they’re doing with it. As we move our infrastructure to Amazon, Microsoft, or Google, do we get comprehensive activity logs that show us how our information is moving throughout their network infrastructure? Not today, we don’t.

Second, as the proliferation of devices and decentralization of the workforce dissolve the traditional perimeter, our greatest area of exposure is no longer the network but the applications themselves. Yet a significant majority of resources still go toward network security rather than securing the app. According to a recent study we partnered on, 18% of IT security budgets go to application security while 39% goes to traditional network perimeter security. And the complexity of this issue grows exponentially as companies adopt and deploy more and more services and apps across public cloud, data center, and virtualized environments. Threading together a single comprehensive picture of what is happening to your critical content and apps has become incredibly challenging.

So what do we do? Of course, security needs to be an integral part of any cloud adoption strategy. Smart CISOs identify areas of exposure and blind spots and implement a strong risk management plan that includes solutions that can help close those gaps. And as many companies introduce DevOps models, it will be more important than ever to embed automated security testing alongside automated functional testing. Today, DevOps teams focus on standard functional testing, but we need to create a similarly standard security testing protocol and address security up front in the development process, so that we don’t sacrifice security in our efforts to speed up app deployment.

The cloud will mature and we will see newer, better ways of monitoring, tracking, and logging activities—giving us back the visibility we need to ensure the safety of our data. With that will come the ability to more effectively use machine learning and advanced analytics to automate functions, anticipate threats, and orchestrate responses.

As security professionals, we are too often in the position of explaining to people in our organizations why we can’t do something. But it doesn’t have to stay this way. With a security approach that addresses the threats of today and tomorrow — and a few of the emerging advances mentioned in the previous paragraph — we can have the confidence to shift our mindset, and start saying yes more than no. And maybe, just maybe, get a few more hours of sleep.


Mike Convertino is the chief security officer at Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry. He is an experienced executive, leading both information security and product development at multiple leading ...
Comments
eitanbr, User Rank: Author
8/25/2016 | 12:04:33 PM
Great article
I like the article a lot, great view on the subject.

The perimeter shift to the cloud is indeed creating visibility and security issues.