Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/24/2016
09:00 AM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

When Securing Your Applications, Seeing Is Believing

While the cloud is amazing, a worrying lack of visibility goes along with it. Keep that in mind as you develop your security approach.

Like many of my peers, I marvel at the amazing ways the cloud has changed our lives and how we work. At the same time, I’ve lost untold hours of sleep worrying about the security risks this transformation creates. As a CISO, I spend a big chunk of every day planning for, evaluating, and responding to different types of threats to our network and applications. But that’s not what keeps me up at night—it’s the areas of exposure and lack of visibility that I know exist and yet have a limited ability to address. Basically, the things that don’t go bump in the night.

As companies move more of their infrastructure, applications, and data to the cloud, and as that move makes it easier to deploy and use new technology within our organizations, we’re creating gaps in visibility that make even the most battle-tested of CISOs sweat. Information security is our stock in trade, but visibility and knowledge are our currency. Knowing all there is to know about what is happening at any given time from the infrastructure to the middle and to the app layers is critical in maintaining a comprehensive security posture.

And so, as we hit the cloud era in full stride, we must face two realities: First, all the flexibility, speed, and scale the cloud brings will cost us no small measure of visibility and knowledge despite cloud providers’ best efforts in logging and control. We are accustomed to having full control of everything happening across our networks. But now, as more of our data resides in the public cloud, we aren’t always able to see who is accessing that data and what they’re doing with it. As we move our infrastructure to Amazon, Microsoft, or Google, do we get comprehensive activity logs that show us how our information is moving throughout their network infrastructure? Not today, we don’t.

Second, as the proliferation of devices and decentralization of the workforce dissolve the traditional perimeter, our greatest area of exposure is no longer the network but the applications themselves. Yet a significant majority of resources still go toward network security rather than securing the app. According to a recent study we partnered on, 18% of IT security budgets go to application security while 39% goes to traditional network perimeter security. And the complexity of this issue grows exponentially as companies adopt and deploy more and more services and apps across public cloud, data center, and virtualized environments. Threading together a single comprehensive picture of what is happening to your critical content and apps has become incredibly challenging.

So what do we do? Of course, security needs to be an integral part of any cloud adoption strategy. Smart CISOs identify areas of exposure and blind spots and implement a strong risk management plan that includes solutions that can help close those gaps. And as many companies introduce DevOps models, it will be more important than ever to embed automated security testing alongside automated functional testing. Today, DevOps teams focus on standard function testing, but we need to create a similarly standard security testing protocol and address security up front in the development process that ensures we don’t sacrifice security in our aims to speed up app deployment.

The cloud will mature and we will see newer, better ways of monitoring, tracking, and logging activities—giving us back the visibility we need to ensure the safety of our data. With that will come the ability to more effectively use machine learning and advanced analytics to automate functions, anticipate threats, and orchestrate responses.

As security professionals, we are too often in the position of explaining to people in our organizations why we can’t do something. But it doesn’t have to stay this way. With a security approach that addresses the threats of today and tomorrow — and a few of the emerging advances mentioned in the previous paragraph — we can have the confidence to shift our mindset, and start saying yes more than no. And maybe, just maybe, get a few more hours of sleep.

Related Content:

 

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
eitanbr
50%
50%
eitanbr,
User Rank: Author
8/25/2016 | 12:04:33 PM
Great article
I like the article a lot, great view on the subejct.

The perimeter shift to the cloud is indeed creating visibility and security issues.
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20477
PUBLISHED: 2020-02-19
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
CVE-2019-20478
PUBLISHED: 2020-02-19
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
CVE-2011-2054
PUBLISHED: 2020-02-19
A vulnerability in the Cisco ASA that could allow a remote attacker to successfully authenticate using the Cisco AnyConnect VPN client if the Secondary Authentication type is LDAP and the password is left blank, providing the primary credentials are correct. The vulnerabilities is due to improper in...
CVE-2015-0749
PUBLISHED: 2020-02-19
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker ...
CVE-2015-9543
PUBLISHED: 2020-02-19
An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is rel...