DZone recently interviewed 19 application and data security executives to gather insights on trends and business practices. Jeff Williams, Contrast Security CTO and Co-Founder, was interviewed to provide his observations.
Takeaways included:
1) Focus on the fundamentals;
2) Identify best practices, frameworks, and architectures;
3) Embed security in the SDLC;
4) Be data centric; and,
5) Test and monitor continuously.
Here's a list of folks interviewed:
Sam Rehman, CTO, Arxan | Brian Hanrahan, Product Manager, Avecto | Philipp Schone, Product Manager IAM & API, Axway | Bill Ledingham, CTO, Black Duck | Amit Ashbel, Marketing, Checkmarx | Jeff Williams, CTO and Co-Founder, Contrast Security | Tzach Kaufman, CTO and Founder, Covertix | Jonathan LaCour, V.P. of Cloud, Dreamhost | Anders Wallgren, CTO, Electric Cloud | Alexander Polyakov, CTO and Co-Founder, ERPScan | Dan Dinnar, CEO, HexaTier | Alexey Grubauer, CIO, Jumio | Joan Wrabetz, CTO, Quali | John Rigney, CTO, Point3 Security | Bob Brodie, Partner, SUMOHeavy | Jim Hietala, V.P. Business Development Security, The Open Group | Chris Gervais, V.P. Engineering, Threat Stack | Peter Salamanca, V.P. of Infrastructure, TriCore Solutions | James E. Lee, EVP and CMO, Waratek
- Focus on the fundamentals. Know how attacks take place and implement defense mechanisms. Monitor continuously. You cannot make progress if you are always putting out fires. SQL injection is probably the biggest risk. Pick a strategy. Identify and monitor the security issues at hand and then move on to the next issue. Prioritize issues – don’t worry about shutting the attic window when the front door is open. Organize around sustainable performance.
- Being data-centric is the only solution to protect data and files when sending to the cloud or sharing with others. People are depending on their cloud solutions to secure their data. Salesforce just began allowing customers to encrypt data on their cloud. Clients using Dropbox and Box are using our solution to maintain security of files and email. After getting an email, you are able to control what recipients can and cannot do with it.
- Security configuration, customization, and access control.
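The first takeaway above names SQL injection as probably the biggest risk and asks teams to know how the attack works and implement the defense. The following is an added example, not code from the interview or from any vendor's product: it puts the defective pattern (user input spliced into SQL text) beside the fundamental fix (a parameterized query) and runs both against a small in-memory SQLite table with constructed rows. The table, rows and inputs are all constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Create an in-memory database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The classic defect: the caller's input becomes part of the SQL text,
    so the database cannot distinguish data from code."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """The fundamental defense: a parameterized query. The SQL text is fixed
    and the value is bound separately, so it is only ever compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed inputs: an ordinary lookup and the textbook tautology string
# that application security scanners send to find exactly this defect.
NORMAL_INPUT = "alice"
TAUTOLOGY_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    conn = setup_db()
    print(find_user_vulnerable(conn, NORMAL_INPUT))     # [('alice', 'admin')]
    print(find_user_vulnerable(conn, TAUTOLOGY_INPUT))  # every row: the WHERE clause became a tautology
    print(find_user_safe(conn, TAUTOLOGY_INPUT))        # []: the string is compared as a literal name
```

The monitoring side of the same takeaway follows from the contrast: the vulnerable function returns three rows for a lookup that should match at most one, which is the kind of anomaly a query-level detector or runtime protection agent keys on, while the parameterized version simply has nothing to detect.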
Developing a robust application security program does not need to be a daunting task...
Perhaps all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress toward 100% coverage. By implementing eight functions within an enterprise, you can assemble an effective application security program.