Growing Threats Make Application Security a Pervasive Necessity, Rather than a Bolted-On Concept

Transcript of a BriefingsDirect on how perimeter security is no longer adequate to protect enterprise data that resides in applications.

Listen to the podcast. Find it on iTunes. Sponsor: HP

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives. Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome back, Raf.

Rafal Los: How do you do?

Gardner: And where are you coming to us from today on your travels?

Los: We're in beautiful Nashville, Tennessee, the home of Opryland and country music.

Gardner: And is it an HP event there?

Los: We're sitting right here at HP Protect, from HP Protect 2012, Day 2.

Gardner: Very good. We have a fascinating show today. We're going to be learning how the telecommunications industry is tackling security, managing the details and the strategy, that's both the tactics and the strategy simultaneously, to an advantage and extending that value onto their many types of customers.

With that, allow me to please introduce our guest, George Turrentine, Senior IT Manager at a large telecom company, with a focus on IT Security and Compliance. Welcome, George.

George Turrentine: Thank you.

Gardner: I'd like also to point out that George started out as a network architect and transitioned to a security architect, and over the past 12 years, George has focused on application security, studying vulnerabilities in web applications using dynamic analysis, and more recently, using static analysis. George holds certifications in CISSP, CISM, and CRISC.

George, let me start with you. Many of the organizations that I'm familiar with are very focused on security, sometimes at a laser level. They're very focused on tactics, on individual technologies and products, and looking at specific types of vulnerabilities, but I sense that, sometimes, they might be missing the strategy, the whole greater than the sum of the parts, that there is a lack of integration in some of these aspects, of how to approach security.

I wonder if that's what you are seeing and if that's an important aspect of keeping a large telecommunications organization able to be fairly robust, when it comes to a security posture.

Attacks have changed

Turrentine: We definitely are at the time and place where attacks against organizations have changed. It used to be that you would have a very focused attack against an organization by a single individual or a couple of individuals. It would be a brute-force type attack. In this case, we're seeing more and more that applications and infrastructure are being attacked, not brute force, but more subtly. The fact that somebody is trying to effect an advanced persistent threat (APT) against a company means they're not looking to set off any alarms within the organization. They're trying to stay below the radar and stay focused on doing a little bit at a time and breaking it up over a long period of time, so that people don't necessarily see what's going on.

Gardner: Raf, how does that jibe with what you are seeing? Is there a new type of awareness that is, as George points out, subtle?

Los: Subtlety is a thing. Nobody wants to be a bull-in-a-china-shop hacker. The reward may be high, but the risk of getting caught and getting busted is also high. The notion that somebody is going to break in and deface your website is childish at best today. As somebody once put it to me, the good hackers are the ones you catch months later; the great ones, you'll never see. That's what we're worried about, right.
Whatever buzzwords we throw around and use, the reality is that attacks are evolving, attackers are evolving, and they are evolving faster than we are and than we have defenses for.

As I've said before, it's like being out in a dark field chasing fireflies. We tend to be chasing the shiny, blinky thing of the day, rather than doing pragmatic security that is relevant to the company or the organization that you're supporting.

Gardner: One of the things I've seen is that there is a different organization, even a different culture, in managing network security, as opposed to, say, application security, and that often, they're not collaborating as closely as they might, and that offers some cracks between their different defenses.

George, it strikes me that in the telecommunications arena, the service providers are at an advantage, where they've got a strong network history and understanding and they're beginning to extend more applications and services onto that network. Is there something to be said that you're ahead of the curve on this bridging of the cultural divide between network and application?

Turrentine: It used to be that we focused a whole lot on the attack and the perimeter and trying to make sure that nobody got through the crunchy exterior. The problem is that, in the modern network scenario, when you're hosting applications, etc., you've already opened the door for the event to take place, because you've had to open up pathways for users to get into your network, to get to your servers, and to be able to do business with you. So you've opened up these holes.

Primary barrier

Unfortunately, a hole that's opened is an avenue of an attack. So the application now has become the primary barrier for protecting data. A lot of folks haven't necessarily made that transition yet to understanding that application security actually is your front row of attack and defense within an organization.

It means that you have to now move into an area where applications not only can defend themselves, but are also free from vulnerabilities or coding flaws that can easily allow somebody to grab data that they shouldn't have access to.

Gardner: Raf, it sounds as if, for some period of time, the applications folks may have had a little bit of an easy go at it, because the applications were inside a firewall. The network was going to be protected, therefore I didn't have to think about it. Now, as George is pointing out, the applications are exposed. I guess we need to change the way we think about application development and lifecycle.

Los: Dana, having spent some time in extremely large enterprise, starting in like 2001, for a number of years, I can't tell you the amount of times applications' owners would come back and say, "I don't feel I need to fix this. This isn't really a big risk, because the application is inside the firewall." Even going back that far, though, that was still a cop-out, because at that time, the perimeter was continuing to erode. Today, it's just all about gone. That's the reality.

So this erosion of perimeter, combined with the fact that nothing is really internal anymore, makes this all difficult. As George already said, applications need not just to be free of bugs, but actually be built to defend themselves in cases where we put them out into an uncertain environment. And we'll call the Internet uncertain on a good day and extremely hostile on every other day.

Turrentine: Not only that, but now developers are developing applications to make them feature rich, because consumers want feature-rich applications. The problem is that those same developers aren't educated and trained in how to produce secure code.

Los: I think nothing illustrates that point better than looking at the way we built legacy applications in extremely large enterprises that were introduced by a fantastic technology in 1976-1977 called the Rack app. It was really well built for the applications of the time, maintaining data access and authentication at a reasonable level.

Then, some of the applications continued to be built and built and built and built over time. We decided, at some point, that we make them accessible "outside the firewall." We slapped the web interface on them and blew all those controls out. So something that was once a solid technology is now a dumb database where anybody can access it, once they get back some spaghetti code in HTML.

Turrentine: The other thing is that too many organizations have a tendency to look at that big event with a possibility of it taking place. Yet hackers aren't looking for the big event. They're actually looking for the small backdoor that they can quietly come in and then leverage that access. They leverage the trust between applications and servers within the infrastructure to promote themselves to other boxes and other locations and get to the data.

Little applications

We used to take for granted that it was protected by the perimeter. But now it isn't, because you have these little applications that most security departments ignore.
They don't test them. They don't necessarily go through and make sure that they're secure or that they're even tested with either dynamic or static analysis, and you are putting them out there because they are "low risk."

Los: The lesson learned is that organizations that have 500, 600, 1,000, 1,200, or 2,000 applications in the corporate space have to make a decision on what's going to be important, what they are going to address, what they are going to let fall behind. There are a certain number of apps you can review, a certain number of assessments you can do, and everything else just has to fall away.

What you've just highlighted is the extreme need to understand, not just the application as a singular entity, but interconnectedness, data interchange, and how data actually flows.

Just because you are developing a marketing app over here, that app may be no big deal in a vacuum, but because of server consolidation, virtual machines (VMs), or the cloud-computing environment you are deploying it to, it now shares space with your financial system.

You have to know that, when you're doing analysis of these things. And this actually makes it a necessity that security people have to have these types of analysis skills and look just past that one autonomous unit.

Turrentine: It may actually be more diverse than that due to the fact that there may be an intermediary system that both the non-secure app and the "risky" app talk to, and just by the fact that they are interconnected, even though it's not a direct interconnection, they are still exposed.

Gardner: Let's chunk this out a little bit. On one side, we have applications that have been written over any number of years, or even decades, and we need to consider the risks of exposing them, knowing that they're going to get exposed. So is that a developer's job? How do we make those older apps either sunsetted or low risk in terms of being exposed?

And on the other side, we've got new applications that we need to develop in a different way, with security instantiated into the requirements right from the get-go. How do you guys parse either side of that equation? What should people be considering as they approach these issues?

Turrentine: I'm going to go back to the fact that even though you may put security requirements in at the beginning, in the requirements phase of the SDLC, the fact is that many developers are going to take the low path and the easiest way to get to what is required and not necessarily understand how to get it more secure.

This is where the education system right now has let us down. I started off programming 30 years ago. Back then, there was a very finite area of memory that you could write an application into. You had to write overlays. You had to make sure that you moved data in and out of memory and took care of everything, so that the application could actually run in the space provided.

Nowadays, we have bloat. We have RAM bloat. We have systems with 16 to 64 gigabytes of RAM.

Los: Just to run the operating system.

We've gotten careless

Turrentine: Just to run the operating system. And we've gotten careless. We've gotten to where we really don't care. We don't have to move things in and out of memory, so we leave it in memory. We do all these other different things, and we put all these features and functionality in there.

The schools, when they used to teach you how to write in very small areas, taught how to optimize the code, how to fix the code, and in many ways, efficiency and optimization gave you security.
Nowadays, we have bloatware. Our developers are going to college, they are being trained, and all they're learning is how to add features and functionality. The grand total of training they get in security is usually a one-hour lecture.

You've got people like Joe Jarzombek at the Department of Homeland Security (DHS), with a Software Assurance Forum that he has put together. They're trying to get security back into the colleges, so that we can teach developers that are coming up how to develop secure code. If we can actually train them properly and look at the mindset, methodologies, and the architecture to produce secure code, then we would get secure applications and we would have secure data.

Gardner: That's certainly a good message for the education of newer developers. How about building more of the security architect role into the scrum, into the team that's in development? Is that another cultural shift that seems to make sense?

Los: We can probably see some of that in the culture that's developing around the DevOps movement. To some extent, it's just a reactive move to the poor quality that's been put out over the last couple of years of software, the reactive move by the smart people in the software development industry to build tribes of knowledge and of intelligence.

It goes all the way up and down the development and software lifecycle chain, from the person who makes requirements happen formally, to the people who write the source code, to those who package it, test it, deploy it, monitor it, and secure it.

It's a small agile group of folks who all have a stake in, not just a piece of the software development lifecycle, but that software package in general. Whether they own 1 or 10 pieces of software or applications, it's almost immaterial. That ownership level is the important part, and that's where you're going to see maybe some of the changes.

Turrentine: Part of it also is the fact that application security architects, who I view differently than a more global security architect, tend to have a myopic view. They're limited, in many cases, by their education and their knowledge, which we all are.

Face it. We all have those same things. Part of the training that needs to be provided to folks is to think outside the box. If all you're doing is defining the requirements for an application based upon the current knowledge of security of the day, and not trying to think outside the box, then you're already obsolescent, and that's imposed upon that application when it's actually put into production.

Project into the future

You have to start thinking further of the evolution that's going on in the way of the attacks, see where it's going, and then project two years or three years in the future to be able to truly architect what needs to be there for today's application, before the release.

Gardner: What about legacy applications? We've seen a lot of modernization. We're able to move to newer platforms using virtualization, cutting the total cost when it comes to the support and the platform. Older applications, in many cases, are here to stay for quite a few years longer. What do we need to think about, when security is the issue of these apps getting more exposure?

Turrentine: One of the things is that if you have a legacy app, one of the areas that they always try to update, if they're going to update it at all, is to write some sort of application programming interface (API) for it. Then, you just opened the door, because once you have an API interface, if the underlying legacy application hasn't been securely built, you've just invited everybody to come steal your data.

So in many ways, legacy applications need to be evaluated and protected, either by a wrapper application or something else that actually will protect the data and the application that has to run and provide access to it, but not necessarily expose it.

I know over the years everybody has said that we need to be putting out more and more web application firewalls (WAFs). I have always viewed a WAF as nothing more than a band-aid, and yet a lot of companies will put a WAF out there and think that after 30 days, they've written the rules, they're done, and they're now secure.

A WAF, unless it is tested and updated on a daily basis, is worthless.

Los: That's the trick. You just hit a sore spot for me, because I ran into that in a previous life and it stunk really bad. We had a mainframe app that had ported along the way that the enterprise could not live without. They put a web interface on it to make it remotely accessible. If that doesn't make you want to run your head through a wall, I don't know what will.

On top of that, I complained loud enough and showed them that I could manipulate everything I wanted to. SQL injection was a brand-new thing in 2004 or something, and it wasn't. They were like, fine, "WAF, let's do WAF." I said, "Let me just make sure that we're going to do this while we go fix the problem." No, no, we could either fix the problem or put the WAF in. Remember that's what the payment card industry (PCI) said back then.

Turrentine: Yeah.

Los: You could either fix the problem or put mitigating control WAFs into the slipstream and then we were done, and let's move on. But it's like any security control. If you put it in and just leave it there, tune it once, and forget that it exists, that's the data that starts to fail on you.

Gardner: I think there is even more impetus now for these web interfaces, as companies try to find a shortcut to go to mobile devices, recognizing that they're having a hard time deciding on a native interface or which mobile device platform to pursue. So they're just webifying the apps and data so that they can get out to that device, which, of course, raises even more data and applications in this field for concern.
Los: I liked that word, "webifying."

Tactics and strategy

Gardner: So let's get back to this issue of tactics and strategy. Should there be someone who is looking at both of these sides of the equation, the web apps, the legacy, vulnerabilities that are coming increasingly to the fore, as well as looking at that new development? How do we approach this problem?

Turrentine: One of the ways that you approach it is that security should not be an organization unto itself. Security has to have some prophets and some evangelists -- we are getting into religion here -- who go out throughout the organization, train people, get them to think about how security should be, and then provide information back and forth and an interchange between them.

That's one of the things that I've set up in a couple of different organizations, what I would call a security focal point. They weren't people in my group. They were people within the organizations that I was to provide services to, or evaluations of.

They would be the ones that I would train and work with to make sure that they were the eyes and ears within the organizations, and I'd then provide them information on how to resolve issues and empower them to be the primary person that would interface with the development teams, application teams, whatever.

If they ran into a problem, they had the opportunity to come back, ask questions, and get educated in a different area. That sort of militia is what we need within organizations.

I've not seen a single security organization that could actually get the headcount they need. Yet this way, you're not paying for headcount, which is getting people dotted-lined to you, or that is working with you and relying on you. You end up having people who will be able to take the message where you can't necessarily take it on your own.

Gardner: Raf, in other podcasts that we've done recently we talked about culture, and now we're talking organization. How do we adjust our organization inside of companies, so that security becomes a horizontal factor, rather than group oversight? I think that's what George was getting at. Is that it becomes inculcated in the organization.

Los: Yeah. I had a brilliant CISO I worked under a number of years back, a gentleman by the name of Dan Conroy. Some of you guys know him. His strategy was to split the security organization essentially uneven, not even close to down the middle, but unevenly into a strategy, governance, and operations.

Strategy and governance became the team that decided what was right, and we were the architects. We were the folks who decided what was the right thing to do, roughly, conceptually how to do it, and who should do it. Then, we made sure that we did regular audits and performed governance activities around its being done.

Then, the operational part of security was moved back into the technology unit. So the network team had a security component to it, the desktop team had a security component to it, and the server team had security components, but they were all dotted-line employees back to the CISO.

Up to date

They didn't have direct lines of reporting, but they came to our meetings and reported on things that were going on. They reported on issues that were haunting them. They asked for advice. And we made sure that we were up to date on what they were doing. They brought us information, it was bidirectional, and it worked great.

If you're going to try to build a security organization that scales to today's pace of business, that's the only way to do it, because for everything else, you're going to have to ask for $10 million in budget and 2,000 new headcounts, and none of those is going to be possible.

Turrentine: I agree.

Gardner: How would we describe that organization? Is there a geometric shape? You hear about T or waterfall or distributed, but how do we describe the type of organization you just described for our security?

Los: An amoeba, or to be more serious, more like a starfish really. If you're looking at the way these organizations are, you have the central group and then tentacles that go out to all the other components of it. I don't have a flashy name for it, but maybe security starfish.

Gardner: George, how would you describe it?

Turrentine: I don't know that it would be a single organism.

Gardner: More of a pond water approach, right?

Turrentine: Yeah.

Gardner: Moving to looking at the future, we talked about some of the chunks with legacy and with new applications. What about some of the requirements for mobile in cloud?

As organizations are being asked to go with hybrid services delivery, even more opportunity for exposure, more exposure both to cloud, but also to a mobile edge, what can we be advising people to consider, both organizationally as well as tactically, for these sorts of threats or these sorts of challenges?
Turrentine: Any time you move data outside the organization that owns it, you're running into problems, whether it's bring your own device (BYOD), or whether it's cloud, that is a public offering. Private cloud is internal. It's just another way of munging virtualization and calling it something new.

But when you start handling data outside your organization, you need to be able to care for it in a proper way. With mobile, a lot of the current interface IDEs and SDKs, etc., try to handle everything as one size fits all. We need to be sending a message back to the owners of those SDKs that you need to be able to provide secure and protected areas within the device for specific data, so that it can either be encrypted or it can be processed in a different way, hashed, whatever it is.

Then, you also need to be able to properly and cleanly delete it or remove it should something try and attack it or remove it without going through the normal channel called the application.

Secure evolution

I don't think anybody has a handle on that one yet, but I think that, as we can start working with the organizations and with the owners of the IDEs, we can get to the point where we can have a more secure evolution of mobile OS and be able to protect the data.

Gardner: Raf, any thoughts before we close out on some of these pending opportunities or challenges when it comes to moving to the mobile edge and to the cloud and hybrid services?

Los: To echo some of the things our executives have been saying, without sounding too much echo, I agree that every decade or so, we hit a directional point. We make either a hard right or a hard left, or we take a turn as an industry, maybe even as a society.

That does sort of coincide with the fact that technology takes roughly 10 years to understand the full impact of it, once it has been implemented and released, as I read somewhere a while back. We're at one of those points, as we sit here right now, where many of the people, the kids going through school today, don't know what a cassette tape is.

When I mention my Zip drive from back in my technology days, they look at me funny. Floppy disks are something they have only heard about or seen in a photo. Everybody texts now. So technology is evolving at a pace that has hit a fever pitch, and society is quickly trying to catch up or pretend like it's going to catch up.

Meanwhile, enterprises are trying to capitalize on those technology changes, and security has to transform with it. We've got to get out of the dark ages of, "What do you do for the company?" "Oh, I do security." No, you don't. You serve the business, in whatever capacity they tell you to. If you can't understand that, then you're going to get stuck in those dark ages, and we just won't go forward. That's my line of thinking.

We're at the point where something has to happen. Being here, walking through the show floor, and having conversations with people like George, John South, and other people who are leading security organizations throughout the big industry players, and some really small ones, I am hopeful. I think we actually get it. It's, "Can we scale it and teach others to think this way fast enough to make an impact before it all goes wrong again?"

Gardner: All right. I am afraid we will have to leave it there. With that, I would like to thank our co-host, Rafal Los, who is the Chief Security Evangelist at HP Software. It's always a pleasure, Raf, thanks so much.

Los: Thanks for having me.

Gardner: And I'd also like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Raf through his personal blog, as well as through the Discover Performance Group on LinkedIn.

I'd also like to extend a huge thank you to our special guest, George Turrentine, the Senior Manager at a large telecom company. Thank you so much, George.

Turrentine: Thank you.

Gardner: And you can gain more insights and information on the best of IT Performance Management at …, and you can also always access this and other episodes in our HP Discover Performance Podcast Series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Sponsor: HP

Transcript of a BriefingsDirect on how perimeter security is no longer adequate to protect enterprise data that resides in applications. Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

  • HP Discover Performance Podcast: McKesson Redirects IT to Become a Services Provider That Delivers Fuller Business Solutions
  • Investing Well in IT With Emphasis on KPIs Separates Business Leaders from Business Laggards, Survey Results Show
  • Expert Chat with HP on How Better Understanding Security Makes it an Enabler, Rather than Inhibitor, of Cloud Adoption
  • Expert Chat with HP on How IT Can Enable Cloud While Maintaining Control and Governance
  • Expert Chat on How HP Ecosystem Provides Holistic Support for VMware Virtualized IT Environments