“Observability is critical to security”
Jeff Williams, CTO and Co-founder at Contrast Security, spoke to us about the newest State of Application Security in Financial Services Report. Read his insights on the importance of observability, how false positives affect security, and the best practices we should all take.
JAXenter: Hi Jeff, let’s talk about the State of Application Security in Financial Services report. According to the report, 75% of respondents are increasing their security budget in 2021. Why is this?
Jeff Williams: The big picture is that companies in the financial industry are actually software companies that happen to do finance. Large financials have thousands of software applications and more developers than Microsoft. Financials are also the largest consumer of open source software.
I could go on, but the point is that application security is critical to the future of these businesses. As applications get more complex, more interconnected, and more critical – the risk goes up exponentially. The report clearly lays out an untenable situation – the number of vulnerabilities and attacks is simply not sustainable. So, financials are increasing their spend and taking application security seriously.
JAXenter: How important is observability in relation to security?
Jeff Williams: Observability is critical to security. Unfortunately, particularly at the application layer, organizations have almost no visibility into what attackers are doing or even the operation of their own defenses. We believe that enhancing this visibility is the key to both creating more secure software as well as protecting it against attacks.
JAXenter: How do security false positives affect production?
Jeff Williams: False positives seem harmless – just a wild goose chase that leads to code that is not insecure. And that would be true if there were just a small number of them. But traditional appsec tools can produce hundreds, sometimes thousands, of these false reports for a single application. Imagine if your portfolio has a thousand applications, and you’re constantly changing them, deploying them many times a day. How could you deal with that level of reporting – millions of false reports a day – and a few true vulnerabilities buried in that haystack?
The problem is that without significant investigation, there’s no way to tell the difference between a true positive (real vulnerability) and a false positive. So what every organization does is to verify a small subset – such as reports considered “critical” – while ignoring the rest. This whole process is insanely expensive, provides very little value, and leads to real vulnerabilities getting missed.
JAXenter: Data breaches are becoming more and more common. What are some security best practices we should all be aware of?
Jeff Williams: If you’re building web applications or web APIs, you need to take security seriously. Work out an initial threat model. Build great defenses and use interactive security testing to verify them continuously. Remember that open source components come with an obligation to keep them up to date, so build some processes around that. And use runtime protection for visibility and protection in production. Culturally, practice security in sunshine, so that everyone knows as much as possible about threats, defenses, vulnerabilities, attacks, and breaches.
JAXenter: How does DevOps intersect with security? Are more mature organizations always more secure?
Jeff Williams: Being great at DevOps makes you much better at building great software faster and more reliably. But it doesn’t necessarily mean it will be secure, unless that’s part of what you set out to build. In most organizations, even ones that are high-functioning DevOps shops, security works in a separate silo, not part of DevOps. This leads to bottlenecks, delays, and backlogs – all things that DevOps organizations try to avoid. So, unfortunately, DevOps can exacerbate appsec challenges in some organizations.
However, if you break down those silos, DevOps is the right path forward for security. Together, DevSecOps teams can be much more efficient at security, empowering developers to find and fix their own vulnerabilities without changing their process or delaying their pipelines. Ultimately, DevSecOps is the way to ensure that software organizations deliver fantastic applications without compromising speed or security.
JAXenter: On average, how much money does a successful security attack cost an organization?
Jeff Williams: We found that most organizations are experiencing more than 10 application-security-related breaches a year, and that the average breach costs more than $1m. These are stunning numbers.
JAXenter: Did any findings from the report surprise you?
Jeff Williams: The number of application-related breaches is very high… much higher than you read about in the papers. Survey participants are hacked about once a month. So we should be reading about 10+ breaches a day. But companies are not required to reveal all types of breaches. That’s unfortunate, because it makes it difficult for consumers to make smart choices about where to do their financial activity.