Application security is maturing, but independent testing is crucial

Skills shortage is making shift to continuous appsec testing challenging.

While application security (appsec) is firmly on the radar, most organizations still have a way to go before they can be confident about how secure their apps are. DevOps is accelerating the speed of development and, coupled with the shift to the cloud, it’s creating many challenges for appsec. Breaking down walls between security, development and business units is easier said than done, and the security skills shortage persists.

A world of continuous development requires continuous testing, but that’s far from a reality for most organizations. In fact, 10% of respondents to the SANS 2017 State of Application Security report admit they aren’t doing any security testing at all, 24% are relying on testing once a year or less, and just 12% are testing on a continuous basis. This has to change.

The security landscape is shifting

While organizations can easily find foundational best practices, such as those published by OWASP (the Open Web Application Security Project), those practices are just a foundation. The potential attack surface for most companies is growing rapidly and security teams are struggling to keep up with the pace of change. A wave of new public-facing web applications and cloud services must be balanced with existing custom and legacy apps.

The SANS report found that 15% of organizations had experienced a breach in the past two years, and, alarmingly, 21% don’t know whether they experienced a breach in which applications were the source. We know how costly data breaches can be, so it’s vital to address appsec properly to prevent it from becoming the weak link in your defenses.

Mitigating the skills shortage

It’s clear that there’s a shortage of skilled cybersecurity professionals. As many as 45% of organizations claim to have a problematic shortage of cybersecurity skills, according to ESG research, and 49% of cybersecurity professionals are solicited to consider other cybersecurity jobs at least once per week.

This has led many organizations to shift the security testing burden onto development teams. In fact, the number of development teams tasked with security testing has increased from 22% in 2015, to 51% in 2017, according to the SANS report. Deeper analysis reveals that teams with the most rapid development procedures are finding fewer vulnerabilities. The worry is that this is because their testing is superficial, so as not to interfere with fast feedback cycles.

Without proper training and under pressure to deliver code quickly, there’s a real risk that developers are failing to test application security as thoroughly as they should. Temporary hires, such as virtual CISOs, should be considered as a way to plug the gap and train internal staff properly. But third-party testing by experts is still vital for proper appsec and should not be dispensed with lightly.

Trust and verify

Without proper testing your security program is a wish list. If you want to fold security into the DevOps mix and achieve DevSecOps, then you must build cross-functional teams, apply security principles from day one of development, and foster a culture of genuine collaboration. Security cannot take a back seat because of deliverable deadlines or fear that modifying code will break the app.

It’s important to consider whether training overloaded development and engineering teams and making them more responsible for security is really the best route to take. Even if you do take that path, you still need to engage an external third party with no vested interest in your app to verify that your security measures are working as intended. There’s simply no substitute for the kind of expert, cutting-edge penetration testing that a dedicated, external cybersecurity firm can provide.

Appsec improving

While the pursuit of speed in development has thrown up some fresh challenges, there are also some welcome advantages with regards to remediation. The SANS report found that 41% of serious or critical vulnerabilities are now fixed within a week and 75% are fixed within a month. In 2016, only 66% were fixed within a month, so that’s a positive trend.

As silos are pulled down, collaboration increases, and more security testing is automated, we should see tangible improvements in application security, but third-party testing will remain a vital piece of the puzzle for the foreseeable future.

This article was originally posted on CSOOnline.

8 Cybersecurity Trends to Watch for in 2018

New challenges and threats will face IT departments in the year ahead.

As we stand on the threshold of another year, the war for our cybersecurity rages on. There have been many data breaches in 2017, most notably for Equifax, Verizon, and Kmart. But if you seek a silver lining in the cloud, perhaps you’ll be glad of the news that the global average cost of a data breach is down 10 percent over previous years to $3.62 million, according to the Ponemon Institute.

Sadly, the average size of a data breach increased nearly two percent. Clearly there’s still plenty of work to do. Here are some of the trends, challenges and threats that await us all in 2018.

1. Ready for the General Data Protection Regulation (GDPR)?

If your preparations for the European Union’s new GDPR, which sets out how companies should process, store, and secure the personal data of EU citizens, are not complete, or at least well underway, then you had better get moving. The GDPR will be enforced from May 25, and infringements can provoke fines of up to 20 million euros ($23.6 million at the time of writing) or 4% of the total worldwide annual turnover of the preceding financial year.

There’s speculation about what will happen when the regulation comes into force, but the question of precisely how much non-compliance with the GDPR will cost will be answered soon. There’s every chance the first few transgressions will result in punitive examples. We expect many organizations to be scrambling to adapt before May.

2. AI and machine learning can boost cyber defenses

As artificial intelligence and machine learning gather pace, and start to impact more and more industries, they are sure to play a bigger role in cybersecurity. Because the battle with cyber criminals moves so quickly, machine learning models that can predict and accurately identify attacks swiftly could be a real boon for InfoSec professionals. In the year ahead, these models need to be trained and honed. However, there is also a risk that AI and machine learning may be exploited by attackers.

3. Be proactive about ransomware

Ransomware has been a growing threat for the last few years, but it continues to claim high profile victims. It’s not yet clear what everyone learned from the WannaCry ransomware attacks, but we hope that it highlighted the need to back up regularly, keep patching and updating systems, and strengthen your real-time defenses. If organizations took these simple steps, we could dramatically reduce the impact of ransomware.

4. Handling data breaches gracefully

It may prove impossible to eradicate data breaches completely, but every organization has the power to lessen the blow by handling the aftermath correctly. Equifax gave us a masterclass in how not to handle a data breach earlier this year. By delaying disclosure, misdirecting potential victims, and failing to patch a known vulnerability, it made a bad situation much worse. We can only hope this proves instructive for others in the year ahead.

5. The IoT is a weak link

We’re rolling out more and more sensor-packed, internet-connected devices, but the Internet of Things remains a major weak point for defenses. All too often these devices lack basic security features, or they aren’t properly configured and rely upon default passwords that can give attackers easy access. This in turn is giving rise to botnets, which can be used for volumetric attacks, to exfiltrate stolen data, to identify further vulnerabilities, or for brute force attacks. We need to properly secure the IoT or it will continue to be a big issue in 2018.

6. There’s still a skills shortage

The dearth of skilled cybersecurity professionals continues to be a major problem for many organizations. Even with average InfoSec salaries soaring, there are thousands of vacant positions. This is leading many companies to engage external cybersecurity services and virtual CISOs. We expect to see more outsourcing as employers try to find a way to fill the skills gap.

7. Developing a common language

While the specter of multiple threats looms, there are also positive developments in the cybersecurity realm, not least the creation and adoption of things like NIST’s Cybersecurity Framework. As more organizations and cybersecurity experts come together to develop a common language, our collective defenses grow stronger.

8. Patching and application testing

It’s not shiny or new or exciting, but it should still be top of mind. The number of data breaches in 2017 that were made possible by known vulnerabilities and a sluggish approach to patching is horrifying. It’s not enough to identify problems – you must act. Application testing falls into the same bucket, in that it’s too often ignored. If you don’t test your security, then you don’t know how secure your application is. If everyone put a fresh effort into patching and app testing in the coming year, we would see a dramatic drop in data breaches.

This article was originally posted on CSOOnline.

Michelle Drolet profiled in Boston Voyager

Today we’d like to introduce you to Michelle Drolet…

Thanks for sharing your story with us Michelle. So, let’s start at the beginning and we can move on from there.

As founder of Towerwall, I have to say my proudest moment was when I sold my company and then… I rebought it! I remained active on the board and when I realized the direction the new owners were taking I decided to make a bid and buy it back, three years after selling it.

I was an Army brat. My family was always on the move. Born in Ohio, I lived in 13 different states and attended three different high schools in my junior year alone. I became secretary of my class even though I arrived halfway through the school year. That was in Kansas. The experience made me more of an outgoing, “it’s okay to accept change” kind of person. Then I graduated from Northeastern with a BS degree in criminal justice and political science. I was always intrigued with getting the bad guys.

Overall, has it been relatively smooth? If not, what were some of the struggles along the way?

When I started my company in 1999, I needed a CTO to run the technology and services side. At the time, my husband was CIO at a biotech firm. I wrote him an offer letter, kind of tongue in cheek, but I was serious because I knew Larry would make a good addition to our team.

I put the letter on his pillow and didn’t say a word. I was asking him to quit his job, take a pay cut, and be subordinate to his wife. On top of that, I added, “Some days I won’t be able to pay you because we have to make payroll for employees first.” And that actually came to pass, more times than I care to remember. I tapped him on the back and said, “Hey, you’re not getting paid this month.”

That was a struggle on two fronts, both financially at home and in our relationship. Yet somehow we remain married! The other difficult aspect of running a company is employee relations. Helping people to realize that they might not be the right fit and then helping them find a new place to live or work. That’s the hardest part, keeping people too long. It becomes a disservice to both parties. Today we have the right team in place and feel blessed, and balanced.

Towerwall – what should we know? What do you guys do best? What sets you apart from the competition?

Towerwall is a provider of information security services with clients like Middlesex Savings Bank, Becker College, CannaCare, and Smith & Wesson. What sets us apart is that we’re not “one size fits all.” We specialize only in certain parts of InfoSec and call upon our partners who specialize in other areas, such as in forensics.

We offer vulnerability management and penetration testing for networks and applications. We also do architectural reviews. We’re quite good at helping organizations define what their risk tolerance is. We walk them through a security crisis, then together we build security strategies and programs.

I’m proud of founding the annual Information Security Summit hosted by Mass Bay Community College. I’m delighted to have received citations from State Senators Karen Spilka and David Magnani for our community service. Twice we have received a Cyber Citizenship award for community advocacy. We’re also involved with the School-to-Career program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

If you had to start over, what would you have done differently?

Would I have done things differently? No, not really. Everything happens for a reason. If it were easy, everyone would do it. Sometimes I took steps forward, sometimes I went backward. Sometimes I took steps sideways. I believe in keeping a positive attitude. Never looking at the negative but seeing the positives in a failure. Because nobody can win all the time. Not even Tom Brady or Chris Sale!

This article was originally posted on Boston Voyager.

Webinar: Second Nature Security: More Secure Networks through Behavior Modification, Security Awareness and Training

Join us for our second live webinar:

Second Nature Security: More Secure Networks through Behavior Modification, Security Awareness and Training

Wednesday, December 13, 2017   |   12:00 PM EDT – 1:00 PM EDT

Join us for a vCISO roundtable discussion featuring:

Michelle Drolet, Founder & CEO of Towerwall

Greg Neville, vCISO & Sr. Security Consultant, Towerwall

Register Now