This week I spoke with three security gurus – Dave Farrow, Senior Director Information Security, Barracuda, Alvaro Hoyos, Chief Information Security Officer at OneLogin, and Gene Meltser, Security Architect, Sophos – about their current application security challenges and how they overcome them.

Together we explored three specific challenges that security organizations, as well as organizations with complex technologies and highly-sensitive data, face regularly.

Challenge 1: Cybersecurity Resource Challenges

It’s no secret that organizations are appsec resource-constrained. There are an estimated one million unfilled cybersecurity jobs in the United States, and budgeting within appsec and infosec continues to be a challenge (you can learn more about these challenges in our recent ‘2017 CISO Investment Blueprint’ Report).
How are our speakers overcoming this challenge?
  • A lot of companies are turning inward when it comes to DevSecOps (DevOpsSec / SecDevOps), training employees to promote better security processes throughout the organization, and building security into the software development lifecycle.
  • Additionally, by bridging the gap between builders and breakers through training programs, we can get better at recognizing and preventing vulnerable code.
  • Bug bounties act as a force multiplier, augmenting existing resources by providing valuable data to engineering teams and allowing them to dig deep into the SDL while the crowd delivers continuous testing to identify vulnerabilities much quicker than traditional methods.
  • Bug bounties can also help disseminate information across a larger attack surface, identify potential systemic gaps, and take advantage of a crowd of researchers with a much broader set of skills than resource-constrained internal teams, who are often ill-equipped to identify every possible type of attack.

Challenge 2: Complexity of Technologies and Highly Sensitive Data

Security organizations, as well as companies in other complex verticals such as financial services and healthcare, have the burden of managing complex technologies and products, as well as protecting highly-sensitive data. As related to the previous challenge, it is increasingly difficult to receive consistent security coverage across specific or specialized areas and technologies.
How are our speakers overcoming this challenge?
  • Today companies need to do more with less, and with development processes becoming more agile, companies are pushing out secure and high-quality products faster than ever. To do this successfully, companies have to ensure the builders and the breakers are on the same page.
  • Fast and consistent feedback is crucial here. Bug bounties provide both depth and breadth, covering complex attack surfaces that most organizations couldn’t achieve with internal teams or with traditional penetration tests alone.
  • With continuous development and release cycles, it’s hard to prevent and detect vulnerabilities across growing attack surfaces; bug bounty programs help organizations realize this as well as give developers prioritized bugs to work into their daily workflows.

Challenge 3: Difficulty in coverage at scale

As companies get bigger, develop more products, and implement more open source, third-party software, and microservices, traditional security testing methods struggle to provide the breadth of security coverage these organizations require.
How are our speakers overcoming this challenge?
  • In a time when automation only goes so far, consultants can’t adequately scale, and internal resources are constrained, organizations are harnessing the power of the crowd to implement continuous feedback loops throughout the SDL, from assessing risk to incident response.
  • By engaging the security community at scale, organizations receive more continuous coverage and can utilize internal security resources to focus on deeper areas.
  • The findings surfaced through bug bounty programs help organizations continuously address vulnerabilities as they come in, reducing the potential for a breach while providing ample reaction time.


To hear the full discussion, listen to the on-demand webinar.