Security is tricky for many companies since security is still somewhat complicated compared to the level of talent you can hire, and the amount of software needed to run an enterprise.
The solution is to have security controls that cross cut entire enterprises and give operators a place to control them, however what we have today is just a jumble of different solutions that consist more of blocking access rather than allowing the business to run securely.
It seems reasonable not to operate a business that you can't operate according to minimum standards. For example, you wouldn't run a construction company without a properly trained builder on staff.
Does "properly trained" include training to build buildings that cannot be brought down or otherwise compromised by sustained targeted attacks using the latest tools available? Most homes can be burnt down with $20 of gas and a lighter; should we consider the builders of those homes to be improperly trained?
Of course not, because that's the company's core competency. A better analogy is running a construction company without quarterly software security audits. Because if that list of clients along with contact info gets leaked, that could be a GDPR violation.
>Security is tricky for many companies since security is still somewhat complicated compared to the level of talent you can hire, and the amount of software needed to run an enterprise.
Still we see databases with no password made accessible on the internet; maybe it is time that you don't employ someone that has no training at all, or offer a training program. Say, if your developer needs to use TodaysCoolDb, then have him trained on how to use it instead of him copy-pasting the hello world from a webpage.
The amount of money you invest in your data security should be proportional to the data you collect, so collecting less will help you or investing more into security training and auditing your own systems.
At a higher level, the hard part is for companies to realise data is a liability - one they have been ignoring for too long while reaping the benefits and letting users suffer breach after breach.
> Security is tricky for many companies ... The solution is to have security controls that cross cut entire enterprises and give operators a place to control them
This is definitely an area worth tackling, and one where multiple companies are recently growing. That's not the only issue though.
Security has many levels and the landscape is historically filled with opaque practices and prices. That does not entice people to go forward with security audits or solutions.
We've seen improvements on tooling with SAST but active security is largely pattern-based WAF or at the network level. This has poor signal/noise ratio and can't protect against more advanced attacks that target above the network layer (including HTTP).
Recent developments target more knowledge of the application and the business logic itself. Facebook itself for example has internal tools to detect data leaks. Being inside the application is much more useful because they don't just see data flying by but have knowledge of context and call sites, which allows them to register malicious calls on the spot, protect just in time (even against zero days because you hinge on behaviour), and show the exact line of code (including the call stack) where the vulnerability lies, allowing them to surface and fix it, or even virtual patch the vulnerability live.
> however what we have today is just a jumble of different solutions that consist more of blocking access rather than allowing the business to run securely.
The goal of ASMs is precisely to solve that: those tools are kind of APMs like New Relic or Datadog, only geared towards security. Big names like Facebook or Google have their own internal tools, but a couple of independent solutions have emerged already, and I think that having those companies around is going to be a shift that will benefit everyone's security in the long run, due to their accessibility and ease of use compared to previously existing solutions.
Of course, here are some Application Security Management platforms: Signal Sciences, Contrast Security, and as you may have guessed, Sqreen, where I work.
(We have a culture of transparency, faith in our product and our vision, and are hell-bent on improving security for everyone because it's desperately needed, so no, I'm not afraid to name competitors)
Feel free to ask me anything here, on our Intercom support channel, or via email if you're so inclined!
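As an added illustration of the in-application approach described in the comment above (knowledge of the call site, behaviour-based detection, and a call stack pointing at the offending line), here is a toy Python monitor. It is not code from this thread or from any of the products named; the class and function names (`InAppMonitor`, `sql_shape`, `find_user`) and the sample table are constructed for the example. The idea it demonstrates: a WAF only sees HTTP bytes, whereas a hook inside the application sees the final SQL string together with the line that issued it, so it can learn the query's "shape" (literals replaced by placeholders) per call site and report, or refuse, a call whose structure differs from what that call site has always produced.

```python
"""Toy in-app security hook (constructed example): learn the SQL shape per
call site and flag a query whose structure changes, with the call stack."""
import re
import sqlite3
import traceback
from dataclasses import dataclass, field

# String literals ('...' with '' as the escaped quote) and numeric literals are
# replaced by '?', so "name = 'alice'" and "name = 'bob'" share one shape while
# "name = 'x' OR '1'='1'" does not.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def sql_shape(sql: str) -> str:
    shape = _LITERAL.sub("?", sql)
    return re.sub(r"\s+", " ", shape).strip().lower()


class BlockedCall(Exception):
    """Raised in block mode when a query deviates from its call site's baseline."""


@dataclass
class SecurityEvent:
    site: tuple            # (file, line, function) that issued the query
    expected: str          # shape learned for this call site
    observed: str          # shape of the query just attempted
    query: str
    stack: list = field(default_factory=list)


class InAppMonitor:
    def __init__(self, block: bool = False):
        self.block = block      # False: observe and report; True: virtual patch (refuse the call)
        self.baseline = {}      # call site -> first SQL shape seen there
        self.events = []

    def execute(self, conn, sql: str, params=()):
        # The frame just outside this method is the application line that built the query.
        caller = traceback.extract_stack()[-2]
        site = (caller.filename, caller.lineno, caller.name)
        shape = sql_shape(sql)
        expected = self.baseline.setdefault(site, shape)   # first call learns the baseline
        if shape != expected:
            self.events.append(SecurityEvent(site, expected, shape, sql,
                                             traceback.format_stack()[:-1]))
            if self.block:
                raise BlockedCall(f"query shape changed at {site[0]}:{site[1]} ({site[2]})")
        return conn.execute(sql, params).fetchall()


def build_db():
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def find_user(mon: InAppMonitor, conn, name: str):
    # Deliberately unsafe string formatting, standing in for legacy code the hook wraps.
    return mon.execute(conn, f"SELECT name, email FROM users WHERE name = '{name}'")


def run_demo(block: bool = False) -> dict:
    conn = build_db()
    mon = InAppMonitor(block=block)
    find_user(mon, conn, "alice")        # learns the baseline shape for this call site
    find_user(mon, conn, "bob")          # same shape: nothing reported
    try:
        rows = find_user(mon, conn, "x' OR '1'='1")   # literal alters the query structure
    except BlockedCall:
        rows = None
    return {"rows": rows, "events": mon.events}


if __name__ == "__main__":
    result = run_demo(block=False)
    for ev in result["events"]:
        print(f"deviation at {ev.site[0]}:{ev.site[1]} in {ev.site[2]}")
        print(f"  expected: {ev.expected}\n  observed: {ev.observed}")
        print("".join(ev.stack))
```

In monitor mode the third call still returns both rows but produces one event whose `site` names the exact file, line and function, and whose `stack` is the full call chain; flipping `block=True` turns the same rule into a virtual patch that refuses the call before the database sees it. Keying the baseline on the call site rather than on a global signature list is what lets the rule fire on behaviour it has never seen, without a pattern for the specific payload.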