Date post: 25-Jun-2020

App Security: How Do You Know You’ve Got It Right?

EXECUTIVE ROUNDTABLE
Sponsored by Veracode

Agenda

5:30 – 6:00 p.m. Registration & Networking

6:00 – 7:00 p.m. Product Briefing
• Nick Holland, Director, Banking and Payments, Information Security Media Group
• Anu Subramanian, VP of Engineering, Veracode
• Joe Leonard, CISO Evangelist

7:00 – 8:30 p.m. Distillery tour & tasting. Dinner and drinks to follow.

8:30 p.m. Program Concludes


Introduction

Increasingly, organizations across all industries are using applications to attract new customers and conduct business. But cybercriminals are aware of these lucrative channels and are continually looking for ways to exploit them. So how do organizations know if their application security is sufficient to protect their business from data breaches? And how do they know if their code contains exploitable vulnerabilities?

This exclusive executive briefing on App Security: How Do You Know You’ve Got it Right? will provide answers to these and other critical questions.

Guided by insights from Anu Subramanian, vice president of engineering at event sponsor Veracode, and Joe Leonard, the company’s CISO evangelist, this invitation-only event will also draw upon the experiences of the attendees, who will describe how they have deployed application security strategies within their enterprises. Among the discussion topics:

• How are you ensuring the security of your applications in order to protect your critical data and brand?
• How do you even know if your application security program is effective?
• How has your organization integrated app security in its DevOps process?

You’ll have the opportunity to discuss the topic with a handful of senior executives and market leaders in an informal, closed-door setting, from which you will emerge with new strategies and solutions you can immediately put to work.


Discussion Points

Among the questions to be presented for open discourse:

• What types of attacks are you commonly seeing via the application layer today?

• How are you ensuring the security of your applications in order to protect your critical data and brand?

• How do you even know if your application security program is effective?

• How is today’s threat landscape changing around application security?

• What are CISOs most frequently missing when it comes to application security?

• What are the greatest risks if an organization gets it wrong?

• How has your organization integrated app security in its DevOps process?

• How do you know if your organization’s application security program is effective? How should you be measuring this?


About the Experts

Joining our discussion today to share the latest insights and case studies are:

Anu Subramanian
Vice President of Engineering, Veracode

Subramanian is responsible for dynamic and data engineering. She has over 20 years of experience in building and leading diverse engineering teams at companies that span the spectrum from start-ups to Fortune 100 companies. She has built v1.0 products and has scaled products through their maturity cycle.

Joe Leonard
CISO Evangelist, Veracode

Leonard is the founder and chief executive officer for CISO advisory services, which provides business development services to manufacturers and focuses on how to get better product adoption in the marketplace. He has over 40 years of industry experience and has a diverse background working at value-added resellers, a web hosting services provider, an internet services provider, a cellular communications firm and the U.S. Army.

About Veracode

Veracode is a leader in helping organizations secure the software that powers their world. Veracode’s SaaS platform and integrated solutions help security teams and software developers find and fix security-related defects at all points in the software development lifecycle, before they can be exploited by hackers. Our complete set of offerings helps customers reduce the risk of data breaches, increase the speed of secure software delivery, meet compliance requirements and cost-effectively secure their software assets – whether that’s software they make, buy or sell.

Veracode serves more than 2,000 customers across a wide range of industries, including nearly one-third of the Fortune 100 and more than 20 of Forbes’ 100 Most Valuable Brands.


About the Moderator

Leading our discussion today is:

Nick Holland
Director, Banking and Payments, Information Security Media Group

Holland, an experienced security analyst, has spent the last decade focusing on the intersection of digital banking, payments and security technologies. He has spoken at a variety of conferences and events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine, The Economist and the Financial Times. He holds an MSc degree in information systems management from the University of Stirling, Scotland.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.

For more information, visit www.ismg.io.


NOTE: In advance of this event, ISMG’s Nick Holland spoke about application security with Veracode’s Anu Subramanian and Joe Leonard. Here is an excerpt of that conversation.

Changing Landscape

NICK HOLLAND: How is today’s threat landscape changing around application security?

ANU SUBRAMANIAN: The number of applications is increasing, which expands the attack surface and creates more opportunity for criminals and nation-states to attack. The OWASP Top 10 – 2017 – lists the 10 most critical web application security risks:

• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Controls
• Security Misconfigurations
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging & Monitoring

Each risk has details broken out for: Is the application vulnerable? Also offered are example attack scenarios, tips on how to prevent it, and references, both OWASP and external.

What’s Missing?

HOLLAND: What are CISOs most frequently missing when it comes to application security?

LEONARD: They’re missing developing a strategy with policies, procedures and guidelines for application security throughout the organization. In many organizations, testing is being performed on a subset of applications, and the testing isn’t comprehensive or continuous.

In addition, security testing results are scattered among multiple security tools and it is hard to make risk decisions for the business. This leaves tremendous gaps in the security posture that make the organization vulnerable to an attack.


Greatest Risks

HOLLAND: What are the greatest risks if an organization gets it wrong?

SUBRAMANIAN: Getting it wrong can lead to a data breach, which has significant costs for legal fees, professional services, fines, penalties and brand reputation damage.

Some organizations never recover from a breach and go out of business. Other organizations have had executive leadership changes at the top as a result of the breach and the damage it caused to the brand.

What keeps a CISO up at night? Getting it wrong. The question is always asked, “Have I done all the right things to protect the organization?”

Measuring Effectiveness

HOLLAND: How do you know if your application security program is effective? How should you be measuring this?

LEONARD: In order for the security program to be effective, your organization must be able to track application Key Performance Indicators (KPIs) that are relevant to your business. These application KPIs should be tracked monthly and be reported to show the security program improvements that have been made and areas that should be addressed to improve the overall security posture and reduce risks.

The KPIs that are developed need to be relevant to business risk for the most critical assets.

It is important to have the executive team engaged in the KPI monthly reviews so they understand the risks and what remediation needs to be done to reduce the organization's business risks. In addition, there should be reporting that goes to the board so they understand the application risks so they can make the proper investments to protect the organization.

Adequate Protections

HOLLAND: How do today’s companies ensure security of applications in order to protect critical data and brand reputation?

SUBRAMANIAN: The best approach to securing your applications is using a layered application security testing approach that uses Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Analysis Security Testing (IAST), Software Composition Analysis (SCA) and penetration testing. The results of all the testing are centralized in a dashboard so the organization can make risk decisions based on business relevance.

Components of application security testing:

• Static Application Security Testing (SAST)
  • White box security testing
  • Analyzing the binary without executing the application
  • Finding vulnerabilities early in the SDLC
• Dynamic Application Security Testing (DAST)
  • Black box security testing
  • Analyzing application run-time vulnerabilities
  • Finding vulnerabilities toward the end of the SDLC (more expensive to fix)
• Software Composition Analysis (SCA)
  • Analyzing open source libraries
  • National Vulnerability Database (NVD)
• Interactive Analysis (IAST)
  • Analyzing running application code for security vulnerabilities
• Penetration Testing
  • Black box security testing
  • Some vulnerabilities cannot be found with automated tools.
  • Some industry regulations require penetration testing.
• Centralized SaaS portal
  • Centralizing all application security testing to one dashboard
  • Providing the ability to enumerate risks and make better risk decisions

No one testing approach covers everything, so different testing methodologies are required to identify vulnerabilities or software flaws.

Key Advice

HOLLAND: What is the one key piece of advice you’d share with today’s security professionals when it comes to application security?

LEONARD: Security should be integrated into business and enable success for governance, compliance and improving business outcome. Understand the business and how you can help protect the organization.


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io


Contact

(800) 944-0401 • [email protected]
