Interview with Marc Shinbrood, President and CEO, Breach Security

Marc Shinbrood has more than 30 years of experience in information technology with the last 10 years dedicated specifically to the computer security industry.

What do you see as the biggest online security threats today?

Large organized underground groups of hackers targeting unsuspecting organizations with web applications that access core business data. They have created underground marketplaces for illicit goods, including credit card numbers, privacy information, email accounts, etc. These groups perfect their techniques and target specific organizations. These groups have also begun online extortion by either threatening Denial of Service attacks or encrypting some critical piece of data on a corporate server.

What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?

Most organizations have invested in a network security infrastructure with firewalls and intrusion detection systems to provide protection against network attacks. At the same time, organizations are building a web presence for their customers, business partners, and prospects. These web applications are all different and expose their own unique set of vulnerabilities that cannot be protected by network security. One of the biggest challenges for organizations is to balance the need for access to these applications with the need to protect against targeted web attacks.

Since communications for web applications flows through the network firewall, if security is not in place at the application layer the organization may have data leakage through the web application without their knowledge. Web applications, and if exploited could result in a highly publicized identity theft incidents.

Gartner Group has stated that over 75% of successful attacks against organizations have exploited vulnerabilities in web applications. Hackers attacking web applications are able to circumvent network security and gain access to an organization’s crown jewels, their customer data.

In your opinion, has the phenomenon known as Web 2.0 increased security awareness when it comes to web application security?

Web 2.0, the Web as a platform, has significantly increased the complexity of web applications as they grow to incorporate multiple components and integrate with other parts of the infrastructure (like databases and authentication systems). These multi-tiered applications have included security as a component of the application infrastructure, however the integration of all this disparate technologies has introduced more complexity than can be addressed by network security.

In addition, the stateless nature of the Internet and the potential vulnerabilities around ensuring the identity of an individual participating in a Web 2.0 enabled site is becoming more important since the on-line identity and personalized information inherent in the Web 2.0 sites relies on the ability of the user community to have trust in the underlying web application.

What are the biggest challenges organizations face when planning to improve web application security?

The biggest challenge for organizations is the sheer number of web applications that are in production. These applications have critical business value but have not been designed for security. As regulatory compliance audits and the risk of significant security breaches drive organizations to secure these applications, they are overwhelmed by the size of the task and the difficulty in implementing secure coding principles.

Where do you see the current security threats your products are guarding against in 5 years from now? What kind of evolution do you expect?

Web application threats will evolve as network security attacks have in the past, and web application security will be considered a necessary component for all web applications. That is, hackers will begin to exploit complex vulnerabilities resulting from multiple interactions between applications and devices within the network infrastructure.

As individual applications and devices are protected it will be their interactions that lead to the next level of attack, and organizations will need to plan and protect their critical web application assets.