<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title> &#187; Application Security</title>
	<atom:link href="http://dedicatedhosting.com/tag/application-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://dedicatedhosting.com</link>
	<description></description>
	<lastBuildDate>Wed, 02 Jun 2010 12:29:04 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Application Development on Dedicated Hosting Platforms Requires Security Policies and Collaboration</title>
		<link>http://dedicatedhosting.com/2009/11/application-development-on-dedicated-hosting-platforms-require-security-policies-and-collaboration/</link>
		<comments>http://dedicatedhosting.com/2009/11/application-development-on-dedicated-hosting-platforms-require-security-policies-and-collaboration/#comments</comments>
		<pubDate>Sun, 22 Nov 2009 16:26:28 +0000</pubDate>
		<dc:creator>Alan Weinkrantz</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cloud Hosting]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Dan Cornell]]></category>
		<category><![CDATA[Denim Group]]></category>
		<category><![CDATA[OWASP]]></category>

		<guid isPermaLink="false">http://dedicatedhosting.com/?p=15</guid>
		<description><![CDATA[According to Dan Cornell, Principal and CTO of Denim Group, in a dedicated hosting environment you have more control over the environment that you will be building your applications on.  However, it’s important to also realize that the code you are developing has to be secure as well as the infrastructure components that they are [...]]]></description>
			<content:encoded><![CDATA[
<p>According to <a href="http://www.denimgroup.com/about_team_dan.html">Dan Cornell</a>, Principal and CTO of <a href="http://www.denimgroup.com">Denim Group</a>, a <a href="http://www.serverbeach.com/">dedicated hosting</a> environment gives you more control over the environment you build your applications on. However, it’s important to realize that both the code you are developing and the infrastructure components it sits on top of have to be secure.</p>
<p><span id="more-15"></span></p>
<p>Cornell also urges application and security teams to collaborate more closely to ensure successful and secure software development initiatives, and to check out <a href="http://www.owasp.org/index.php/Main_Page">OWASP</a>, whose mission is to make application security <a href="https://www.owasp.org/index.php/Category:OWASP_Video">visible</a>, so that <a href="http://www.owasp.org/index.php/Industry:Citations">people and organizations can make informed decisions</a> about true application security risks.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="640" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/fR0UvalYfbE&amp;hl=en_US&amp;fs=1&amp;rel=0&amp;hd=1" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="640" height="385" src="http://www.youtube.com/v/fR0UvalYfbE&amp;hl=en_US&amp;fs=1&amp;rel=0&amp;hd=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p><strong>Raw Transcript</strong><br />
This is the raw transcript of the video, in case you need it:</p>
<div style="border: 1px solid #000000; padding: 5px; width: 600px; height: 500px; overflow-y: scroll;">
<p>Denim Group with Alan Weinkrantz</p>
<p>Dan: Well the important thing to understand is that in a dedicated hosting environment you have a lot more control over the environment that you’re going to be building or deploying these applications on.  And so that’s great because it gives you freedom to do a lot of different things, but it’s also important for you to understand that this code you’re developing, that has to be secure, but also the infrastructure components that it sits on top of – those have to be properly secured as well.  So it’s important to pay attention to, again, patch management, to making sure that the services, that your application servers and things of that nature are configured in a secure manner so that your infrastructure as well as the code that you’re writing is appropriately secure.  Really the best place to get started looking at application security or looking for application security resources is the Open Web Application Security Project or OWASP – www.owasp.org.  And what OWASP is it’s an organization that is dedicated to helping organizations create secure software, appropriately secure software, and spreading information and awareness about these potential issues.  You know the really interesting security things that are happening these days are all happening at the application level, so looking at security and the code that you’re writing, security for the code that you’re deploying – that’s been the case for a couple of years and I think that trend is going to continue as organizations go to take their application security efforts up to the next level.  We’re also seeing now that the economy is starting to thaw a little bit, organizations are coming out of their shells a little bit, whereas the focus used to be like “what is the absolute minimum amount of money that I can spend in order to address compliance issues,”  you know, whatever compliance requirements they have.
Folks are now starting to come out of their shells a little bit and say well let’s make sure we’re actually addressing risk associated with the software that we’ve got, with the infrastructure, and so rather than a very narrow focus on compliance it’s now coming back around to be focused on risk, which is great.  Also, you know what we’ve seen is organizations kind of coming out of the downturn, as things start to thaw out a little bit, they’re not super excited about having a bunch of hardware internally so they’re looking into things such as dedicated hosting in order to provide the hardware infrastructure that they need, and the configurability and control that they need, but not necessarily something that they have to have in-house.</p>
<p>Alan: So Dan, you know, in wrapping things up one of the other things that you brought up in our discussions was you almost have two different camps.  You have the security camp, you have the application developers’ camp, and sometimes the two don’t quite meet.  And one of your areas of expertise is helping and facilitating these two areas to work together as teams, and how… what are your suggestions for application teams, security teams, to work together in a dedicated hosting environment?</p>
<p>Dan: Alright in the application development world the CIOs are familiar with, they understand the risk, but the people who actually have to fix the problems, the software developers, they don’t report to the CIO.  They report up through, you know, a development organization, you know potentially they report up through different lines of business, and the developers are not necessarily incented or rewarded for how secure they make things, they’re rewarded for features, functions, and timelines, so it is a really challenging thing for a lot of organizations to understand, is how do they get these groups talking to one another.  Because what the security folks are finding on their side are vulnerabilities, but those need to be communicated to the development teams as software defects.  If I’m in development… if I’m a developer I can either build a fancy new feature or I can fix security vulnerabilities.  Either of those activities is going to take… is going to take time out of my day, and so it’s important for security groups to be able to work with their development teams, to communicate their needs from a compliance side, from a risk side, and for the software developers to be able to work with them, and say “Well here is the budget that we have that we’re going to allocate to addressing our exposure to these risks.”  You know, as with a lot of things it’s all about communication, and it’s all about making sure that these two different groups that often have different aims are put in a situation where they can work together to successfully address the issues that come up.</p>
<p>Alan: Well thank you Dan this has been very informative.  How do our viewers find you on the internet?</p>
<p>Dan: Well we’re www.denimgroup.com, that’s our website, and you can follow me on Twitter I’m @danielcornell.</p>
<p>Alan: Thank you for your time today.</p>
<p>Dan: Thank you.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://dedicatedhosting.com/2009/11/application-development-on-dedicated-hosting-platforms-require-security-policies-and-collaboration/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
	</channel>
</rss>

