One reason this problem persists is the cycle of DevOps and the expansion of open source, noted Curphy. “A lot of systems grow up in Shadow IT,” he said.
Because many of these Shadow IT systems are not developed in-house, their security is unreliable, and “managing these libraries of things that need to be constantly patched is really problematic,” Curphy said.
“A developer builds a piece of software or consumes someone else’s open source, and there’s lots of magic that happens behind the scenes,” Curphy said. “It’s very tough for a human to track it and the vulnerabilities associated with it.”
As the environment changes, so will the targets for hackers.
“User data is going to be the ultimate goal for all hackers. Hackers will try to find a way to get that data, and to defend you have to be as close as possible to the data and the application,” said Bellanger.
As more business is conducted online, it also becomes a more attractive target, because the data involved has become valuable to attackers. Bellanger said, “Health care records are the highest paid records on the black market.”
As commercial companies move from the old credit card swipe to the EMV chip, a new class of hackers is evolving. Bellanger said, “Point of sale assaults are now shifting to the application. More people will focus on hacking online.”
Even though enterprises have not yet felt the pain of breaches needed to push security to the top of everyone’s priority list, many developers and security professionals are looking for ways to gain more visibility and control across their ecosystem, so as not to become the company whose breach costs it far more than a mention in the headlines.
“The application ecosystem has always been protected behind the network, but that wall is going to crumble,” said Bellanger. “Now applications are most likely in multiple data centers or clouds, and you can’t build protection for the application.”
The more enterprises build, the more developers and the more information security people they need, Bellanger noted. “There are not enough people focusing on security whether they are builders or defenders, so we have to start automating more,” he continued.
Curphy argued that the security professionals, developers, and defenders are all only beginning to understand the enormity of the fragmentation issue.
“The typical company is relying on 20,000 to 30,000 software libraries. To track that is a tough task in this day and age. Heartbleed is a great example. For many companies, it’s a matter of spending time on the code they write versus the code they consume,” said Curphy.
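Curphy’s point about the code a company consumes rather than writes, as an added example that is not from the article or from anyone quoted in it: a small Python check that parses a pinned dependency manifest and matches each library against a list of known-vulnerable version ranges, which is the basic operation behind an automated dependency inventory. Every package name, version and advisory id below is a constructed placeholder; a real run would read the organization’s own manifests and a published advisory feed.

```python
"""Dependency inventory check for the "code you consume" problem.

Added example, not from the article or anyone quoted in it. It parses a
pinned dependency manifest and matches each library against a list of
known-vulnerable version ranges, the way an advisory feed would be used.
Every package name, version and advisory id below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first patched version, exclusive
    advisory_id: str


# Constructed manifest in requirements.txt style (name==version).
SAMPLE_MANIFEST = """\
# constructed sample manifest; comments and blank lines are ignored
CryptoLib==1.0.1
webframework==2.3.0
jsonparser==0.9
imagelib==4.1.2
"""

# Constructed advisory feed with placeholder ids.
SAMPLE_ADVISORIES = [
    Advisory("cryptolib", "1.0.0", "1.0.2", "ADV-PLACEHOLDER-001"),
    Advisory("jsonparser", "0.9.0", "0.9.5", "ADV-PLACEHOLDER-002"),
    Advisory("imagelib", "3.0.0", "4.0.0", "ADV-PLACEHOLDER-003"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.0.2' into (1, 0, 2); only plain dotted integers are supported."""
    return tuple(int(part) for part in text.strip().split("."))


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed. Short versions are padded
    with zeros so that '0.9' compares equal to '0.9.0'."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t: tuple[int, ...]) -> tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def parse_manifest(text: str) -> dict[str, str]:
    """Map lower-cased package name -> pinned version. Comments, blank lines
    and lines without an exact '==' pin are skipped, since an unpinned
    requirement cannot be checked precisely."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def find_vulnerable(pins: dict[str, str], advisories: list[Advisory]) -> list[dict]:
    """Return one finding per (package, advisory) match, with the fix target."""
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is None:
            continue  # library not consumed by this manifest
        if version_in_range(version, adv.introduced, adv.fixed):
            findings.append({
                "package": adv.package,
                "installed": version,
                "advisory": adv.advisory_id,
                "upgrade_to": adv.fixed,
            })
    return findings


def check_sample() -> list[dict]:
    """Run the check over the constructed manifest and advisory feed."""
    return find_vulnerable(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for f in check_sample():
        print(f"{f['package']}=={f['installed']} matches {f['advisory']}; "
              f"upgrade to {f['upgrade_to']}")
```

Two design points matter in practice: the upper bound of each range is exclusive, so the first fixed version is never flagged, and unpinned requirements are deliberately skipped rather than guessed at, because a manifest that does not pin versions cannot tell you which code is actually deployed. The Heartbleed case Curphy mentions is the shape this check is built for: a single widely consumed library where the remediation is a version bump that every consumer has to discover and apply.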
The evolution of SaaS and the transition to the cloud have caused a shift in architecture for many enterprises. While the cloud is not a fixed attack surface, it represents a shift in environment.