The industry is seeing a rapid rise of new applications built with modern tools. And in this industry, Data Theorem is a leading provider of modern application security. The company's core mission is to analyze and secure any modern application -- anytime, anywhere. VMblog recently had the opportunity to speak with Doug Dooley, Data Theorem's chief operating officer, where we learned more about the company and their technology, as well as major trends affecting modern apps and security, the growth of serverless and more.
VMblog: This is the first time we've spoken. To kick things off, can you give us a brief background on Data Theorem?
Doug Dooley: Yes, I would be happy to. Data Theorem was founded back in
2013 by Himanshu Dwivedi, who is a 20+ year veteran in the security industry
going back to his days as a security researcher at @stake. He is one of the
co-founders of iSEC Partners, and is an author of six security hacking books.
Data Theorem was founded to analyze and secure any
modern application, first starting with mobile applications, APIs, SPAs, and
now serverless apps. We started by building our Analyzer
Engine which is the industry's only solution that allowed companies to
build safer apps that protected data better by
applying dynamic run-time analysis on a continuous basis in search of security
flaws and data privacy gaps. Also, we delivered an open-source SDK
called TrustKit in 2015, which enables
companies to build safer apps that protect data better from SSL
Man-in-the-Middle attacks.
Today we are the company that analyzes and secures any modern application - anytime and
anywhere - with our advanced AppSec functionality expanding beyond mobile apps.
Data Theorem offers the industry's
first automated API discovery and security inspection solution aimed at
addressing API security threats introduced by today's enterprise serverless and
microservices applications.
VMblog: Why did the company evolve from just securing mobile apps to modern app protection last year? What did it take to do this?
Dooley: The industry is seeing a rapid rise of new applications
built with modern tools such as Amazon Lambda, Google Cloud Functions and Azure
Functions, which allow developers to build applications at scale with less
infrastructure complexity and lower costs. However, these new apps often have
API services such as mobile SDK access for analysis and information retrieval
that enable unintended data loss due to outdated TLS encryption support and
lack of proper authentication and authorization policies. These services also
allow for rogue APIs to be used without proper enterprise security vetting,
called Shadow APIs, that go undetected by traditional security tools such as
gateways, proxies, and firewalls.
To do this, we had to deliver a continuous, fully automated
analyzer that could discover and inspect APIs on a broad scale no matter where
they were created, modified, or published. Our analyzer can discover and
inspect APIs that our customers create and use in public clouds, private API
gateways, mobile apps, single page apps, microservices, and even serverless
applications.
VMblog: How has the evolution been, and have you seen an uptake now that you have expanded your capabilities? Why do you think that has been?
Dooley: Yes, we have seen significant interest in our new solutions
beyond just mobile, now protecting all modern applications. This is because the
rate of change for developers with today's modern applications has accelerated
due to automation, agile development processes, and DevOps efficiency. However,
organizations are realizing these practices have introduced a new wave of
threats unaddressed by today's security automation tools. Organizations have
been looking for new solutions to protect their apps while not slowing down the
DevOps process.
VMblog: With the growth of APIs, microservices, and serverless apps, what are some of the major security issues for enterprises you are seeing, and how do you help?
Dooley: There are some interesting challenges with these new APIs.
One of them is this concept of Shadow APIs we have been discussing. Because
most of these applications are now being built with a microservices
architecture, organizations have these smaller, reusable pieces of software
that ultimately support an enterprise application built on serverless.
Most of these microservices are interconnected with one
another through a communication via API, typically RESTful APIs. Whether these
RESTful APIs are viewed as publicly consumable or private, to be used only to
interconnect microservice fabric, either way, once it's on the public cloud it
is inherently accessible and available to any attacker or to any potential
malicious software. One of the things that's starting to happen for enterprises
is they don't know what they don't know on the number of APIs that are being
published and consumed by these modern applications using serverless.
This is a new challenge from a discovery perspective, to
find all of these Shadow APIs that exist in enterprise environments. That's one
of the new interesting challenges for security when developers are using
serverless functions.
Data Theorem's API Discover and API
Inspect are powerful API security tools that together address security concerns
such as Shadow APIs, serverless applications, and API gateway cross-check
validation by conducting continuous security assessments on API authentication,
authorization, encryption, availability, and overall data exfiltration concerns.
With API Discover and API Inspect, users can automate API discovery and security inspection seamlessly into their DevOps practices and continuous integration/continuous delivery (CI/CD) processes to protect any modern application, including microservices and serverless apps.
VMblog: Many of our readers are busy with virtual containers and Kubernetes orchestration. However, we're hearing a lot about the growth of serverless, e.g. Lambda and Cloud Functions, in the public cloud. With all these big changes happening in virtualization, what are some approaches to securing these environments?
Dooley: Virtual containers and Kubernetes have been top-of-mind for
some DevOps teams, but many developers are designing their applications and new
features with Amazon Lambda, Microsoft Azure Functions, and Google Cloud
Functions. When developers choose serverless, they are essentially stating three
things: (1) we want to write code and see it working as quickly as possible;
(2) we don't want to be bothered with the complexities of servers, databases,
and virtual container management; and (3) we don't want to pay for idle time
when our apps are not being used. As a result, the major cloud providers have
taken on this burden of infrastructure management on behalf of these app
developers by giving them cloud functions.
What the cloud providers have not taken on is making sure
developers build applications that adhere to a business's own security and
compliance policies. That is still the responsibility of the security and
development teams who build these new cloud-native applications.
To secure these serverless and cloud-native applications,
we recommend focusing on your data and how it flows across all of your
applications. The most common way data flows and gets breached and stolen by
attackers in modern applications (mobile, web, microservices, etc.) is through
their APIs. If you have a comprehensive and continuous API security framework
that has been automated across your CI/CD workflows, then you are well ahead of
most organizations.
VMblog: What are some of the data privacy and compliance risks with serverless infrastructure? Can you share any advice, and how can Data Theorem help?
Dooley: These new function-as-a-service (FaaS) capabilities in the
public cloud make it much easier for developers to build modern applications
quickly. However, serverless apps are extremely challenging for security teams
who attempt to use legacy technologies such as API Gateways and Web Application
Firewalls to manage and secure these modern APIs.
API Discover is a continuous automated discovery service
that finds new APIs, any changes to known APIs, and other cloud services
related to these APIs within customers' public cloud infrastructure
environments such as Amazon Web Services (AWS). These APIs are discovered on a
continuous basis by the Data Theorem Analyzer Engine.
API Inspect is a continuous automated security service that
finds potential vulnerabilities in the authentication, authorization, and
encryption layers of Internet-facing APIs based on their respective definitions
and API specification. These APIs are inspected on a continuous basis by the
Data Theorem Analyzer Engine. This service provides a policy-based alerting
system to help protect customers when problems arise due to changes in an API's
functional operation that differs from its API specification.
VMblog: What major trends do you see this year around modern apps
and security?
Dooley: Serverless applications will surpass applications
built in virtual containers. In 2017, Docker reached 24 percent adoption while Lambda
reached 23.5 percent adoption among AWS customers. Yet, the adoption rate of
serverless and cost savings are dramatically better than what virtual containers
can offer. Amazon, Google and Microsoft are all pushing serverless because it's
easier and cheaper for their customers. Also, once apps are built using
serverless frameworks, there's potentially a higher switch-over cost to go from
one cloud to another. Brand loyalty is something every subscription service is
hoping to achieve. Amazon, Google and Microsoft are strengthening their
offerings with serverless in the cloud which helps any size business build
mobile and modern web apps faster with less overhead.
That being said, and with everything discussed
earlier, security within DevOps will still remain an afterthought for most
businesses.
The practices of Agile and DevOps are being adopted widely among mainstream
businesses. The practice of automated security for DevOps, aka DevSecOps, is
almost nowhere to be found. Applications are being updated in production on a
weekly and even daily basis, where in the past it would happen only a few times
annually. Today the most innovative companies have started to integrate
security into their DevOps practices. However, the traditions of most IT
security teams remain at odds with successful DevOps teams. As a result, we
will have to wait until 2020 and beyond before DevSecOps - automated security
integrated into DevOps - is a common practice.
VMblog: What can we expect to see from Data Theorem here in 2019?
Dooley: Our development, support and
engineering teams are built out and fairly mature, but we just started building
out some of our business functions such as marketing and sales. As we scale out
our operations, we will start to reach more customers faster, especially those
outside of the US.
VMblog: It's been great speaking with you, anything we missed as we
wrap up?
Dooley: We love giving customers a free
test-drive of our Analyzer Engine using their publicly available mobile apps
and APIs. These demos are easy for us to do and customers tend to be surprised
by what our Analyzer Engine can find on the initial evaluation, without having
to give us any information or do any work. We encourage anyone curious to see
how the Data Theorem platform works to sign up for a quick demo at https://datatheorem.com/demo to get a test-drive.