
18 Compliance Experts & AppSec Professionals Reveal the Biggest AppSec Compliance Mistakes

According to Verizon’s 2019 Data Breach Investigations Report, web applications are the source of about one in four data breaches, and in 60 percent of web application attacks, “the compromised web application vector was the front-end to cloud-based email servers.” Additionally, more than one in five breaches (21 percent) caused by errors can be traced back to misconfiguration of cloud platforms.

While web application security itself remains a prominent concern, the compliance consequences of inadequate web application security are growing as regulations become more stringent in response to the rising risk to sensitive user data. Today, companies must be vigilant to keep up with compliance requirements for regulations such as HIPAA, GDPR, PCI, SOC 2, and CCPA.

Application security monitoring tools like Threat Stack Application Security Monitoring help companies eliminate blind spots for better compliance. Threat Stack Application Security Monitoring detects vulnerabilities in your code and blocks attacks in real time throughout the entire application lifecycle, from development through production. A unified application security solution, Threat Stack Application Security Monitoring adds new functionality to the Threat Stack Cloud Security Platform® at no additional cost to offer full-stack security observability from the cloud management console to the application layer.

Despite a growing awareness of compliance risks and requirements, many companies make mistakes when it comes to application security monitoring that can have dire regulatory consequences. To learn more about the most common mistakes companies make with web application monitoring that can impact compliance, we reached out to a panel of compliance experts and application security professionals and asked them to answer this question:

“What’s the biggest compliance-related mistake companies are making when it comes to application security monitoring?”

Read on to learn more about the compliance-related mistakes you could be making when it comes to application security monitoring and how to prevent them.


John Colascione

@John_Colascione 

John Colascione is the Chief Executive Officer of Internet Marketing Services Inc.

“One of the biggest compliance-related mistakes companies make when it comes to application security monitoring is…”

Unnecessary risk, such as companies storing personally identifiable information they don’t even need in the database. Several times, while inspecting a client’s database, I have discovered they are storing PII that is not even necessary to have in there such as employee, staff, or customer social security numbers when it is already recorded in the company’s paper files. Why even have it in there and risk a data-breach or compromise? Often, those in a business who are responsible for this sort of preventive security review don’t even know what may or may not be inside a web or company database. This information should be reviewed from time to time. If it is not required to be inside a web- or network-based environment, get it out of there.
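The review John describes, finding out what PII actually sits in a database before deciding whether it belongs there, can be started with a simple discovery scan. The following is an added example, not code from the article or from any contributor: it walks every text column of a SQLite database and counts values that look like US Social Security numbers, including SSNs buried in free-text notes columns. The database, table names and SSN-like values are all constructed for the example.

```python
"""Added example (not part of the original article): find which database
columns hold SSN-like values so a periodic PII review can answer "what is
actually in here?" before deciding what to remove. Runs against an
in-memory SQLite database populated with constructed sample rows."""
import re
import sqlite3

# SSN shape: 3-2-4 digits with optional '-' or ' ' separators. The lookaheads
# exclude never-issued area numbers (000, 666, 900-999), group 00 and serial
# 0000. This is a discovery heuristic, not a validator: unseparated 9-digit
# numbers such as some phone numbers will also match and need a manual look.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")


def looks_like_ssn(value) -> bool:
    """True when a string value contains an SSN-shaped token anywhere."""
    return isinstance(value, str) and SSN_RE.search(value) is not None


def scan_database(conn: sqlite3.Connection, min_hits: int = 1) -> dict:
    """Return {"table.column": hit_count} for every column whose values match
    the SSN pattern at least min_hits times. Non-string values are skipped."""
    findings = {}
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            rows = conn.execute(f'SELECT "{column}" FROM "{table}"')
            hits = sum(1 for (value,) in rows if looks_like_ssn(value))
            if hits >= min_hits:
                findings[f"{table}.{column}"] = hits
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; every SSN-like value here is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (id INTEGER, name TEXT, tax_id TEXT, notes TEXT);
        CREATE TABLE orders (id INTEGER, customer TEXT, amount REAL);
        INSERT INTO employees VALUES
            (1, 'A. Example', '123-45-6789', 'n/a'),
            (2, 'B. Example', '321-54-9876', 'ssn 555-12-3456 on file'),
            (3, 'C. Example', NULL, 'no id recorded');
        INSERT INTO orders VALUES (1, 'A. Example', 19.99), (2, 'B. Example', 5.0);
    """)
    return conn


if __name__ == "__main__":
    for location, count in scan_database(build_sample_db()).items():
        print(f"{location}: {count} SSN-like value(s)")
```

Against a real database the same scan would be pointed at a read replica and extended with patterns for whatever other identifiers the business is not supposed to hold; the output is a starting list of columns to justify, minimise, or drop, which is the review the quote calls for.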


Marty Puranik

@AtlanticNet

Marty Puranik is the Founder, President, and CEO of Atlantic.Net, a profitable and growing hosting solutions provider in Orlando.

“The biggest mistake is monitoring for compliance requirements versus monitoring for actual threat assessment…”

Often, the priority is checking the box to complete compliance requirements so the project can move forward. However, after a project is in production the DevOps teams will want to have more visibility and actually see threats that may not be visible by a limited security posture that only meets the minimum compliance requirements.


Paul Gordon

Paul works in Business Development at PCG by Micro-Office Systems. He has significant work experience in both healthcare and large data system development. At Nationwide Insurance, he led technical and functional teams to develop an employee self-service portal and call center in the human resources department. He also transformed a call center operating with manual processes for 40,000 employees (operating during business hours only) to a system of automated benefits sign-up, item fulfillment, and coordinated issue resolution.

“The biggest issue we see is lack of tracking of who accessed the data…”

This is a HIPAA issue, and we are finding that while some of the PE entities know about investing in companies, they may not know about specifics of healthcare data.


Gabe Turner

Gabe Turner is the Director of Content at Security Baron. He is an attorney and journalist with a passion for home tech and secure, efficient living. Since graduating from NYU Law, he has maintained a paradoxical existence of trying to live life adventurously while remaining staunchly risk-averse.

“The biggest compliance-related mistake that companies make when it comes to application security monitoring is…”

Simply thinking that compliance is to be reviewed once and then forgotten about. Rather, compliance regulations like the State Privacy Acts, HIPAA or even customized contract requirements need to be dealt with on an ongoing basis in order to prevent security breaches.


Laura K. Inamedinova

@Inamedinova

Laura K. Inamedinova is a communication and PR consultant who operates under her personal brand, LKI Consulting. She helps companies understand what their communication goals are and what kind of communication they seek and later, if needed, implement it. She has helped crypto companies raise more than $200 million USD in total.

“The biggest compliance-related mistake is not having a security plan…”

It should be a core value of the company. According to the latest statistics, only 31 percent of employees receive proper cybersecurity training. When people are not educated enough, it could lead to cybersecurity breaches. It can be unexpected, but 72 percent of people can’t identify malware that steals financial information.

Don’t underestimate cyber threats. By not using a safe software provider for company applications, vulnerable data can be easily accessed. The security plan should also define how your employees are identified and granted access to data. All data must be encrypted and segmented, depending on the network. It’s crucial to instruct your employees on how to generate strong passwords and how to protect them (goodbye sticky notes). You can’t risk leaking all your data just because of one phishing email.


William Taylor

William Taylor is the Career Development Manager at MintResume.

“The biggest compliance-related mistake companies are making when it comes to application security monitoring is to…”

Think of it as just an IT problem, instead of a business problem. They often settle with the minimum allowable securities that will probably do the job but could be stronger. They often assume compliance based on a brief internal review and completion of a questionnaire. Due to this approach, many organizations are led into a false sense of compliance and an increased risk when the inevitable breach occurs.

Bottom line: The set it and forget it compliance approach is the biggest compliance-related mistake companies are making when it comes to application security monitoring.


Anna Andreyeva

@A1QA_testing

Anna Andreyeva is Head of Security TCoE at software testing company a1qa. With dozens of completed projects across BFSI, telecom, media and entertainment, and many other industries and extensive experience in QA, Anna manages a QA team of passionate engineers helping global customers improve software quality.

“We believe that overreliance on automated vulnerability scanning might be the problem affecting software quality…”

Though a scanner is considered a must-have security control tool, now it is not sufficient to prevent critical data leaks. The scanner cannot delve deep into the software-specific issues connected with app logic. Relying only on test automation tools, you can miss some bottlenecks or can define the ones that are not considered to be bugs at all. The wise combination of manual and automated resources might be an optimal solution to save QA resources and not to let critical vulnerabilities leak to production. Moreover, the implementation of continuous penetration testing can help mitigate security risks and discover complicated security attacks.


Lecio De Paula

@KnowBe4

Lecio De Paula is the Data Privacy Director at KnowBe4.

“The biggest compliance-related mistake that companies are making right now in regard to application security monitoring is…”

Not actively monitoring and securing their cloud apps. As the majority of apps are moving to the cloud, it’s becoming increasingly important for companies to ensure they understand the implications of migrating to the cloud. Some of the data breaches we see in the news currently are coming from cloud misconfigurations. We can see that just recently, 750,000 applications for birth certificates have been exposed due to a simple cloud misconfiguration. We are not going to see a slow-down in data breaches until companies realize that they have to consistently audit, monitor, and set standards for their cloud configurations. It’s one thing to perform a web app scan to find vulnerabilities, and it’s another to run cloud audits to ensure certain pieces are configured correctly and comply with applicable regulations.


Peter Wilfahrt

Peter Wilfahrt is a German author, entrepreneur, self-proclaimed digital native. He is also notable in the IT security industry and has been active there for over 15 years in addition to being a co-founder of various start-up companies.

“Logging is often the biggest compliance-related mistake…”

We’ve seen developers who (with the best intentions) captured all inputs to the console and were bypassing security controls by sending cleartext credentials to a central monitoring service.


Doug Barbin

@schellmanco

Doug Barbin is the Principal and Cybersecurity and Emerging Technologies Practice Leader of Schellman & Company, LLC, a global independent security and privacy compliance assessor.

“The biggest compliance mistake related to application security monitoring is…”

Not incorporating it into overall change control – or missing change control’s intent overall. In today’s world, applications are updated daily, if not more frequently. While this is reality, unfortunately many utilize Agile or DevOps methodologies to justify sloppy change management.

Three related pitfalls are:

  1. Ignoring a significant change. By increasing the frequency, many organizations state a change is not significant and forego extensive testing and change approval.
  2. When testing is minimized, key threat scenarios are skipped and over-reliance is placed on scanning tools and/or web application firewalls.
  3. This leads to ineffective monitoring. Signature-based approaches do not work for applications. Application security monitoring requires profiling of usual activity in a manner that deviations can be identified. A critical part of change control is re-running and reviewing that baseline and fine-tuning the detection algorithms. And yes – even AI requires tuning.
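Doug’s third point, that application monitoring has to profile usual activity and that the profile must be rebuilt as part of change control, is concrete enough to show in code. The following is an added example, not code from the article or from Schellman: it builds a per-endpoint request-volume baseline from a training window of access-log lines, flags a later window whose volume or endpoints deviate from it, and then shows the baseline being rebuilt from post-release traffic so a legitimately added endpoint stops alerting. The log format, endpoints and traffic figures are constructed.

```python
"""Added example (not the article's own code): a minimal behaviour baseline
for application security monitoring. Normal per-endpoint request volume is
profiled from a training window of access-log lines; later windows are
checked against it; after a release the baseline is rebuilt instead of
keeping the stale profile. All log lines and endpoints are constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def parse_line(line: str):
    # Constructed log format: "<minute> <method> <path> <status>"
    minute, method, path, status = line.split()
    return int(minute), f"{method} {path}", int(status)


def per_minute_counts(lines):
    """{endpoint: [count in minute 0, count in minute 1, ...]} for the window.
    Minutes in which an endpoint saw no traffic count as 0."""
    parsed = [parse_line(line) for line in lines]
    minutes = sorted({p[0] for p in parsed})
    counts = defaultdict(Counter)
    for minute, endpoint, _status in parsed:
        counts[endpoint][minute] += 1
    return {ep: [c[m] for m in minutes] for ep, c in counts.items()}


def build_baseline(lines):
    """Profile: per endpoint, mean and population std dev of requests/minute."""
    return {ep: (mean(v), pstdev(v)) for ep, v in per_minute_counts(lines).items()}


def detect(baseline, lines, k: float = 3.0, floor: int = 5):
    """Return [(endpoint, observed_per_minute, reason), ...].
    An endpoint absent from the baseline is a deviation in itself (new surface
    or an untracked change). Volume is flagged when it exceeds both
    mean + k*std and mean + floor, so a near-zero std dev does not alert on a
    single extra request."""
    findings = []
    for ep, counts in per_minute_counts(lines).items():
        if ep not in baseline:
            findings.append((ep, max(counts), "endpoint not in baseline"))
            continue
        mu, sigma = baseline[ep]
        for c in counts:
            if c > max(mu + k * sigma, mu + floor):
                findings.append((ep, c, f"volume {c} > baseline {mu:.1f}+/-{sigma:.1f}"))
                break
    return findings


def make_lines(minute: int, endpoint: str, n: int, status: int = 200):
    """Constructed helper: n identical log lines for one endpoint and minute."""
    method, path = endpoint.split()
    return [f"{minute} {method} {path} {status}"] * n


# Training window (minutes 0-4): steady traffic to two endpoints.
BASELINE_LINES = []
for m in range(5):
    BASELINE_LINES += make_lines(m, "GET /login", 10 + (m % 2))      # 10,11,10,11,10
    BASELINE_LINES += make_lines(m, "GET /api/orders", 20 + m)       # 20..24
BASELINE = build_baseline(BASELINE_LINES)

# Observation window after a release that added /api/export: a burst against
# /login and a new endpoint the baseline has never seen.
OBSERVED_LINES = (make_lines(7, "GET /login", 60)
                  + make_lines(7, "GET /api/orders", 22)
                  + make_lines(7, "GET /api/export", 3))

# Change control step: re-profile on post-release traffic (minutes 10-14)
# so the new endpoint becomes part of "usual activity".
POST_RELEASE_LINES = []
for m in range(10, 15):
    POST_RELEASE_LINES += make_lines(m, "GET /login", 10 + (m % 2))
    POST_RELEASE_LINES += make_lines(m, "GET /api/orders", 20 + (m - 10))
    POST_RELEASE_LINES += make_lines(m, "GET /api/export", 3)

# A later, ordinary minute of traffic.
NORMAL_LINES = (make_lines(20, "GET /login", 11)
                + make_lines(20, "GET /api/orders", 23)
                + make_lines(20, "GET /api/export", 4))

if __name__ == "__main__":
    print("against stale baseline:", detect(BASELINE, OBSERVED_LINES))
    print("normal traffic, stale baseline:", detect(BASELINE, NORMAL_LINES))
    print("normal traffic, rebuilt baseline:",
          detect(build_baseline(POST_RELEASE_LINES), NORMAL_LINES))
```

The point of the last two calls is the one Doug makes: the same ordinary traffic is an alert under the pre-release profile and silence under the rebuilt one, so re-baselining belongs in the change record alongside the code change, and the `k` and `floor` parameters are the "detection algorithm" that needs tuning after each baseline run.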


Kenny Trinh

@netbook_news

Kenny Trinh is the Managing Editor of Netbooknews.

“The biggest compliance-related mistakes companies are making when it comes to application security monitoring are…”

  1. Weak passwords and poor password management.

No matter what steps you take, if you use weak passwords, you compromise your security. Reusing passwords, sharing passwords, or using a master password are the three most common yet devastating mistakes when it comes to password management. Avoid these at all costs. To secure your data online, you need to have strong, unique passwords. A strong password primarily must be above 12 characters and include numbers, symbols, capital letters, and lowercase letters. Use a password manager to securely store all your unique passwords. It is also recommended to use multi-factor authentication to add another layer of security.

  2. Outdated software.

It’s always recommended to update application software as updates contain critical security patches. By not updating the software regularly, you are inviting cyberattacks from hackers and criminals who continuously snoop around for loopholes in your security. Refrain from using components that are known to have vulnerabilities, such as unpatched third-party software, outdated plug-ins, open-source components, etc., as they can also make the website susceptible to attacks. Regular cleaning of old and unwanted files, applications, databases, etc. is also ideal, as leaving them out can create portals for attackers.


Ian Brady

@Steadfast_AU

Ian Brady is the managing director of Australian MSP Steadfast Solutions. Steadfast Solutions provides IT Security and Compliance to a range of industries, from architecture firms to wholesale companies.

“We are seeing a lot of software vendors trying to move to…”

A SaaS/HaaS model while simultaneously trying to re-utilize their existing software’s architecture. For example, older style applications are being deployed through direct remote desktop services; some even use remote desktop directly. This is a large vulnerability. More often than not, these software vendors provide little to no information to their clients regarding their disaster recovery and redundancy systems. The general phrase given is, “We have them.”


Don Baham

@krafttechgroup

Don Baham is the President of Kraft Technology Group, LLC.

“One of the many challenges facing organizations attempting to provide secure applications to their customers and employees is…”

Simultaneously balancing security controls with the compliance requirements of laws such as GDPR and CCPA.

One of the requirements for GDPR is to adhere to the “secure by design and default” methodology. On the surface, this sounds logical and reasonable. However, this also means organizations need to process personal data in a way that can’t be attributed to a specific person such as an “online identifier.”

With CCPA, one of the definitions for personal data that organizations need to keep private is “Internet or other electronic network activity information,” yet that information is critical to log in an application security monitoring solution. Organizations need to make sure they have the ability to log actionable security event information while not violating newer data privacy regulations.
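Two of the roundup’s points meet in the same place in code: the log pipeline. Peter Wilfahrt describes well-meaning developers shipping cleartext credentials to a central monitoring service, and Don Baham describes needing to log network activity for security while not logging raw online identifiers that GDPR and CCPA treat as personal data. The following is an added example, not code from the article or from any contributor’s company, of a sanitizer applied to security events before they leave the application: secret-bearing fields and embedded credentials are redacted outright, and client IPs and e-mail addresses are replaced with a keyed HMAC pseudonym, so analysts can still correlate events from the same client while the central log alone cannot be tied back to a person. The field names, event and key are constructed.

```python
"""Added example (not the article's code): sanitize application security
events before they are shipped to central monitoring. Secrets are removed
entirely; online identifiers are pseudonymized with a keyed HMAC so the log
stays correlatable without storing raw personal data. Rotating the key
breaks linkage across periods by design. Event and field names constructed."""
import hashlib
import hmac
import re
from typing import Any

# Field names whose values are credentials and must never be logged.
SECRET_KEYS = {"password", "passwd", "secret", "token", "authorization",
               "api_key", "cookie", "set-cookie"}
# Field names that hold online identifiers to pseudonymize rather than drop.
IDENTIFIER_KEYS = {"client_ip", "email", "user_id"}
REDACTED = "[REDACTED]"

# Credentials embedded in free-text messages, e.g. "password=hunter2" or
# "Authorization: Bearer eyJ...": keep the key name, drop the value.
EMBEDDED_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|token|api[_-]?key|authorization)"
    r"(\s*[:=]\s*)(?:bearer\s+)?\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def pseudonymize(value: str, key: bytes, length: int = 16) -> str:
    """Stable keyed pseudonym: HMAC-SHA256 of the value, truncated to hex."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def sanitize_text(text: str, key: bytes) -> str:
    """Redact embedded credentials, then pseudonymize embedded identifiers."""
    text = EMBEDDED_SECRET_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)
    text = EMAIL_RE.sub(lambda m: "email:" + pseudonymize(m.group(0), key), text)
    text = IPV4_RE.sub(lambda m: "ip:" + pseudonymize(m.group(0), key), text)
    return text


def sanitize_value(name: str, value: Any, key: bytes) -> Any:
    lname = name.lower()
    if lname in SECRET_KEYS:
        return REDACTED
    if lname in IDENTIFIER_KEYS and isinstance(value, str):
        return pseudonymize(value, key)
    if isinstance(value, str):
        return sanitize_text(value, key)
    if isinstance(value, dict):
        return sanitize_event(value, key)
    if isinstance(value, list):
        return [sanitize_value(name, v, key) for v in value]
    return value  # numbers, booleans, None pass through unchanged


def sanitize_event(event: dict, key: bytes) -> dict:
    """Return a copy of the event that is safe to ship to central logging."""
    return {k: sanitize_value(k, v, key) for k, v in event.items()}


# Constructed demo key: in production this comes from a secret store and is
# rotated on a schedule, which also limits how long pseudonyms stay linkable.
KEY = b"constructed-demo-key-rotate-me"

# Constructed event, written the way an over-eager debug log might emit it.
SAMPLE_EVENT = {
    "ts": "2020-01-01T00:00:00Z",
    "event": "login_failed",
    "client_ip": "203.0.113.7",
    "email": "alice@example.com",
    "password": "hunter2",
    "headers": {"Authorization": "Bearer abc.def.ghi", "User-Agent": "curl/7.0"},
    "message": "login_failed for alice@example.com password=hunter2 from 203.0.113.7",
    "attempts": 3,
}


def sanitized_sample() -> dict:
    return sanitize_event(SAMPLE_EVENT, KEY)


if __name__ == "__main__":
    print(sanitized_sample())
```

The check worth keeping from this is the one in the tests: after sanitizing, the raw secret and the raw identifiers must not appear anywhere in the serialized event, while the same client still maps to the same pseudonym inside one key period. That is what lets a monitoring solution keep “electronic network activity information” useful for detection without the central log itself becoming a store of personal data.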


Tim Uittenbroek

@VPNMash

Tim Uittenbroek is the Founder of VPNMash.com. He is a serial entrepreneur who since getting out of the “rat race” in late 2015 has built multiple seven figure online businesses. His greatest passion is experiencing the feeling of taking an idea from its infant stage and turning it into a profitable business.

“Compliance basically refers to a state of the application in which it meets with specific standards and regulations…”

These standards can be GDPR or PCI DSS related, but meeting these standards does not necessarily ensure that your application will remain secure. To maximize the protection along with security compliance, you need to include information security vulnerability testing, continuous assessment, and remediations. You should incorporate complete lifecycle management services for database security. Relying merely on security compliance might put your company’s data at risk.


Aviram Jenik

@aviramj

Aviram Jenik is the CEO of Beyond Security. Aviram has 17 years of experience in the Computer Security field. From the early days of computer viruses, he was interested and involved in the fields of encryption and security vulnerabilities detection and research. He worked as a programmer, team leader, and project manager in several startups before co-founding Beyond Security in 1999.

“One of the biggest compliance-related mistakes companies make when it comes to application security monitoring is…”

Looking only at the extremes. For many companies, application security monitoring means either drinking from the fire hose, monitoring everything, or giving up and connecting the proverbial printer directly to the paper shredder, ignoring everything. Neither approach is correct. Even though most compliance mandates are very general when it comes to application monitoring, the actual monitoring should be practical (i.e., you should know what you are monitoring and why, and actually look at the results in a way that is actionable). This not only fulfills the compliance need in the proper way but also adds a valuable security tool to your toolbox.


Victor Fredung

@FredungVictor

As a seasoned fintech innovator, Victor has multiple years of experience in the payment sector. He is currently CEO of Shufti Pro, an AI-based verification service provider that focuses on providing reliable and smooth customer onboarding services to businesses worldwide.

“One glaring mistake that I can point out is the…”

Failure to automate compliance procedures and detection of non-compliance events. Not only does this ensure that regulatory requirements are addressed fully, but streamlining solutions provide better data analysis and reduce manual efforts by 50 percent. In the long run, it translates into business productivity and millions of dollars saved in operational benefits. Delayed risk identification may lead to large scale security breaches and lost cybersecurity investments.


Chad Hill

Chad Hill is the CMO of Hill & Ponton, a national law firm that helps disabled veterans get the right compensation for injuries that happened while serving in the military.

“One of the biggest compliance-related mistakes companies make when it comes to application security monitoring is…”

Not knowing that there are local, state, federal AND international laws that can apply when it comes to compliance for application security monitoring. You may be complying on a local level, but if you’re missing something on a national level, you can still be audited and fined.


Will Ellis

@PrivacyAUS

Will Ellis is an IT security consultant and founded Privacy Australia in an effort to help everyday people protect their privacy and data. He also invests in cryptocurrencies and studies history.

“A big mistake that a lot of companies make when it comes to application security monitoring is…”

Regulating the amount of data which is being directed from one point to the other. If monitored too much, you can lose useful data, and in contrast, not monitoring enough can cause threats to find their way into your system more easily. It’s important to find a midpoint which allows you to stay secure and manage the flow of data correctly, while still getting visibility on enough valuable data. In addition, I feel that companies need to take alternate security measures in conjunction with their ASM systems. Anti-ransomware or anti-malware protection is a great example of this, as it not only allows for a further layer of protection, but also allows for real-time updates which notify you of issues which may not have been caught as quickly with many ASM systems.