AUTHOR Q&A: New book, ‘Hackable,’ suggests app security is the key to securing business networks

The cybersecurity operational risks businesses face today are daunting, to say the least.

Related: Embedding security into DevOps.

Edge-less networks and cloud-supplied infrastructure bring many benefits, to be sure. But they also introduce unprecedented exposures – fresh attack vectors that skilled and motivated threat actors are taking full advantage of.

Adopting and nurturing a security culture is vital for all businesses. But where to start? Ted Harrington’s new book Hackable: How To Do Application Security Right argues for making application security a focal point, while laying out a practical framework that covers many of the fundamental bases.

Harrington is an executive partner at Independent Security Evaluators (ISE), a company of ethical hackers known for hacking cars, medical devices and password managers. He told me he wrote Hackable to inform folks oblivious to the importance of securing apps, even as corporate and consumer reliance on apps deepens.

Here are excerpts of an exchange Last Watchdog had with Harrington about his new book, edited for clarity and length:

LW: Why is it smart for companies to make addressing app security a focal point?

Harrington: Software runs the world. Application security is the soft underbelly to almost all security domains, from network security to social engineering and everything in between. Yet, application security is a misunderstood field, and is plagued by false promises that it can be done easy, quick and cheap — primarily through automated tools. Alas, none of that is true. By focusing on appsec, companies will be able to understand risk, reduce it, and convert their investment into a competitive advantage.

LW: What are a few other top security domains that deserve high priority; and how do they intersect with app security?

Harrington: Two other big, concerning domains are vendor security management and cloud security. Both of these fall under the umbrella of supply chain. Let’s use ice cream as a metaphor. Let’s say you care about eating organic; this is what governs your grocery shopping list, the questions you ask at restaurants, and even your budget.

Well, how do you know if the company you buy your organic ice cream from is actually making it consistent with the principles of being organic? What if they don’t realize they’re doing it wrong, or worse yet, what if they’re lying to you? Now replace ice cream with security, and that’s what most companies are struggling with when it comes to managing the risk introduced by their vendors.

Cloud security is like the vanilla ice cream that is the base of your hot fudge sundae. That’s like the cloud platform, such as Amazon Web Services, Google Cloud Platform, or Microsoft Azure. Each of these promises to deliver you certain parameters of a secure platform. But it’s just the baseline.

What you build on top is entirely up to you. AWS, GCP, and Azure promise to deliver a secure platform, but don’t promise that just by using them you’ll be secure. That’s up to the company building on top of them. However, many companies — especially smaller startups — assume they’re secure just because they’re using these providers.

Along with app security, you have to do vendor risk-management, which includes managing the risk introduced by all of the apps that a given company licenses or subscribes to. And you also need to ensure that the applications your organization uses that leverage cloud services do so in a secure manner.

LW: Work, school and home digital environments shifted dramatically in 2020. Can you characterize how this has added urgency for companies to get app security right?

Harrington: This was one of the silver linings of the pandemic, for two reasons. First, it forced companies to accelerate adoption of remote working solutions. It forced them to think about their own threat model, and how to adapt to change. Second, it forced security into the consciousness of every employee across the company. They really started to understand why it matters and how it impacts them.

LW: What’s the biggest myth you run into about app security?

Harrington: There are tons of them. Security is a business issue and leadership issue, not just a technical issue. Let’s focus on the business justification. This is what currently blocks companies from getting security right, and is also where there is enormous opportunity for those who can figure this out.

Most companies view security as a tax. They see it as a cost to minimize. They don’t know how to prove success in security. And they often see it as a box-checking exercise. Instead, companies should recognize that security delivers a competitive advantage.

LW: That makes sense, but that kind of messaging rarely comes through in the marketing of cybersecurity solutions.

Harrington: Companies that license or subscribe to software products want those products to be secure. Yet most companies selling software products struggle to get security right, and even those who do get it right struggle to prove it.

So, almost all buyers want X, and yet almost no one can give them X. If your company can deliver X, it is enormously differentiating. It puts you in the small group who can give the customer what they want.

X is doing security right, and then being able to prove it. When you can do those things, you obtain a competitive advantage that helps you win sales, faster.

LW: Doing anything right is never easy. Moving forward, what’s going to compel companies to embrace the best practices you’ve outlined in Hackable?

Harrington: You nailed it, the right way is often the hard way. My goal with Hackable was to help people solve problems I knew how to solve, especially given that the conventional approaches to those problems tend to be backwards. Hopefully, aligning those solutions to the business justification will help companies obtain the support they need to get this done the right way.

In addition, the security community will continue to advocate for ideas like these. Eventually, the message will resonate at scale. Right now, only progressive companies are capitalizing on security as a competitive advantage. But given that it is such a compelling advantage, others will follow suit eventually, once they realize how badly they’re missing out.

After all, security isn’t just the right thing to do; it also makes sound business sense. The combination of those factors is what will compel people to eventually do security right.

LW: Anything else?

Harrington: I’d just note that security can feel complex, overwhelming and probably way too expensive. It might not even be your whole job! Acknowledge and accept those feelings, but also feel this: you’re not alone.

What’s the best way to remedy that unpleasant sensation? Just get started. Start by striving to get better every day, and then get yourself a security expert to help you. If they’re the right partner, the rest will fall into place.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: