Application Security: Do I need it?
In a recent developer roundtable discussion XQ held on August 17, 2021, our Head of Corporate Development, Kelby Price, and Zero-Trust expert Junaid Islam spoke with a group of senior developers on their thoughts about application security.
Question: What we want to know is are you, as a developer, tasked with security? And how important is security to you?
The following is an excerpt of the conversation asking developers on their thoughts on the importance of applying security into their applications.
Let’s take a look at some of the highlights from our discussion:
Kelby (24:00):
...Security to be embedded into the very fabric of your technology. What we want to know is are you, as a developer, tasked with security? And how important is security to you? Because right now they're very siloed. And what we want to do is enable you as developers to actually not have to pass that software onto a security developer. So we'd love to kind of hear some feedback. I will go around the virtual room from there. We will go on R. Bowers. Would you mind providing your feedback on DevSecOps and whether you think that that's a growing field, and then also in terms of your responsibilities. Historically, developers develop software and pass it off to security. What we're looking to do is enable you to actually manage security from the ground level up.
Ben Hoffman (24:56):
Yeah. I have to basically provide audit and logging to a security team so they basically want you to see files that they have to be able to scoop up, or I have to send them into their system.
Kelby (25:10):
So, that is really interesting. So audit is something that you are tasked with, at least enabling the network, so that you can pull all that information. [inaudible 00:25:22], would you mind speaking a little bit about one of the really big value props of XQ? Because we split every data packet into smaller packets, every time that data, anything happens to it, it's logged. And so from a compliance and audit perspective, we really are providing a lot of value to various different regulatory bodies and auditing bodies. [inaudible 00:25:47], could you speak a little bit more about that?
Junaid (25:49):
Yeah. If you saw Brian flip through his screens, you may have missed it, but one of the things he showed was that every transaction is logged from a zero trust perspective. So, zero trust is a very specific logging model. It's NIST 800, I think it's 171, which says you have to show where's the data encrypted, who did the encryption, where's the data gone, how many attempts were there to unlock the data. So, that is the zero trust model. And it's a little bit different than the standard kind of logging that you get with Splunk. So, XQ has integrated that into the engine itself so that you can't actually do something without it being logged. So, instead of like doing things and then worrying about it being logged, and is it logged or not, it's kind of fully integrated in.
Junaid (26:49):
So, one of the goals in developing a zero trust stack is to actually simplify the compliance part. So that is, no matter what you're doing, whether it's an accounting program or a smart energy, even if you don't need the compliance level logging, that is actually built into zero trust. So, one of the things we're trying to do, and again, it's a developer concept, is to stay... We're not just trying to catch up with the people who make boxes. My software, whatever my software is, whether it's an accounting software or video software or space communication software, it's got the full stack of features to support regulations and compliance built in, right? It's this notion: security is built in or secure by design, not just the cryptography, but the compliance. And that's the kind of thing.
Junaid (27:48):
So, one of the things we're looking for, as we work with developers, and as Brian showed, all our tools are execute tools that are online for free. So I'd encourage, after this call, for you to poke around. And the idea is that we'd be having another one of these calls in a little while, and hopefully if the group wants, they can be on a regular basis, where things you like, and more importantly, things you don't like, you share with everybody. And then we just get better and better as a team, and we just make your trust more integrated.
For general information, head over to our website:
XQ’s Github:
https://github.com/XQ-Message-Inc
XQ's Zero-Trust Data protection:
For developers, access our developer portal on our website:
https://xqmsg.co/developer-portal
XQ’s API Platform:
https://xqmsg.co/dashboard-api
To speak with a representative for more information about XQ, contact us at: Support@xqmsg.com