Q&A: Doug Dooley of Data Theorem Talks Launch of Web Secure, Its Benefits, and Protecting Modern Web Apps

This week, Data Theorem launched its full stack application security analyzer to prevent data breaches across modern web and cloud services – the solution is called Web Secure.

To find out more about the release, its benefits, and what the company has coming next, CloudCow spoke with Doug Dooley, chief operating officer at Data Theorem.

CloudCow:  It has been more than six months since we’ve last spoken.  What has Data Theorem been up to?

Doug Dooley:  Data Theorem continues to accelerate its growth particularly around customer adoption, revenue and profitability. We have also been fortunate to become the top AppSec vendor and partner by spend for several of our customers based on their usage of our product suite covering API, cloud and mobile application security. Our expanded product portfolio started in 2018 is really paying off now.

Data Theorem also achieved availability on Google Cloud Marketplace (GCP Marketplace), delivering to customers our differentiated API security solutions that enable them to uniquely automate continuous API security analysis and vulnerability inspection on Google Cloud.

Over the past six months, the industry has also recognized Data Theorem’s innovation and unique value delivered to customers. Most significant is that we were recognized in the 2020 list of Cool Vendors in the “Cool Vendors in API Strategy” report published by Gartner. Other industry recognitions we received since we last spoke include being named the Most Promising Company in Application Security by Cyber Defense Magazine (an award we won at the RSA Conference), earning the Business Intelligence Group’s 2019 Product of the Year Award, and being recognized as a Trust Award finalist in the Best Mobile Security Solution awards category of the 2020 SC Awards. 

CloudCow:  Tell me about this new solution you are launching to protect modern web apps.

Dooley:  We are launching a product we call Web Secure, the industry’s first full-stack application security analyzer that delivers vulnerability analysis for modern web applications from the web-layer at the top all the way down to its embedded APIs and cloud resources. This means that DevOps and security teams can improve web application security testing for issues that have plagued the industry for years by both identifying and helping remediate potential data breaches in modern web applications, also known as Single-Page Applications (SPAs).

CloudCow:  Why is it so difficult to protect these modern web apps?

Dooley:  These issues are extremely prevalent because most businesses use modern applications such as SPAs to deliver richer web experiences and better outcomes for customers. When building and deploying modern web applications using the latest JavaScript frameworks, web applications are extremely difficult to secure, one reason being that they are constructed like mobile applications with dozens of backend API operations, which by the way has been Data Theorem’s security area of expertise since its founding in 2013.

Modern web applications are increasing cloud-native built on ephemeral infrastructure and microservices that have no persistent concept of operating systems to install security agents nor static network chokepoints to place gateways and firewalls. The security industry has been highly dependent on software security agents and network proxies to provide monitoring overlays for critical applications. These past tools and technique are consistently failing to provide adequate protection and coverage in current web application architectures. Organizations these days are looking for more effective approaches to protect their SPAs built natively in the cloud.

CloudCow:  Aren’t there already solutions out there doing this?

Dooley:  To protect existing modern web applications organizations often turn to a variety of traditional tools, scanners and web crawlers, as well as manual pen testers and consultants – methods which do not keep pace with required Agile software development speed.

The current generation of web security tools in use today are really a different breed than Data Theorem’s Web Secure. These current solutions are poorly suited to address these newer application frameworks, APIs and cloud microservices that are the underpinnings of these modern applications. All we have to do is look at all of the application data breaches over recent years, some of the most well-known being at Capital One, US Postal Service, and First American Financial. Organizations and attackers alike have known about these issues for years, but despite that fact vulnerabilities in modern web applications built in the cloud have been widely unaddressed, due in part to the full-stack nature of the attacks.

CloudCow:  Speaking of current solutions available, didn’t Data Theorem already launch something along these lines last year?

Dooley:  Data Theorem did release its first set of features around SPA protection in September of 2019. This new solution we are now launching builds on that foundation, and provides a number of industry-first capabilities for customers, that I mentioned earlier. As a next-generation release, Web Secure is powered by Data Theorem’s award-winning Analyzer Engine, and introduces a new type of dynamic and run-time analysis that is fully integrated into the CI/CD process to help customers secure their modern web applications.

CloudCow:  What are some of the key benefits organizations can realize with your new Web Secure solution?

Dooley:  Overall, Web Secure enables organizations to conduct continuous, automated security inspection and remediation of their modern web applications. The product provides several new automated hacking security toolkits that help customers understand the impact of vulnerabilities and exploits up and down the application stack, including SPA SQL injection, SPA XSS protection, and Toxic Tokens.

Auto-remediation delivered in our Correct & Protect security toolkit makes it easy for customer to automatically fix problems, such as leaky APIs with sensitive PII data being exposed publicly. Additionally, Correct & Protect can automatically enable authentication on Amazon S3 buckets connected to critical applications exposing data publicly. We have auto-remediation policies for sensitive application messaging queues and private key exposures. Our mission with auto-remediation is to provide “safety rails” for the full-stack of an application so its public data exposure does not occur when it’s clearly against a customer’s policy.

CloudCow:  Can you describe a typical customer for this new solution?

Dooley:  The typical customer is an organization which has web applications from 2015 or later and continues to build them, and is likely creating high-performance SPAs using modern JavaScript frameworks such as React and Angular. Organizations like this have struggled to find automated security analysis and remediation tools for their SPAs. The new Web Secure product is fully automated with no need for outside consultants to make it work. Also, Web Secure was built for SPAs with integration support using common CI/CD tools using the Agile process. Lastly, customers who have used Data Theorem Mobile Secure product over the past five years will feel right at home using this new Web Secure product to protect their SPAs.

CloudCow:  And I can’t let you go without asking, what can we expect to see from Data Theorem during the second half of 2020?

Dooley:  We are excited about some significant partnerships that we have been working for the past year that will help expand our reach globally. Also, there is another major product announcement coming but we will provide more the details when we are closer to a public launch.

CloudCow:  It has been great speaking with you.  Anything you want to add or leave our readers with before we wrap up?

Dooley:  Web Secure helps to round out our AppSec portfolio to protect organizations from data breaches with application security protection for modern web frameworks, API-driven microservices and cloud resources.

Organizations’ frustration has reached an all-time high due to the lack of quality security tools to support these new frameworks. Also, the need for full-stack application security analysis is another gap that we hope to address – and keep it continuous and automated, meaning no consultants and manual pen-testing needed.

With this launch, Data Theorem has broader AppSec coverage with mobile apps, cloud-driven APIs, and now modern web applications.

##