Q&A: Doug Dooley on Data Theorem Evolution, Serverless Technology, Data Privacy, Trends and More
May 6, 2019
The industry is seeing a rapid rise of new applications built with modern tools. And in this industry, Data Theorem is a leading provider of modern application security. The company’s core mission is to analyze and secure any modern application — anytime, anywhere. We recently had the opportunity to speak with Doug Dooley, Data Theorem’s chief operating officer, where we learned more about the company and their technology, as well as major trends affecting modern apps and security, the growth of serverless and more.
CloudCow: This is the first time we’ve spoken. To kick things off, can you give us a brief background on Data Theorem?
Doug Dooley: Yes, I would be happy to. Data Theorem was founded back in 2013 by Himanshu Dwivedi, who is a 20+ year veteran in the security industry going back to his days as a security researcher at @stake. He is one of the co-founders of iSEC Partners, and is an author of six security hacking books. Data Theorem was founded to analyze and secure any modern application, first starting with mobile applications, APIs, SPAs, and now serverless apps. We started by building our Analyzer Engine which is the industry’s only solution that allowed companies to build safer apps that protected data better by applying dynamic run-time analysis on a continuous basis in search of security flaws and data privacy gaps. Also, we delivered an open-source SDK called TrustKit in 2015, which enables companies to build safer apps that protect data better from SSL Man-in-the-Middle attacks.
Today we are the company that analyzes and secures any modern application – anytime and anywhere – with our advanced AppSec functionality expanding beyond mobile apps. Data Theorem offers the industry’s first automated API discovery and security inspection solution aimed at addressing API security threats introduced by today’s enterprise serverless and
CloudCow: Why did the company evolve from just securing mobile apps to modern app protection last year? What did it take to do this?
Dooley: The industry is seeing a rapid rise of new applications built with modern tools such as Amazon Lambda, Google Cloud Functions and Azure Functions, which allow developers to build applications at scale with less infrastructure complexity and lower costs. However, these new apps often have API services such as mobile SDK access for analysis and information retrieval that enable unintended data loss due to outdated TLS encryption support and lack of proper authentication and authorization policies. These services also allow for rogue APIs to be used without proper enterprise security vetting, called Shadow APIs, that go undetected by traditional security tools such as gateways, proxies, and firewalls.
To do this, we had to deliver a continuous, fully automated analyzer that could discover and inspect APIs on a broad scale no matter where they were created, modified, or published. Our analyzer can discover and inspect APIs that our customers create and use in public clouds, private API gateways, mobile apps, single page apps, microservices, and even serverless
CloudCow: How has the evolution been, and have you seen an uptake now that you have expanded your capabilities? Why do you think that has been?
Dooley: Yes, we have seen significant interest in our new solutions beyond just mobile, now protecting all modern applications. This is because the rate of change for developers with today’s modern applications has accelerated due to automation, agile development processes, and DevOps efficiency. However, organizations are realizing these practices have introduced a new wave of threats unaddressed by today’s security automation tools. Organizations have been looking for new solutions to protect their apps while not slowing down the
CloudCow: With the growth of APIs, microservices, and serverless apps, what are some of the major security issues for enterprises you are seeing, and how do you help?
Dooley: There are some interesting challenges with these new APIs. One of them is this concept of Shadow APIs we have been discussing. Because most of these applications are now being built with a microservices architecture, organizations have these smaller, reusable pieces of software that ultimately support an enterprise application built on serverless.
Most of these microservices are interconnected with one another through communication via API, typically RESTful APIs. Whether these RESTful APIs are viewed as publicly consumable or as private, to be used only to interconnect the microservice fabric, once they are on the public cloud they are inherently accessible and available to any attacker or to any potential malicious software. One of the things that’s starting to happen for enterprises is they don’t know what they don’t know about the number of APIs that are being published and consumed by these modern applications using serverless.
This is a new challenge from a discovery perspective, to find all of these Shadow APIs that exist in enterprise environments. That’s one of the new interesting challenges for security when developers are using serverless functions.
Data Theorem’s API Discover and API Inspect are powerful API security tools that together address security concerns such as Shadow APIs, serverless applications, and API gateway cross-check validation by conducting continuous security assessments on API authentication, authorization, encryption, availability, and overall data exfiltration concerns. With API Discover and API Inspect, users can automate API discovery and security inspection seamlessly into their DevOps practices and continuous integration/continuous delivery (CI/CD) processes to protect any modern application, including microservices and serverless apps.
CloudCow: Many of our readers are busy with virtual containers and Kubernetes orchestration. However, we’re hearing a lot about the growth of serverless, e.g. Lambda and Cloud Functions, in the public cloud. With all these big changes happening in virtualization, what are some approaches to securing these environments?
Dooley: Virtual containers and Kubernetes have been top-of-mind for some DevOps teams, but many developers are designing their applications and new features with Amazon Lambda, Microsoft Azure Functions, and Google Cloud Functions. When developers choose serverless, they are essentially stating three things: (1) we want to write code and see it working as quickly as possible; (2) we don’t want to be bothered with the complexities of servers, databases, and virtual container management; and (3) we don’t want to pay for idle time when our apps are not being used. As a result, the major cloud providers have taken on this burden of infrastructure management on behalf of these app developers by giving them cloud functions.
What the cloud providers have not taken on is making sure developers build applications that adhere to a business’s own security and compliance policies. That is still the responsibility of the security and development teams who build these new cloud-native applications.
To secure these serverless and cloud-native applications, we recommend focusing on your data and how it flows across all of your applications. The most common way data flows and gets breached and stolen by attackers in modern applications (mobile, web, microservices, etc.) is through their APIs. If you have a comprehensive and continuous API security framework that has been automated across your CI/CD workflows, then you are well ahead of most organizations.
CloudCow: What are some of the data privacy and compliance risks with serverless infrastructure? Can you share any advice and how can Data Theorem help?
Dooley: These new function-as-a-service (FaaS) capabilities in the public cloud make it much easier for developers to build modern applications quickly. However, serverless apps are extremely challenging for security teams who attempt to use legacy technologies such as API Gateways and Web Application Firewalls to manage and secure these modern APIs.
API Discover is a continuous automated discovery service that finds new APIs, any changes to known APIs, and other cloud services related to these APIs within customers’ public cloud infrastructure environments such as Amazon Web Services (AWS). These APIs are discovered on a continuous basis by the Data Theorem Analyzer Engine.
API Inspect is a continuous automated security service that finds potential vulnerabilities in the authentication, authorization, and encryption layers of Internet-facing APIs based on their respective definitions and API specification. These APIs are inspected on a continuous basis by the Data Theorem Analyzer Engine. This service provides a policy-based alerting system to help protect customers when problems arise due to changes in an API’s functional operation that differs from its API specification.
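The checks Dooley describes above (finding Shadow APIs that are deployed but never vetted, and alerting when an API's observed behavior drifts from its specification in its authentication or encryption layer) can be illustrated offline. The following is an added example written for this page, not Data Theorem's code and not a description of how its Analyzer Engine works. It assumes three constructed inputs: an OpenAPI-style `SPEC`, a `DEPLOYED_ROUTES` inventory of the kind a cloud API gateway listing would give you, and `PROBES` recording how each route answered an unauthenticated request and which TLS version it negotiated. All names, routes and values are made up for the example.

```python
"""Cross-check a deployed API inventory against its spec and probe results.

Added example (not Data Theorem's code). Three checks on constructed data:
  1. Shadow APIs: (method, route) pairs deployed but absent from the spec.
  2. Auth drift: routes the spec marks as requiring auth that answered an
     unauthenticated probe with a 2xx status.
  3. Weak transport: endpoints that negotiated a TLS version below a floor.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Operation = Tuple[str, str]  # (HTTP method, route template)
HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}

# Constructed spec in the shape OpenAPI uses for 'paths' and 'security'.
# An empty security list means the operation is deliberately open.
SPEC = {
    "paths": {
        "/v1/users/{id}": {"get": {"security": [{"bearerAuth": []}]}},
        "/v1/login": {"post": {"security": []}},
        "/v1/orders": {"get": {"security": [{"bearerAuth": []}]}},
    }
}

# Constructed inventory as pulled from a gateway: (method, route, backing fn).
DEPLOYED_ROUTES = [
    ("GET", "/v1/users/{id}", "users-fn"),
    ("POST", "/v1/login", "auth-fn"),
    ("GET", "/v1/orders", "orders-fn"),
    ("GET", "/v1/orders/export", "export-fn"),  # never added to the spec
    ("DELETE", "/v1/users/{id}", "users-fn"),   # route known, method is not
]


@dataclass
class Probe:
    """One observed request: was it authenticated, and how did it answer?"""
    method: str
    route: str
    authenticated: bool
    status: int
    tls_version: str  # e.g. "TLSv1.2"


# Constructed probe results (hypothetical; no network traffic is sent).
PROBES = [
    Probe("GET", "/v1/users/{id}", False, 401, "TLSv1.3"),
    Probe("GET", "/v1/orders", False, 200, "TLSv1.3"),   # spec says auth
    Probe("POST", "/v1/login", False, 200, "TLSv1.0"),   # outdated TLS
]


def spec_operations(spec: dict) -> Dict[Operation, bool]:
    """Flatten 'paths' into {(METHOD, route): requires_auth}.

    An operation requires auth when it lists at least one security
    requirement; if it has no 'security' key, the top-level default applies.
    """
    default = bool(spec.get("security"))
    ops: Dict[Operation, bool] = {}
    for route, methods in spec.get("paths", {}).items():
        for method, op in methods.items():
            if method.upper() not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters'
            requires_auth = bool(op["security"]) if "security" in op else default
            ops[(method.upper(), route)] = requires_auth
    return ops


def find_shadow_apis(spec: dict, deployed: List[Tuple[str, str, str]]):
    """Deployed operations with no matching (method, route) in the spec."""
    known = spec_operations(spec)
    return [(m, r, fn) for m, r, fn in deployed if (m.upper(), r) not in known]


def find_auth_drift(spec: dict, probes: List[Probe]) -> List[Operation]:
    """Spec-protected operations that served an unauthenticated 2xx."""
    known = spec_operations(spec)
    return [
        (p.method, p.route)
        for p in probes
        if known.get((p.method.upper(), p.route))
        and not p.authenticated
        and 200 <= p.status < 300
    ]


def _tls_tuple(version: str) -> Tuple[int, ...]:
    """'TLSv1.2' -> (1, 2) so versions compare numerically."""
    return tuple(int(x) for x in version[len("TLSv"):].split("."))


def find_weak_tls(probes: List[Probe], minimum: str = "TLSv1.2"):
    """Probes that negotiated a TLS version below the policy floor."""
    floor = _tls_tuple(minimum)
    return [(p.method, p.route, p.tls_version)
            for p in probes if _tls_tuple(p.tls_version) < floor]


def assess(spec: dict, deployed, probes: List[Probe]) -> List[Tuple[str, str]]:
    """Turn the three checks into (severity, message) policy alerts."""
    alerts: List[Tuple[str, str]] = []
    for m, r, fn in find_shadow_apis(spec, deployed):
        alerts.append(("HIGH", f"shadow API: {m} {r} ({fn}) deployed but not in spec"))
    for m, r in find_auth_drift(spec, probes):
        alerts.append(("CRITICAL", f"auth drift: {m} {r} served 2xx without credentials"))
    for m, r, v in find_weak_tls(probes):
        alerts.append(("MEDIUM", f"weak TLS: {m} {r} negotiated {v}"))
    return alerts


if __name__ == "__main__":
    for severity, message in assess(SPEC, DEPLOYED_ROUTES, PROBES):
        print(f"[{severity}] {message}")
```

The value of the spec cross-check is that it is keyed on the (method, route) pair, not the route alone: a `DELETE` quietly wired to an existing path is as much a Shadow API as a brand-new path. In a CI/CD pipeline the same three functions would run on every deploy with the live gateway inventory and real probe results in place of the constructed lists.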
CloudCow: What major trends do you see this year around modern apps and security?
Dooley: Serverless applications will surpass applications built in virtual containers. In 2017, Docker reached 24 percent adoption while Lambda reached 23.5 percent adoption among AWS customers. Yet, the adoption rate of serverless and cost savings are dramatically better than what virtual containers can offer. Amazon, Google and Microsoft are all pushing serverless because it’s easier and cheaper for their customers. Also, once apps are built using serverless frameworks, there’s potentially a higher switch-over cost to go from one cloud to another. Brand loyalty is something every subscription service is hoping to achieve. Amazon, Google and Microsoft are strengthening their offerings with serverless in the cloud which helps any size business build mobile and modern web apps faster with less overhead.
That being said, and with everything discussed earlier, security within DevOps will still remain an afterthought for most businesses. The practices of Agile and DevOps are being adopted widely among mainstream businesses. The practice of automated Security for DevOps, aka DevSecOps, is almost nowhere to be found. Applications are being updated in production on a weekly and even daily basis, where in the past it would happen only a few times annually. Today the most innovative companies have started to integrate security into their DevOps practices. However, the traditions of most IT security teams remain at odds with successful DevOps teams. As a result, we will have to wait until 2020 and beyond before DevSecOps – automated security integrated into DevOps – is a common practice.
CloudCow: What can we expect to see from Data Theorem here in 2019?
Dooley: Our development, support and engineering teams are built out and fairly mature, but we just started building out some of our business functions such as marketing and sales. As we scale out our operations, we will start to reach more customers faster, especially those outside of the US.
CloudCow: It’s been great speaking with you, anything we missed as we wrap up?
Dooley: We love giving customers a free test-drive of our Analyzer Engine using their publicly available mobile apps and APIs. These demos are easy for us to do, and customers tend to be surprised by what our Analyzer Engine can find on the initial evaluation, without having to give us any information or do any work. We encourage anyone curious to see how the Data Theorem platform works to sign up for a quick demo at https://datatheorem.com/demo to get a test-drive.