Jack Mannino, nVisium CEO: Failure to Implement Standard Security Practices, Cause for Most Breaches
Over a decade ago, Jack Mannino took his career into his own hands and decided to move forward on his own; and so nVisium was created. The company focuses on mobile and Web application security, delivering solutions to companies in need.
While building an in-house security department could work for big companies, others prefer to work with nVisium instead, bringing in experts that can see things with a lot more impartiality in order to offer the right advice.
We had a cool chat with Jack Mannino, nVisium CEO, about how the company works, what are some of the biggest threats we face today, how to deal with those threats, and more. Find out everything - read our interview below.
TechNadu: Let's start with you telling us something about nVisium. How did it all start?
Jack Mannino: nVisium started in 2009, in my basement. I was frustrated with where my career was going, and increasingly dissatisfied with the work I was doing. I loved software and application security, but I wasn’t sure if the work I was performing was actually valuable. My wife convinced me to get the ball rolling with organizing the company, and we each took on responsibilities to get started. She handled all back-office aspects, and I built our technical solutions and practice delivery. Thankfully, my wife is incredibly organized and has great attention to detail, so her role gave me the ability to land our first major clients by being the external face of the company. We did not take investor capital out of the gate, and we were fortunate to grow our business over the past decade. nVisium got started out of love for security and succeeded because of a lot of hard work and dedication from incredibly passionate, talented people.
TechNadu: I assume you had a certain vision for what you wanted to create in the beginning. How has that vision shifted over the years, and how has the company morphed to accommodate these changes?
Jack Mannino: When we started nVisium in 2009, we were naïve to the scale of the software security problem and the challenges ahead of us. The cloud and modern software paradigms, such as cloud-native and microservices, have forced us to rethink many existing security practices. We’ve continued to invest in building software and capabilities that allow us to meet the rapidly expanding needs of our clients. This includes developing a cloud-based platform for developer education, where they interact with our engine and receive feedback in real-time as they write secure code. We have re-architected our client and backend dashboards to provide deep visibility into software and cloud security within dynamically changing environments.
TechNadu: What draws companies to nVisium? Why makes them choose your company for their security assessments? Why not do it in-house?
Jack Mannino: Companies work with nVisium because we take a vested interest in enhancing their capabilities for building secure software. We extend an organization’s capabilities through our team’s diverse background in software engineering and security. It is hard for many organizations to recruit and train security engineers with the skills provided by the nVisium team, so we complement their capabilities to enhance and optimize their security initiatives.
TechNadu: What are some of the most common issues you encounter in your assessments?
Jack Mannino: Many of the issues we discover are due to insecure development practices, which lead to software vulnerabilities. As we continue to move towards a code-centric world, through Infrastructure-as-Code and practices such as GitOps, everything is a software problem. As we examine Web, mobile, and IoT products that leverage the cloud, we discover implementation flaws, while utilizing Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings securely. The modern software we build is increasingly distributed and modular, exposing additional surfaces for attack.
TechNadu: Your company provides multiple types of security assessments - for apps, IoT, cloud, mobile tools, networks, and so on. Where do you tend to find the most issues?
Jack Mannino: We tend to find the most issues within organizations beginning a new software security initiative. Whether it’s a new product set to launch with an aggressive release date, or systems that have been developed without security involvement, we typically find the most security debt in less mature environments. As security is continuously built into a system’s architecture through the feedback loop we provide to engineering teams, we see a decrease in existing issues, as well as a reduction in new issues introduced through code.
TechNadu: IoT is generally viewed as a deeply flawed area in terms of security, with a ton of vulnerabilities that are more often than not difficult to fix. What has been your experience with IoT tools assessed by your company?
Jack Mannino: IoT is challenging from a security perspective due to its diverse supply chain and large attack surface. At nVisium, we see issues ranging from extracting unprotected sensitive information from devices to vulnerabilities allowing for command and control against a fleet of devices. With the increase in edge computing and distributed sensor networks, cloud infrastructure and edge devices are an increasingly attractive target. Edge computing uses a hybrid cloud model, where the edge devices and cloud services must establish trust at each layer. Whether your goal is business disruption, stealing sensitive data, or establishing command and control, edge device and cloud infrastructure resources are prized assets to compromise.
TechNadu: How about you, personally? Do you have any IoT devices in your home, and do you take any special precautions to secure them and your other home devices?
Jack Mannino: For a technologist, I have a surprisingly very un-smart home. However, I have kids, and their toys are increasingly sophisticated, utilizing a variety of wireless and networking protocols. At work, I have the luxury of reviewing the products we connect to our enterprise infrastructure and disallowing insecure systems from connecting to our network. Those rules do not apply with children, and the majority of toys weren’t engineered with an emphasis on security. We do our best to isolate these devices to their own networks and limit lateral movement, ensure that automatic updates are applied wherever they are available. One of the major challenges with IoT products is ensuring updates happen in a reliable, secure manner.
TechNadu: What do you believe are some of the biggest threats we face today in terms of cybersecurity?
Jack Mannino: As the physical and digital worlds continue their convergence, we’re at increased risk of disruption for everyday services that we rely on and depend on. We’ve almost become numb to the volume of networks and web applications compromised each year. However, when a medical device or a car is hacked, the risks become a lot more relevant to us as individuals.
TechNadu: What is the best advice you received in your career so far?
Jack Mannino: Embrace everything you do in your career as a learning opportunity, whether it’s doing the things you enjoy or the things you enjoy least. When you begin to feel like you know everything or you’ve mastered your field, you stop learning. Approach everything you do like you have a chip on your shoulder, and don’t be afraid to fail. Failure isn’t fun, but it’s a valuable learning opportunity.
TechNadu: If you could give people one piece of advice to help them protect their data, what would it be?
Jack Mannino: Focus on the fundamentals of security before you attempt to implement elaborate products and practices. While new and flashy vulnerabilities may be interesting to focus on, the reality is that more systems are compromised by failing to implement standard security practices. These include failure to patch systems, not restricting networked services for malicious actors, using weak authentication and identifiers, and not implementing least-privilege access. Build a strong security foundation and repeatable practices to grow from.