Prime pickings: Application security

Applications provide the juicy data that organizations must protect, says Marcus Prendergast, CSO of ITG. Dan Kaplan reports.

In today's digitally connected world, where most companies' competitive advantage is based largely on how well they interact with and serve customers over the internet, Investment Technology Group (ITG) is an anomaly.

The New York-based brokerage and financial markets technology firm has an attractive-enough internet presence, but the site isn't as highly programmable or littered with forms, fields and interfaces as one is used to finding in cyberspace. To the contrary, the highly regulated ITG purposely maintains a limited web footprint, choosing to conduct the bulk of its business behind the corporate firewall.

“We're very much disconnected from the internet,” says Marcus Prendergast, the company's global head of security since 2010. “We don't expose anything unless it's necessary to expose it. It's not as though we have to use the internet to communicate.”

As a result, the 1,100-employee company is able to mostly avoid a major risk that other organizations simply cannot: cyber intrusions designed to pierce through web applications – those front-line attacks, like SQL injection and cross-site scripting, that can lead to a jackpot of customer data. This has arguably become hackers' most preferred vector of attack, and it is believed responsible for many of the headline-grabbing breaches of the past two years, including major personal information heists at Sony and LinkedIn.

But applications still play a vital role in ITG's business model. It's just that Prendergast is less concerned about the public-facing ones and much more interested in the security of the roughly 55 backend legacy programs, which handle stock orders and provide confidential data to ITG's 700 customers. He says about three percent of all equity trading volume in the United States is conducted via these applications and systems.
