Carsten Huth, Technical Account Manager Team Leader, Checkmarx
Recent years have seen cloud-native become the default for many organisations when it comes to app development. In fact, our recent survey found that over half (59 percent) of developers have seen the amount of app development they’re doing in the cloud increase over the last year.
This shift isn’t surprising given the numerous benefits cloud-native offers, with organisations able to gain value from increased flexibility and scalability, ease of management, faster time-to-market, and lower cost requirements. Despite this, care has to be taken, as behind the benefits sits an intricate and layered attack surface which many organisations don’t understand or adequately secure.
Containers, APIs, infrastructure as code (IaC), microservices, and other cloud-based components all comprise a large portion of these apps – evidenced in a recent report from the Cloud Native Computing Foundation (CNCF), which notes that 84 percent of surveyed organisations now use containers in production. This not only increases their complexity, but also makes them an easy target for cyber criminals looking to exploit them.
So where should organisations begin when looking at how to secure cloud-native applications?
Firstly, to properly secure cloud-native apps, one must understand the discrepancies between ‘traditional’ and cloud-native AppSec.
In general, traditional AppSec is more contained, yet, with cloud-native there are more components and connections interacting and ‘speaking’ to one another behind the scenes. While this makes for more dynamic applications, it also creates an exponentially larger attack surface. For example, cyber criminals can now try to gain access into AWS, Kubernetes or Docker environments, then move on to other interconnected technologies, such as APIs, if they don’t initially succeed.
This presents a challenge for software developers. Not only are they now tasked with learning to build applications in a completely new environment, but they must also evolve the way they test for security vulnerabilities. Where previously it has become common for security to not take precedence in app development, the complexities of cloud-native make it more critical than ever for organisations and developers to prioritise security from the beginning.
Code is ubiquitous
There are a number of specific intricacies which present challenges to securing cloud architectures. Firstly, where security teams used to simply scan their code using application security testing solutions, cloud-native apps require a shift in approach due to their complexity. Given there is code everywhere in these apps to ensure the technology systems can speak to one another, this now means there are configuration files that need to be evaluated.
The two approaches to AppSec
There has always been tension between two approaches in AppSec: “shift left” versus “shift right.” This becomes more realised with cloud-native complexities, with each approach bringing unique advantages and disadvantages.
With the shift left approach to security seeing earlier results in the testing process, it often leads to cheaper and faster remediation cycles. Shift right results come later in the testing process, the benefits of which include a lower percentage of false positives and actionable results.
But what is the ideal approach today? While we are convinced that shift left is important and the shift to the left (i.e. beginning) of the software development process needs to continue, it is also vital that security is embedded in all stages of the software development process including the phases more to the end (e.g. right) of the development process.
With dispersed code comes dispersed security responsibilities
The obligation for security has changed hands. With dispersed code comes dispersed security responsibilities with developers, DevOps and IT teams now needing to shoulder this as a team.
This shared ownership may be complex, but it’s necessary given that it only takes a small mistake for cyber criminals to get a foothold. Positively however, our aforementioned report found that over half (55 percent) of respondents have taken on somewhat or significantly more application security responsibility over the last year.
There is also the fact that cloud-native and IaC – provisioning and configuring an environment through code instead of manually – increasingly come hand in hand, with IaC offering a major opportunity for businesses wanting one single holistic approach to app development.
Best practices in securing cloud-native
As more organisations continue to develop cloud-native applications to advance their digital transformation efforts, there are a few best practices to help overcome some of the challenges facing developers and businesses at large.
These include the following:
- Testing code from the first line. Don’t assume any portion of your code base is intrinsically secure. Whether proprietary or open source, every line must be thoroughly inspected from the onset of development with the objective that any and all vulnerabilities are addressed.
- Ensuring every component is secured. This includes third-party components – such as APIs. A ‘trust and verify’ approach is vital, means organisations trust, but take things a step further by verifying and validating. As malicious actors increasingly zero in on supply chain attacks, both third-party solutions providers and end users must make a more concerted effort to move beyond a mindset of inherent security trust and shift to a ‘validation before implementation’ model.
- Testing the IaC. This has a major influence on the security of applications. Just as you take careful, thorough steps to testing and securing applications, the same approach must be taken when it comes to IaC.
Cloud-native it is here to stay. It’s the future. By addressing the intrinsic challenges head on, whilst following the aforementioned best practices, organisations will be able to benefit from the technology without sacrificing their security.