The broad transition to cloud-native architecture requires new security technology that addresses both the attack vectors this architecture opens up and the vulnerabilities that reside in application code. At the same time, the proliferation of security roles within organizations raises awareness, but also places a greater burden on stakeholders.
To address these security challenges, a new class of tools provides a comprehensive response within a single platform. Why are these tools necessary, and how does such a platform differ from legacy technology?
Organizations around the world have adopted advanced cloud architectures in recent years. They have moved from monolithic application development to a set of microservices that run inside containers in the cloud and are distributed across multiple layers. This modern architecture provides significant advantages for designing, building, and deploying cloud applications.
IDC Research says that “by 2023, more than 500 million applications will be developed using cloud-native approaches.” The use of containers is on the rise. Gartner estimates that “90% of global organizations will run containerized applications in production by 2026, up from 40% in 2021. Additionally, by 2026, 20% of all enterprise applications will run in containers, up from less than 10% in 2020.”
Cloud-native architecture enables your business to unleash the full potential of your applications, giving them flexibility in response to internal and external demands. And as companies become more digitally focused and undertake related transformation initiatives, it makes sense to shift development to microservices and containerization, especially considering application modernization requirements.
That said, development within an advanced cloud-native environment requires new security technology. The latter must fully address potential attack vectors as well as weaknesses in the developers’ code. Given this, two questions to consider are: who is in charge of securing developers’ code, and what are the right tools to use?
Who is in charge of security?
In the past, application developers and infrastructure staff worked in separate areas, and friction between the two was common. Today that boundary is blurred, with the work shared between the various stakeholders. With regard to security, this is known as “shifting left”; namely, moving security testing earlier, from operations to development.
This emerging approach places a greater security responsibility on developers. It evolved when companies realized that code could no longer wait to run in a production environment before being tested for weaknesses. Rather, it is much more efficient to test it earlier during development.
The multiplicity of security roles is another aspect of this process. AppSec, DevSecOps, and product security share responsibility for alerting, monitoring, and resolving various threats targeting business applications. These significant changes do not make application development easier for organizations. In today’s more agile development models, where speed and automation rule, developers are under pressure to build and ship apps faster than ever.
Blurred responsibility and the transfer of additional tasks to developers create a challenge and add complexity. This can slow development processes down instead of helping them move at the accelerated pace the business demands.
A 2021 GitLab survey offers surprising answers to the question, “Who owns application security?” It found that most operations professionals did not trust the ability of developers to write secure code, while most developers felt they lacked adequate security guidance. Unsurprisingly, the study found confusion among respondents as to who owns security within the organization: 33% thought SecOps did, 21% put responsibility on developers, 12% on operations, and 29% thought everyone owned security.
Actually, everyone is responsible.
With cloud-native applications, analyzing how vulnerabilities flow between and within microservices is no longer a nice-to-have, but a critical requirement.
Organizations need accurate insights and analytics to 1) run security testing across all layers of code at any time, and 2) enable high-quality, productive collaboration between the multiple development and security stakeholders.
Therefore, a shift in focus is needed: a method by which everyone can work in a coordinated way to enable deep security processes and distributed ownership. Ideally, developers should plan and implement security while coding applications. This should include Application Security Testing (AST) cycles to find vulnerabilities long before they reach production.
But assessing code vulnerabilities is complex. Cloud-native technology combines multiple layers of code (e.g. cloud, clusters, containers, microservices), so the testing process actually requires multiple teams: security teams, development teams who implement and test the code, and DevOps teams who understand the infrastructure.
When looking at how most organizations decide with whom and where cloud-native application security should reside, there are two places where it is typically emphasized. The first is pre-production/development, where security ownership is firmly in the hands of the developers. The second is production, or application runtime. DevOps and security teams both take part in these stages.
During pre-production, security integration primarily refers to the implementation of Application Security Testing (AST). Such tools partially meet the vulnerability assessment requirement with a two-pronged approach: automatically examining code components before the application is built or deployed, and actively testing the running application by attempting to break it from an attacker’s point of view.
The three AST categories
Dynamic AST (DAST) – Reports results based on the application’s external behavior (e.g., its response to a simulated attack) rather than examining internal code or communication paths. DAST often returns false negatives because of insufficient coverage and because it cannot see vulnerabilities inside the application. It also has difficulty identifying weaknesses that originate in internal communication within and between applications.
Static AST (SAST) – These tools analyze source code without executing it, looking for patterns that indicate security weaknesses, typically by tracing data flow from untrusted input sources to sensitive sinks. They test each application and its microservices separately, but ignore the context and the big picture. They can produce many false negatives or false positives because they cannot evaluate the full context and data flow of the application.
Interactive AST (IAST) – Such a tool combines DAST and SAST techniques to increase accuracy. It instruments the running application and observes its behavior from the inside, providing analysis similar to SAST. But for cloud-native applications, these tools still do not take a broad view of communication between layered components. They also require a setup process that includes manual deployment and maintenance for each application component, along with significant development resources.
Multi-layered contextual risk assessment
As described, existing AST solutions require running each tool separately to detect code vulnerabilities in cloud-native applications. They are not always in sync with each other, nor do they know how to cross-reference and use rich data from other code layers in the environment.
Therefore, the evaluation of multilayer distributed code requires a new approach and set of tools. Testing with rich data pulled from the development, cloud, and orchestration layers provides comprehensive results.
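As an added example (not code from the article or from Oxeye), the following Python sketch shows both halves of the argument above: the AST section’s point that a SAST pass sees only what happens inside one service, and this section’s point that findings become actionable only when enriched with data from the orchestration layer. The three microservice sources, the Ingress exposure set and the east-west call graph are constructed for this example, and the scoring weights are an assumption, not a standard.

```python
import ast

# Constructed sample microservices, written for this example (not real code).
SERVICES = {
    "gateway": """
import os, shlex
def ping(request):
    host = request.args["host"]
    os.system("ping -c1 " + host)                                # tainted -> shell sink
def safe_ping(request):
    os.system("ping -c1 " + shlex.quote(request.args["host"]))   # sanitised: no finding
""",
    "billing": """
import subprocess
def export(request):
    name = request.args.get("name")
    subprocess.run(["tar", "cf", name, "data"])   # argv list, no shell: not a sink
    subprocess.run("gzip " + name, shell=True)    # tainted -> shell sink
""",
    "reports": """
import os
def build(request):
    os.system(f"render {request.form['template']}")   # tainted -> shell sink
""",
}
# Constructed orchestration-layer facts: workloads behind an Ingress, and the service call graph.
EXPOSED = {"gateway"}
CALLS = {"gateway": {"billing"}, "billing": set(), "reports": set()}

SOURCES = {"request.args", "request.form", "request.json"}      # untrusted input
SHELL_SINKS = {"os.system", "os.popen"}
SUBPROCESS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}
SANITIZERS = {"shlex.quote"}                                     # neutralise shell metacharacters

def dotted(node):   # "os.system" for an `os.system` attribute node, else None
    ok = isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
    return f"{node.value.id}.{node.attr}" if ok else None

def is_tainted(node, tainted):
    """True if the expression derives from a request parameter or an already-tainted name."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Attribute):
        return dotted(node) in SOURCES or is_tainted(node.value, tainted)
    if isinstance(node, ast.Subscript):
        return is_tainted(node.value, tainted)
    if isinstance(node, ast.Call):                # f(x): taint flows through unless f sanitises
        if dotted(node.func) in SANITIZERS:
            return False
        return is_tainted(node.func, tainted) or any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):           # f-string
        return any(isinstance(v, ast.FormattedValue) and is_tainted(v.value, tainted) for v in node.values)
    return False

def sink_name(call):
    """Label of a command-execution sink reached by this call, else None."""
    name = dotted(call.func)
    if name in SHELL_SINKS:
        return name
    shell = any(k.arg == "shell" and getattr(k.value, "value", None) is True for k in call.keywords)
    return f"{name}(shell=True)" if name in SUBPROCESS and shell else None

class TaintVisitor(ast.NodeVisitor):
    """Intra-procedural taint tracking: what a SAST pass sees inside a single service."""
    def __init__(self, service):
        self.service, self.func, self.tainted, self.findings = service, "<module>", set(), []
    def visit_FunctionDef(self, node):
        self.func, self.tainted = node.name, set()   # taint is tracked per function only
        self.generic_visit(node)
    def visit_Assign(self, node):
        if is_tainted(node.value, self.tainted):
            self.tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        self.generic_visit(node)
    def visit_Call(self, node):
        sink = sink_name(node)
        if sink and any(is_tainted(a, self.tainted) for a in node.args):
            self.findings.append((self.service, self.func, node.lineno, sink))
        self.generic_visit(node)

def hops_from_internet(service):
    """BFS distance over the call graph from an exposed workload (0 = exposed); None if unreachable."""
    dist, queue = {s: 0 for s in EXPOSED}, list(EXPOSED)
    for s in queue:
        for callee in CALLS.get(s, ()):
            if callee not in dist:
                dist[callee] = dist[s] + 1
                queue.append(callee)
    return dist.get(service)

def analyze(services=SERVICES):
    """Per-service SAST pass, then rank each finding by cluster-level reachability (assumed weights)."""
    ranked = []
    for name, src in services.items():
        visitor = TaintVisitor(name)
        visitor.visit(ast.parse(src))
        hops = hops_from_internet(name)
        score = 5 if hops is None else 5 + max(0, 3 - hops)   # 8 exposed, 7 one hop in, 5 unreachable
        ranked += [(score, *finding) for finding in visitor.findings]
    return sorted(ranked, reverse=True)   # (score, service, func, line, sink), highest first
```

Run alone, the SAST pass reports the same shell-injection sink in all three services and cannot tell them apart; it is the constructed Ingress and call-graph data that ranks the internet-facing gateway first, the billing service reachable through it second, and the unreachable reports service last. The list-form subprocess call and the shlex.quote-sanitised path produce no finding, which is the source/sink/sanitiser distinction a SAST tool relies on.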
Oxeye has launched a new platform to meet this growing need. Its testing technology streamlines cloud-native security processes, helping once-siloed teams collaborate. It essentially combines all of the AST methodologies with a new generation of software composition analysis (SCA) capabilities.
Data enrichment provides the most accurate insights into critical vulnerabilities. By enriching security check findings with data collected from all application components and layers, Oxeye finds and verifies multiple weaknesses within layered code, from the development application to the cloud environment. And for effective and fast mitigation by development teams, the platform provides prioritization and replay steps.
Such context-aware analysis of surrounding components, additional microservices, and the various infrastructure layers provides reliable, high-accuracy results. Vulnerability context at each stage of application development helps everyone better understand risks and how they would materialize. Teams can immediately focus on what’s most important, thus shortening time to remediation.
Written by Dean Agron, CEO and Co-Founder of Oxeye