As the cloud environment reaches maturity, it is increasingly becoming a security target. When it comes to cloud, security experts will need to decide who they can trust.
Next year, if they haven’t done so already, companies will need to develop security guidelines for private and public cloud use and use a cloud decision model to apply rigor to cloud risks. A key component of those guidelines will be how to protect applications in the cloud.
We at ShiftLeft would like to offer three cloud security predictions for 2018:
1) Serverless computing will become mainstream.
Serverless computing is becoming the preferred way to deploy new applications. Cloud-native architecture breaks down applications into multiple stateless and elastic micro-services architected around small serverless functions. The beauty of micro-services is that they can shrink or grow depending on demand. According to data from 451 Research, more than one-third of enterprises are using serverless technology in some form.
Most organizations operate in a hybrid cloud environment. Security will have to adapt to this new reality because it is being driven by business need — to be able to get to market faster, respond to market needs faster, and innovate faster. Security cannot change the behavior of innovation; they can only adapt.
With serverless computing, you assemble more of your code rather than creating it from scratch. No two applications are going to have the same code base. This will only compound the security challenges. Speed and specificity are crucial to application security.
There are four key security areas to look out for when it comes to serverless applications: flow of data, code quality, monitoring production, and choice of application programming interfaces. It is up to the application owner to make sure a security solution is put in place that can adequately address each of these areas.
2) 2018 will be the year of DevSecOps, as security teams rely on automation of security in the application development lifecycle.
More and more applications will be compromised through vulnerabilities in open source code and third party software. In addition, application development speed means traditional manual security testing approaches will not be able to keep up. At this pace of change, CVE matching techniques are becoming irrelevant.
The DevSecOps model can provide the automation of security to keep up with these changes and stay ahead of zero-day vulnerabilities. The philosophy of DevSecOps is that “everyone is responsible for security” so security is built into the continuous integration and continuous delivery process.
3) Continuous improvement in security will come together for the first time.
Code analysis and runtime protection have been traditionally siloed in organizations because they were never meant to be connected. With the software-as-a-service (SaaS) model, continuous improvement in security will become a reality.
No two applications work in the same way; they use open source software differently resulting in a different security threat profile. Unfortunately, security teams continue to protect applications with off-the-shelf security products that either create lots of false positives or provide runtime protection that adds significant overhead to the application. Generic security solutions have signatures for threats and vulnerabilities for hundreds of applications, operating systems, and network elements, which defeats the promise of cloud environments.
For SaaS applications, vendors provide state-of-the art robust infrastructure-level security. In such scenarios, the exposed attack surfaces are the applications and vulnerabilities from open source software used while developing them.
There is no doubt that next year applications will become the epicenter of cloud security. Companies will have to own the security and protection of their applications, not the security of their operating systems, infrastructure, or network.
With the ShiftLeft platform, security does not mean loss of agility and speed. In fact, with the cloud it means just the opposite. Continuous improvement of application code by shifting security left in the development lifecycle will be key in 2018.
This is a Security Bloggers Network syndicated blog post authored by Priya Chawla. Read the original post at: ShiftLeft Blog - Medium