Signal Sciences, along with Capsule8 and Obsidian Security, recently hosted the 2nd annual Cloud Native Security Summit (CNSS), bringing together security leaders and practitioners for a day of panels, keynotes, and networking in San Francisco. Representatives from all three companies moderated discussions with security leaders from Intuit, Twitter, Netflix, Dropbox, and Airbnb, who shared their best practices and lessons learned for building applications in an increasingly cloud-native world.
A highlight of the day was the keynote from ESG Research analyst Doug Cahill who presented findings from the research whitepaper Retooling Cybersecurity Programs for the Cloud-first Era. This paper surveyed security professionals on the market trends for building, deploying, and securing applications as organizations move towards more cloud consumption.
The topics ranged from cloud migration to container adoption, but one key topic from Cahill’s presentation focused on the heart of the cloud-native movement: what are the people, process, and technology concerns facing security professionals today?
Let’s take a look at three key challenges Cahill identified for securing cloud-native apps and how Signal Sciences can address those concerns.
35% believe that the use of multiple cybersecurity controls increases cost and complexity
In January of this year, a report from Strategic Cyber Ventures stated that venture capital firms invested $5.3 billion into cybersecurity startups in 2018, a 20% increase from 2017. Security is a hot market, and not just for investors: businesses of all sizes need security products to protect their internal assets, customer data, and brand reputation. But when you’re an SMB or a corporate subdivision without the necessary team size or budget, you become skeptical that buying more security products makes you more secure.
Companies that are looking to secure their cloud-native applications need to deploy solutions that work seamlessly within their existing environments and integrate natively with their current tech stack. This reduces the amount of time and resources spent ensuring that everything is working properly.
At Signal Sciences, our customers love that our next-gen WAF and RASP provide complete visibility into their applications without constant code changes, high maintenance costs, or complex deployments. Because there are no regex rules to test or maintain, our value comes from reducing costs and complexity for our customers, many of whom tell us they don’t need a dedicated full-time employee to maintain our solution. Moreover, our continuous upgrades and technology integrations ensure our solution will provide more incremental value over time.
35% are concerned about the lack of understanding of the threats, attack vectors and methods specific to cloud-native applications
A major challenge for security professionals is the idea of the “unknown unknowns,” or the fear that they can’t stop or prevent threats they can’t see. Part of that fear can be attributed to Zero-Day attacks (unpatched software exploits), but visibility into their own networks and applications plays an even bigger role. Many security vendors operate as a “black box” because they do not provide customers the means to drill down or understand why activity was allowed or blocked. Despite giving security software full access to their technology infrastructure and web traffic, companies are often operating blindly when trying to secure cloud-native applications.
This lack of visibility concerns security leaders and practitioners in a few ways:
- It forces teams to blindly trust the vendor to make security decisions that can majorly impact their infrastructure, products, or customers.
- Teams become complacent about security activity and direct their focus elsewhere.
- And most importantly, it prevents teams from investigating and learning from attacks on their applications.
Signal Sciences understands that security teams need visibility to operate effectively. Unlike legacy WAF vendors that operate with a “black box” mentality, we surface information in our console and allow users to drill down into how and why we took action with granularity.
33% responded that their application development and DevOps teams do not involve the cybersecurity team due to fear of being slowed down
Despite new tools and frameworks that allow companies to develop software faster than ever before, security plays a crucial but divisive role in the software development life cycle (SDLC). Some companies maintain a “Shift Right” standard and analyze software for vulnerabilities late in the SDLC to keep their development teams running smoothly. Others are adopting the latest trend of “Shifting Left,” or introducing secure coding practices early in the SDLC to reduce code revisions.
Both philosophies are trying to solve the same problem in different ways by ensuring that deploying secure code is an integrated part of the development culture and life cycle. But as the trend of shifting left continues to explode in popularity, especially when building cloud-native applications, how are security vendors helping developers deploy code faster?
At Signal Sciences, we know that legacy security tools weren’t built to protect modern, cloud-native applications. So we developed an application protection solution that puts developers first. Our product operates on any app or infrastructure and integrates seamlessly into your DevOps toolchains, reducing friction and increasing collaboration between security and development teams.
For more insights into the challenges organizations face going cloud-native, read the ESG Research whitepaper.
*** This is a Security Bloggers Network syndicated blog from Signal Sciences authored by Elizabeth Hurder. Read the original post at: https://www.signalsciences.com/blog/securing-cloud-native-apps-lessons-learned/