Due to the pandemic, security teams are dealing with increasingly distributed environments driven by accelerated cloud adoption. Application security is a multidimensional problem that must be addressed from different angles. First, applications are built in rapid cycles. Second, complexity increases, an outcome of distributed environments, external components of the software, and the integration of those external components (open source code, for example). Agile development and continuous deployment methodologies have driven high-velocity code release environments, a perfect recipe for security gaps and an increased attack surface despite the industry's best efforts.
According to Radware's State of Web Application and API Protection report:
- In approximately 90% of surveyed organizations, security staff is not the primary influencer of application development architecture or the budget. In most cases, they are asked to secure a given information network.
- Only 45% of organizations agree or strongly agree that security is well integrated into their continuous integration/continuous delivery (CI/CD) pipeline.
- 57% are already using containerized applications and require robust application and data security (in addition to pure container image security and vulnerability scanning). Moreover, it was interesting to learn that a little over half of the respondents do not see how using containers contributes to financial efficiency.
Enterprises require a solution that protects their applications while enabling continuous delivery of code without developer friction. Moreover, the application must be protected continuously at runtime, irrespective of the composition of the code base (home-grown, third-party, or open-source components). This level of immunity is critical for them to neutralize threats.
It is about Shifting Left
The dynamics of threat propagation require organizations to identify, remediate and prevent vulnerabilities in the early stages as well as post-production. Removing runtime security blind spots early in the production cycle is critical to achieving effective, secure application development. It requires an adaptive solution that can be easily orchestrated with no manual intervention. The crucial step in achieving this is collaboration between security and DevOps teams: plan and integrate tools together with a security-by-design approach, being mindful of quick release cycles. A coordinated application build and release pipeline strategy is essential to correlate event characteristics, which helps reduce the false positive rate ahead of time and avoid potential security blind spots. It is important to note that hackers design and perpetrate coordinated sequences of events against static environments with known vulnerable components, and such organizations are impacted the most. Creating DevSecOps teams to secure the automation of application pipelines goes a long way toward enabling randomization of security perimeters, making it difficult for attackers to identify vulnerabilities.
Hypervigilance at every step of obtaining threat intelligence and incorporating it into the software build pipeline is the answer to near-app protection, meaning the elimination of manual interventions (no manual policy changes or configurations).
Lastly, near-application protection facilitates applying a positive security model, anomaly detection and behavioral learning, which can't be done using remote protection (at the edge, for instance), at least not without creating a lot of noise in the form of a high rate of false positives. Therefore, remote app protection delivers only partial security by default, compared to near-app protection.
Traceability & observability hold the answers to the future of security
The accelerated transition to cloud workloads has increased the need for consistency and hypervigilance across the application lifecycle. This is already an essential cloud-transformation security requirement that removes several impediments to achieving effective application protection. Observability is key to building resilient application workflows and modernizing application security, ensuring an organization's readiness for the cloud.
Precise detection of risks and threats, known and unknown, is possible by pinpointing anomalous behaviors in real time using a positive security methodology. It is quite challenging for legacy users to understand the need for increased monitoring and inline remediation, as traditional IT infrastructure controls operated on a static security perimeter. Legacy users were not prepared for the agility and speed at which cloud architectures operate.
As security has emerged as the top concern for organizations, the need to break the traditional barriers around security being a separate entity is becoming critical. Adopting an integrated DevSecOps strategy with automated observability has shown great potential to help guard against future unforeseen security disasters.
*** This is a Security Bloggers Network syndicated blog from Radware Blog authored by Radware. Read the original post at: https://blog.radware.com/cloud-security-3/2021/06/how-to-secure-applications-at-scale-from-code-to-cloud/