Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors.
Cloud adoption is a strategic initiative for nearly every company today, but there is still a fair amout of fear, uncertainty and doubt around cloud security, most of it unfounded. In my experience, coding errors and application vulnerabilities are the root of most security problems, regardless of where the data resides. When it comes to cloud, you need to look past the distractions and focus primarily on securing applications.
The main difference between on-premise and cloud security is there is no longer a well-defined security perimeter that can be protected by hardware appliances. Security teams need to move away from hardware-defined approaches to programmatic, software-defined solutions. And it’s worth noting, cloud is not the only driver in this dissipation, the rapid onset of mobile-first is another key contributor.
The role that (poor) application security has played in exposing vulnerabilities is more than just a hunch. Through the work of the Open Web Application Security Project, you can see the historical fact that application security vulnerabilities have been a persistent threat for years. The OWASP Top 10 list of web application vulnerabilities hasn’t substantially changed over the past decade and despite advances in firewall appliances, breaches are happening at an increasingly alarming rate.
Security appliances, by nature, cannot be as adaptive as software solutions due to their perimeter-based approach. Web Application Firewalls (WAFs) have attempted to improve security defenses via layer 7 inspection and policies, but once again, those are static, not dynamic approaches, and can often result in false positives that block legitimate traffic, or worse yet, allow malicious traffic through.
Developers versus defenders
The biggest challenge that organizations face to improving application security in a software-defined world is the rapid spread of DevOps and the emphasis on continuous integration/continuous delivery (CI/CD). And it’s a challenge that seemingly puts developers at odds with the defenders.
Developers will always prioritize velocity over security, so security solutions must allow them to continue to rapidly deliver features and integrate code and application security testing seamlessly into the software development lifecycle. Many also have a historical bias against security teams as they were often either a barrier to deployment, or the group that comes back with a litany of vulnerabilities after deployment, which makes for a challenging environment, and certainly not a collaborative one. Developers only need to be involved if there are vulnerabilities to remediate, otherwise the scanning and testing processes should be implicit to their daily activity.
A large component of the solution to this challenge is the cultural shift that needs to occur, both within development teams as well as within security teams. Developers don’t need to become security experts, but they do need to start recognizing the importance of integrating security best practices into the entire software development life cycle. Defenders need to understand how to first collaborate more effectively with the development teams and how to share those best practices instead of casting blame and having contentious conversations. Empathy needs to be embraced across teams and they all need to share overall security responsibility.
To help achieve this cultural shift, organizations need to place more of an emphasis on the “why” benefits of application security testing. In the past, security teams would often only articulate the “how” portion of testing, and that simply doesn’t resonate with developers who have other priorities. Once developers truly understand the value of the in-line remediation process and the fact that vulnerabilities can be resolved prior to production deployment, they will be much more likely to partner with the security team.
After these cultural issues are addressed, organizations need to put a framework into place that continuously enables security as part of the software development life cycle. That framework should include:
- Building -- Establish secure coding practices and perform regular audits of Open Source components and Third-Party Libraries. Follow the best security practices outlined by the language that you’re coding in.
- Testing -- Leverage technologies such as Static Code Analysis (SAST) and Penetration Testing, as well as programs such as peer code reviews and bug bounties to bring security into the development pipeline.
- Remediating -- Make vulnerability remediation a continuous process, not a periodic event. Keep detailed records of root cause analysis findings to decrease the likelihood of being affected by previous vulnerabilities.
- Risk Management -- Make governance, metrics, and reporting a top priority. Oversight of the entire SDLC will be extremely beneficial over time.
Network security will always be part of an overall security framework, but we need to “shift left” and prioritize thinking about application-centric security as the application stack is the new perimeter. And as more and more organizations adopt DevOps methodologies, the shift in focus to application-centric scanning via automation is realistic, not futuristic.
Kail is co-founder and chief innovation officer of Cybric. He was previously CIO and SVP of infrastructure at Yahoo, and was named one of the “Top 100 Most Social CIOs on Twitter.”