Mike Kail, chief innovation officer, Cybric, explains why the application stack is the new perimeter organisations need to protect.
Cloud adoption is a strategic initiative for nearly every company today, but there is still a fair amount of fear, uncertainty and doubt around cloud security, most of it unfounded. In my experience, coding errors and application vulnerabilities are the root of most security problems, regardless of where the data resides. When it comes to cloud, you need to look past the distractions and focus primarily on securing applications.
The main difference between on-premises and cloud security is that there is no longer a well-defined security perimeter that can be protected by hardware appliances. The role that (poor) application security has played in exposing vulnerabilities is more than just a hunch. Through the work of the Open Web Application Security Project (OWASP), the record shows that application security vulnerabilities have been a persistent threat for years. The OWASP Top 10 list of web application vulnerabilities hasn’t substantially changed over the past decade, and despite advances in firewall appliances, breaches are happening at an increasingly alarming rate.
Security appliances, by nature, cannot be as adaptive as software solutions because of their perimeter-based approach. Web Application Firewalls (WAFs) have attempted to improve security defences via layer 7 inspection and policies, but once again these are static rather than dynamic approaches, and they can often produce false positives that block legitimate traffic or, worse, allow malicious traffic through.
Developers versus defenders
The biggest challenge that organisations face to improving application security in a software-defined world is the rapid spread of DevOps and the emphasis on continuous integration/continuous delivery (CI/CD). And it’s a challenge that seemingly puts developers at odds with the defenders.
Developers will always prioritise velocity over security, so security solutions must let them keep delivering features rapidly while integrating code and application security testing seamlessly into the software development lifecycle. Many developers also carry a historical bias against security teams, because those teams were often either a barrier to deployment or the group that came back with a litany of vulnerabilities after deployment, which makes for a challenging environment and certainly not a collaborative one. Developers only need to be involved when there are vulnerabilities to remediate; otherwise the scanning and testing processes should be implicit in their daily activity.
A large component of the solution to this challenge is the cultural shift that needs to occur, both within development teams as well as within security teams. Developers don’t need to become security experts, but they do need to start recognising the importance of integrating security best practices into the entire software development life cycle. Defenders need to understand how to first collaborate more effectively with the development teams and how to share those best practices instead of casting blame and having contentious conversations. Empathy needs to be embraced across teams and they all need to share overall security responsibility.
To help achieve this cultural shift, organisations need to place more of an emphasis on the ‘why’ benefits of application security testing. In the past, security teams would often only articulate the ‘how’ portion of testing, and that simply doesn’t resonate with developers who have other priorities. Once developers truly understand the value of the in-line remediation process and the fact that vulnerabilities can be resolved prior to production deployment, they will be much more likely to partner with the security team.
After these cultural issues are addressed, organisations need to put a framework into place that continuously enables security as part of the software development life cycle.
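One concrete piece of such a framework is a pipeline gate that runs on every commit, reads the scanner's output, and only pulls developers in when there is something to remediate. The script below is an added example, not code from the author or from Cybric: it parses a minimal SARIF 2.1.0 report (the constructed `SAMPLE_SARIF`, with made-up rule ids, paths and line numbers), blocks the build on unaccepted `error`-level findings, and honours a constructed accepted-risk baseline whose entries carry an owner and an expiry date, so a suppression is revisited rather than silently forgotten. The fingerprint format and baseline layout are assumptions made here for illustration.

```python
"""CI gate: block a merge on unaccepted high-severity SAST findings.

Added example. SARIF 2.1.0 is the real interchange format many scanners emit;
the sample report, the baseline layout and the fingerprint scheme are
constructed here for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample: a minimal SARIF 2.1.0 log such as a SAST scanner might
# write on a CI run. Rule ids, file paths and line numbers are invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "query string built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/weak-hash", "level": "error",
             "message": {"text": "MD5 used for password storage"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/legacy.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "py/hardcoded-secret", "level": "error",
             "message": {"text": "credential literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "py/log-injection", "level": "warning",
             "message": {"text": "unsanitised value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 88}}}]},
        ],
    }],
})

# Constructed sample: accepted-risk baseline keyed by finding fingerprint.
# Every entry names an owner and an expiry so accepted risk is re-examined.
SAMPLE_BASELINE = {
    "py/weak-hash:app/legacy.py:7": {"owner": "platform-team", "expires": "2099-12-31"},
    "py/hardcoded-secret:tests/fixtures.py:3": {"owner": "qa-team", "expires": "2020-01-01"},
}

# Fixed "today" so the example is deterministic (the expired entry above is expired).
FIXED_TODAY = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    message: str

    @property
    def fingerprint(self) -> str:
        # Assumed scheme: rule + file + line. Good enough to match a baseline entry.
        return f"{self.rule_id}:{self.uri}:{self.line}"


def parse_sarif(text: str) -> list[Finding]:
    """Flatten every result in every run of a SARIF log into Finding objects."""
    findings: list[Finding] = []
    for run in json.loads(text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=res.get("ruleId", "unknown"),
                level=res.get("level", "warning"),  # SARIF default when omitted
                uri=loc.get("artifactLocation", {}).get("uri", "?"),
                line=loc.get("region", {}).get("startLine", 0),
                message=res.get("message", {}).get("text", ""),
            ))
    return findings


def evaluate(findings, baseline, today, fail_on=("error",)):
    """Sort findings into blocking, suppressed (accepted and unexpired) and informational."""
    verdict = {"blocking": [], "suppressed": [], "informational": []}
    for f in findings:
        if f.level not in fail_on:
            verdict["informational"].append(f)
            continue
        entry = baseline.get(f.fingerprint)
        if entry and date.fromisoformat(entry["expires"]) >= today:
            verdict["suppressed"].append(f)
        else:
            verdict["blocking"].append(f)  # new, or its acceptance has lapsed
    return verdict


def gate(sarif_text: str, baseline: dict, today: date | None = None) -> int:
    """Return the exit status for the CI step: 0 lets the change through, 1 blocks it."""
    verdict = evaluate(parse_sarif(sarif_text), baseline, today or date.today())
    for f in verdict["blocking"]:
        print(f"BLOCK {f.fingerprint}: {f.message}")
    for f in verdict["suppressed"]:
        print(f"accepted {f.fingerprint} until {baseline[f.fingerprint]['expires']}")
    print(f"{len(verdict['informational'])} informational finding(s) do not gate")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    import sys
    sys.exit(gate(SAMPLE_SARIF, SAMPLE_BASELINE, FIXED_TODAY))
```

Run as a step after the scanner in the pipeline, the non-zero exit is what stops the merge. On the sample data the SQL injection finding is new and the hardcoded-secret acceptance has expired, so both block; the weak-hash finding is accepted until its expiry and the warning is reported without gating. Keeping the baseline in the repository next to the code means an accepted risk is reviewed in the same pull request as the change that touches it.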