A Surgical Approach to Software Security: Protecting Software from the Inside Out

The pace of software innovation and the resulting amount of new software being introduced is mind-boggling when you look at its potential impact for today’s businesses. Consider, for example, the numbers associated with the cloud-based Software as a Service (SaaS) space. According to a recent Gartner report, the SaaS segment will likely hit $34 billion in 2017 and is projected to more than double to almost $76 billion by 2020 as software vendors continue to shift their business models from on-premises licensed software to public cloud offerings.

We have cloud computing to thank for driving this software innovation explosion. The combination of cloud computing and virtualization makes it easy for agile development teams to deploy multiple development, test and production environments quickly. This not only eliminates the need to purchase additional physical servers for development and staging, but it also does away with long delays as DevOps teams wait for IT to spin up and provision servers. 

For businesses, especially startups, the rise of cloud computing has proven to be beneficial in several ways by giving them the ability to: 

  • Innovate faster and with far less capital than was required in the past, increasing both productivity and efficiency,
  • Create a competitive advantage by giving businesses a fast-mover advantage when it comes to meeting customer expectations for improved services and products, and
  • Realize market success more quickly by meeting growth objectives, gaining market share and adding new revenue streams.

The Downside: Increased Security Risk
Unfortunately, as the speed of innovation increases and the amount of software swells, so does the opportunity for security vulnerabilities. One reason for increased software errors is simply human error. As business pressure intensifies on developers to work faster, the potential for more mistakes follows.

Another reason is related to how software today is developed. The need for speed along with tight budgets means that applications are often assembled from open source software (OSS) rather than from proprietary code that has undergone an in-house process for discovering and fixing any potentially serious flaws. While OSS may be more secure in many ways, the context of how we use it can create security problems, such as when an app developer uses a library of code in a way not originally intended by the OSS developer. 

Outside-In: An Inadequate Solution to Software Security
Most software security solutions today take a defensive approach in which they attempt to protect software from external threats that leverage known and unknown vulnerabilities. This “outside-in” strategy includes traditional, off-the-shelf tools that customers purchase and fine-tune for their specific environments. The tuning is accomplished by reducing the signatures that such solutions use. Although some newer solutions are an improvement over traditional off-the-shelf options in that they try to automatically understand some aspects of a customer’s infrastructure, they still fall short because of their threat focus.

The problem with any threat-based approach to software security is that it is incapable of pinpointing and safeguarding an organization from all the potential – and often unknown – hazards that could cause problems. They are called “unknown” for a reason, i.e., they are not yet known and therefore one cannot write a signature for them.

Some newer tools are doing a better job at detecting categories of threats, but if a new category emerges, we get back to being reactive. Because developers of security tools don’t have crystal balls to know what’s coming next, defensive-focused solutions cannot possibly detect new threats in a timely manner.

We also cannot overlook the cost of outside-in methodologies. In their attempt to protect themselves from all possible security problems, organizations are often compelled to purchase multiple products. Add in the expense of personnel needed to continuously tune those products as well as react to alerts, and the ongoing cost of inadequate software security can quickly skyrocket.  

Inside-Out: A Proactive Approach to Software Security
Any doctor will tell you that the best strategy for eliminating pain is to first diagnose the source of the pain and then treat that specific ailment with a targeted treatment. This same approach – an “inside-out” approach – must be used to protect software. In other words, the “diagnosis” should inform the solution.

What this means is that rather than crossing their fingers for good luck and counting on generic, all-purpose solutions to hopefully identify and deflect threats, DevOps and security teams must start thinking in terms of security that is specifically built for their software workloads, unique for each version of each “microservice”.

This is accomplished by proactively analyzing software in a way that identifies the entire execution space of the workload as well as any mistakes, weaknesses and vulnerabilities in it (called Security DNA). A security agent armed with this information is then created to protect the specific workload in production. This approach makes for a very precise solution that is also extremely lightweight and highly performant.

Developers can also be given the details of the Security DNA so that they can fix important issues. A proactive inside-out method such as this allows companies to focus on protecting their software workloads against their inherent weaknesses instead of wasting money and effort protecting against dozens and dozens of possible threats, some of which they may never see.

The Time Has Come to Go Offensive
As data leaks, ransomware and other cyber-attack incidents surge in an exponentially expanding software ecosystem that has seen a monumental shift to cloud computing, the time has come to move from a defensive to an offensive stance when it comes to software security.

Instead of relying on an assortment of generic options and hoping that one of them will thwart any future problems, we must focus on a preemptive diagnosis and cure designed to eliminate the opportunity for problems both today and in the future. Eventually, we have to make our software better. In the interim, we can protect it against its very weaknesses.

Doing so will decrease the costs associated with the purchase of generic, all-purpose software protection solutions. Taking a targeted offensive approach also will reduce the need for more people to manage these mediocre solutions and the associated false-positive alerts.

Most importantly, however, the inside-out approach is simply more accurate. It is more logical and offers an opportunity to rethink security, giving companies that rely on their software a much better chance of avoiding the financial losses and reputation damage that come from security breaches.
