Today’s world is becoming increasingly digital, and the COVID-19 pandemic has only accelerated that trend. To keep up with the growing demand for digital innovation, more organizations are making the move to cloud-native application architectures, built on microservices, containers and platforms like Kubernetes, for the agility they provide. They’re also adopting more agile approaches to software delivery, like DevSecOps.
However, the advantages of these approaches are not without their risks. The dynamic nature of container-based, cloud-native environments and the need to keep up with the speed of agile development makes spotting and managing application security vulnerabilities much harder, with alerts and false positives besieging teams. So, how can organizations embrace these approaches and ensure their applications remain secure?
The Architecture That Never Sleeps
In cloud-native environments, change is the only constant. Well over half (61%) of organizations say their environment changes once every minute or less, and nearly a third say it changes at least once per second. This is because microservices are constantly bursting into and out of life, with infrastructure spinning up to support them in real-time, as customers and employees interact with digital services.
Whilst this makes running applications more efficient, it also poses a challenge for security teams. The ever-changing nature of dynamic architectures means that organizations are being exposed to thousands of vulnerabilities that continue to proliferate every minute. In addition, the dynamic nature of today’s environments means that the dependencies of vulnerable components also change constantly, which makes manual impact assessment impossible.
This can have serious consequences. The 2017 Equifax breach, in which the personal data of millions of individuals was stolen, happened because hackers were able to exploit a widely known vulnerability from the Apache Struts library. This vulnerability still exists in countless web applications globally, but the growing move to cloud-native architectures will make it increasingly difficult to identify.
Modernizing Security Approaches
The problem is traditional approaches to vulnerability management only offer a static view at a single moment in time, making them prone to blind spots in dynamic environments. Not only do scanners often miss what is running in production, but they also create vast quantities of alerts and false positives on every possible vulnerability they detect, lacking the ability to differentiate between a potential vulnerability and an exposure. The sheer number of alerts leaves organizations unable to gauge their level of exposure, making the overall risk uncertain.
To overcome this, organizations need a new approach to application security that allows them to spot exposures as they arise. To enable this, organizations should establish continuous observability across their cloud environment to eliminate any blind spots. Combining this with AI can provide precise answers about the source, nature, and severity of detected vulnerabilities, in as near to real time as possible. This intelligence can be used to power automated runtime application self-protection (RASP) capabilities, helping organizations automatically detect, assess and manage application vulnerabilities in real-time.
Additional Pressure on Developers
In addition to dynamic application architectures, agile approaches to software delivery and orchestration are also creating challenges. While innovation is accelerated, DevSecOps approaches also shift responsibility “left” to developers to ensure their code exposes no exploitable vulnerabilities. Time-poor developers simply don’t have time to manually scan for vulnerabilities, and are often overwhelmed with alerts, many of which are low priority or false positives. Without the context of how each vulnerability impacts the wider cloud-native ecosystem and which applications and data it puts at risk, it’s difficult for DevSecOps to prioritize actions to drive faster, more secure release cycles. As such, and often despite multiple security tools, even the most common vulnerabilities can remain undetected for hackers to exploit.
Observability, AI and automation also provide a solution to this dilemma, enabling DevSecOps teams to continuously analyse their entire cloud-native environment – including applications, libraries and code – to identify any changes, prioritize alerts, and eliminate false positives. With this AI-assistance, developers can understand the source and nature of application security vulnerabilities, as well as how severe they are – allowing them to manage their time far more effectively. This approach also enables DevSecOps teams to identify post-deployment attack vectors, allowing them to shore up the defenses of applications running in production to protect against new vulnerabilities as they emerge.
Securing the Cloud Native Future
The key to securing cloud native applications is to ensure that the approaches used to secure them are just as dynamic as the environment they are deployed in and methodologies they are built with. Application architectures and software delivery are only going to move faster as we continue down the digital road. Instead of playing catch up in the future, organizations should lay the groundwork now by adopting an application security strategy that can keep pace with transforming architectures and development methods. This means combining the solutions and processes needed to modernize approaches to application security, support DevSecOps teams effectively, and get the most from cloud-native environments and agile delivery.