As engineering becomes a driving force, how must AppSec evolve?
Software engineering is changing, becoming a driving force in business and bringing about big changes in how application security (AppSec) is approached. Complexity is gaining the upper hand, with more development languages, and new types of code security issues — such as vulnerabilities in open-source code components — making it even harder for AppSec to provide an overarching security umbrella for the engineering ecosystem.
Let’s take a look at what this paradigm shift means for the security professionals responsible for keeping applications safe.
Engineering Is Undergoing a Paradigm Shift
Digital business is pushing software engineering to the forefront, bringing on a rapid evolution of the modern engineering ecosystem, which can be characterized by three main elements:
Wide, Highly Dynamic Landscape of Technologies and Frameworks
Imported code libraries, third-party systems, and plugins have enabled engineers to build apps faster and enhance the overall quality of the software that’s delivered. But they also introduce a new level of complexity that perpetuates an ever-changing ecosystem of disparate point solutions, frameworks and systems.
Everything Is Codified
Historically, software development was just about application code, but the lines are now blurred. Everything is codified today, with formerly manual practices, such as policy management and infrastructure provisioning, being transformed into the automated practices of infrastructure as code (IaC) and policy as code, which allows teams to rapidly scale in the cloud and reduce the potential for mistakes due to human error.
The Need for Speed and Agility Is Driving the Use of Automation
The technical barrier for the adoption of engineering technologies, such as Kubernetes, Salt, and Ansible, has diminished. This, combined with the need for increased speed, drives automation and enables organizations of all sizes to accelerate engineering practices and deliver greater customer value.
Increased Complexity Challenges Traditional AppSec
The traditional AppSec challenge — natively embedding secure development practices to prevent security flaws from getting into production — is now more complicated because of the changes taking place in engineering. Culprits for this include:
- The sheer number of development languages, frameworks and technologies used by organizations as cloud native methodologies mature.
- The ease of adopting new technologies, which makes the landscape of languages and frameworks highly dynamic.
- The freedom engineers have to choose engineering technologies and frameworks (a new language/framework can be adopted and productionized within minutes, without any security boundary or need for approval).
- The number of different types of code security issues — such as misconfigurations in IaC files, vulnerabilities in open-source software, and secrets hardcoded in source code — with each language and framework potentially requiring a dedicated solution to effectively detect flaws at an effective signal-to-noise ratio.
New Risks Require a New Focus in AppSec
In recent years, we’ve seen a shift in how attackers infiltrate cloud production environments. From SolarWinds, CodeCov, Travis-CI and CircleCI, it’s clear that bad actors recognize the effectiveness of abusing the CI/CD pipeline. Targeting IaC misconfigurations, vulnerabilities in open-source code components, and exposed credentials, they’ve become proficient in exfiltrating confidential data and running malicious code in production environments.
This attack vector underscores the need to deliver comprehensive visibility and observability across the application lifecycle to optimize security posture against all existing and new risk surfaces.
Four Guiding Principles for Securing the Engineering Ecosystem
As organizations recognize the importance of engineering to business success, the need for speed and agility becomes paramount. As a result, security must shift from the role of blocker to the role of facilitator. To do this, though, security must provide value on four fronts:
- Speed: It’s no longer acceptable for security organizations to restrict the speed of progress with their processes. In the cloud, engineering drives timelines, not the other way around. Security controls and measures must move at the speed of engineering.
- Integrability: To ensure speed, security controls and solutions must be integrated seamlessly into the day-to-day engineering ecosystem, becoming part of the development process.
- Enablement: Security doesn’t have the mandate to restrict usage of specific technologies or frameworks. It must support engineers by enabling their use of whichever technologies and integrations suit their needs.
- Focus: To enable fast-moving engineering teams, an effective signal-to-noise ratio must be in place. Unexploitable risks, or risks that don’t pose high impact threats to the business, must be redacted. AppSec must be armed with highly contextualized risk insights into critical vulnerabilities.
Join Daniel Krivelevich with ActualTech on May 30th where he’ll delve into the state of AppSec and discuss how organizations can better protect their supply chain and CI pipeline. Register today for the webinar, As Cloud Attacks Increasingly Target the Engineering Ecosystem, How Must AppSec Evolve.