Guest post from Deepfactor

Because many organizations initially focus on the mechanism through which application code and infrastructure is scanned and analyzed for security insights, the result is often an anti-pattern, where a complex set of overlapping and loosely-integrated tools spanning development and production actually impedes engineering teams from addressing security issues during development. And because traditional security tools were built for static environments, they are less than effective given the dynamic and rapidly evolving nature of cloud native application development.

Anti-pattern: "an ineffective solution for a problem." McKinsey Digital

For that reason, we’re partnered with DZone and author Samir Bewhara, a Senior Cloud Infrastructure Architect at Amazon Web Services, for a new whitepaper. Cloud-Native Application Security: Patterns and Anti-Patterns explores the critical challenges of cloud native application security; demonstrates how to build security into the CI/CD pipeline; reviews the importance of the OWASP Cloud Native Application Security Top 10; and introduces the core patterns and anti-patterns of cloud native security.

Though cloud native architecture enables organizations to build and run scalable and dynamic applications, it’s not without challenges. According to the Cloud Security Alliance (CSA), 70% of security professionals and engineering teams struggle to “shift left,” with many unable to recognize the formation of anti-patterns and understand/appreciate the wider impact to development, cost, governance, culture, etc.

However, before reviewing the anti-patterns reviewed in the whitepaper, there’s value in having a deeper understanding of the various industry trends, challenges and “call-to-actions,” influencing the implementation of security throughout the development of cloud native applications.

Recognizing the Paradigm Shift

As discussed in our breakdown of the CNCF Annual Report, 55% of respondents released code weekly or more frequently, with 18% releasing code multiple times per day. The continued adoption and implementation of microservices increasingly challenges organizations —and legacy application security tooling— to track software vulnerabilities throughout development. However, as we learned in the webinar with Frank Kim, author of the “Cloud Security and DevSecOps Automation” SANS course, “engineering teams that implement DevSecOps practices and automate security tooling will discover security risks earlier, saving developers time, accelerating release cycles, and shipping more secure and compliant code.”

Furthermore, the business impact of security incidents—such as data breaches, zero day vulnerabilities, and privacy violations—only continue to grow, making it absolutely necessary for organizations to ensure security is a critical part of digital transformations and cloud native application development. Whether you are Solar Winds, Zoom, or any one of a number of other companies affected by data breaches, the stakes are high with consequences ranging from lost customers to bankruptcy. The average data breach costs businesses in the United States $9.05 Million, the Log4j zero day vulnerability is affecting hundreds of millions of apps and devices, and data privacy regulations have resulted in fines of $888 million (USD). Organizations can (literally) no longer afford to ignore the evolving dynamics introduced by cloud native development.

Empowering Developers to be Security-Minded

Developers know how to build applications …. but they need the right tools, insights, processes and culture to build them securely. Unfortunately, ensuring engineering teams shoulder the added responsibility of secure development is one of the most challenging and critical parts of implementing DevSecOps. According to the SANS 2022 DevSecOps Survey: Creating a Culture to Significantly Improve Your Organization’s Security Posture, “management buy-in” was the number one factor contributing to DevSecOps security programs’ success. Organizations require a structured approach to cloud adoption that includes engaging leaders, mobilizing security champions, and ensuring “secure” becomes integral to the “definition of done.”

Bar chart showing poll results of "What do you consider the top five factors that have contributed to your security program's success?" in 2021 and 2022

In addition—by ensuring there’s alignment across engineering, security, and operations—developers are encouraged to “upskill,” and to focus on learning and implementing techniques that helps improve the security of web applications and, more importantly, enables teams to shift security earlier into the design and coding phases. For example, the OWASP Cloud-Native Application Security Top 10 provides information about the most prominent security risks for cloudnative applications, the challenges involved, and how to overcome them. The OWASP Top 10 encourages guidelines like integrating security into the CI/CD pipeline, parameterizing queries, validating all inputs, implementing error handling, improving logging strategy, leveraging the benefit of security frameworks, protecting data at rest and encryption, reducing sensitive data exposure, implementing secure access controls, etc.

Comprehensive, Prioritized, and Actionable Insights

For many reasons—speed and flexibility, most notably—software development has evolved well beyond the contributions of a single developer writing code from scratch. Though the practice of assembling applications from existing libraries and joining them together with custom code is commonplace, it’s not entirely risk free. For example, did you know:

As discussed in Top 5 Evaluation Criteria for Developer Security Platforms, the increasing use of open source software—combined with the agility and flexibility offered with maturing DevOps pipelines—continues to highlight areas where development is outpacing security. For this reason, engineering teams should evaluate tools that can observe the running application to provide developers with contextual, application-aware information. This can include usage information, stack traces, and comprehensive insights spanning application code, dependencies, container images, and web interfaces. The identification and correlation of vulnerabilities and insecure code across application components can support engineering teams in preventing alert fatigue by helping developers discover, prioritize, and remediate the most critical security risks.

Automated Security Testing

When most engineering teams think of adopting DevSecOps, the ability to seamlessly integrate and automate security across development and operations is a must-have feature. However, many traditional application security tools focus on delivering feedback via time-consuming “gates” or checkpoints, introducing overhead and friction for developers. (By the way, this is a really good example of an anti-pattern!) Moving away from this model actually represents a significant shift for security teams accustomed to forcing developers to conform to their processes and tools.

However, by emphasizing technology and support systems that integrate directly into existing CI/CD workflows and toolchains, the goal should be to “automagically” observe the behavior of the running applications during development and testing to provide security insights without requiring engineering teams to waste valuable development time context switching. In fact, going back to the previous challenge, ensuring every feature test becomes a security test helps extend the “You build it, you run it” philosophy of DevOps to discovering and triaging security vulnerabilities.

Knowledge is a Weapon

Our mission at Deepfactor is to help customers—such as InspideCadent, and others— automate and accelerate the process of finding and fixing security vulnerabilities, supply chain security risks, and compliance issues early in development and testing. However, to realize the full-potential of secure cloud native development, it’s important to recognize the aforementioned challenges, trends, and “calls-to-action.” By doing so, organizations can be prepared to avoid the common anti-patterns outlined in this DZone whitepaper. For more information, keep on reading here: Cloud-Native Application Security: Patterns and Anti-Patterns.