Over the last 18 months, the global workforce has experienced a seismic digital shift, forcing many organizations to use the cloud to maintain business continuity. According to a report, the growth in cloud services has been accelerating, with forecasts that the cloud market could eventually be worth $1tn.
Part of this shift has been the evolution of what’s called “cloud-native.” A modern approach to building and running applications, cloud-native has gone from a marketing term to a highly desirable and useful architecture choice. Whether it’s yielding the benefits around the design or the building and deployment of applications, it’s easy to see why it’s become the default approach for many organizations.
Although convenient, cloud-native applications form an intricate, layered attack surface that is both under-secured and widely misunderstood. As a result, they have introduced a new series of challenges for application security, making it imperative for organizations to secure their interconnected, cloud-based solutions effectively.
With investment in digital technologies underpinned by cloud solutions set to increase, how can organizations and their developers creating cloud-native solutions ensure the highest levels of security?
Securing the New Hybrid Ecosystem
We know that in today’s modern software era, with the continued explosion of emerging technologies, digital transformation journeys and the move to cloud-native, there have been increasing demands on developer teams to create secure code.
Here are three best practice steps for developers to follow in order to effectively secure their interconnected, cloud-based solutions:
- Test code from the first line: No portion of a codebase is inherently secure, and every line needs to be inspected from the beginning of development to ensure vulnerabilities are found and addressed. It is also important to remember that when new features and functionalities are added to the application, the introduced code blocks must be given the same time and attention as all other pieces in the bigger software puzzle.
- Ensure each component is secure: It’s vital to test everything, including and especially third-party components and APIs, as it’s common for vulnerabilities to exist in these environments. A “trust and verify” approach is paramount, meaning organizations trust but make a concentrated effort to verify and validate third-party solutions and components before using them. As we continue to build applications from a diverse set of components, blindly trusting that third-party technologies are secure is a recipe for disaster.
- Test the infrastructure as code (IaC): With the transition to the cloud came new challenges for software developers, namely the abundance of IaC. This is evidenced by our survey, which found that one in six developers aren’t performing any security testing when building cloud-native applications, which significantly impacts the security of their applications. Therefore, just as you take careful steps to test and secure applications, the same must be done for IaC.
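The IaC testing step above, as an added example that is not part of the original article: a minimal policy check over a Kubernetes Deployment manifest, reporting the weak settings and producing the corrected version. The manifest, workload name and image names are constructed, and the pinned digest is a placeholder.

```python
import json

# Constructed sample: a Kubernetes Deployment written as JSON (the API accepts JSON as well as YAML).
# It deliberately carries the weak settings the checks below look for.
WEAK_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "api", "image": "example.invalid/payments:latest",
                        "securityContext": {"privileged": True}}]}}}})

# Container-level checks keyed by finding id; each returns True when the container fails it.
CONTAINER_CHECKS = {
    "privileged": lambda c: c.get("securityContext", {}).get("privileged") is True,
    "allowPrivilegeEscalation": lambda c: c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False,
    "runAsNonRoot": lambda c: c.get("securityContext", {}).get("runAsNonRoot") is not True,
    "readOnlyRootFilesystem": lambda c: c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True,
    "resourceLimits": lambda c: not c.get("resources", {}).get("limits"),
    "mutableImageTag": lambda c: ":" not in c.get("image", "") or c["image"].endswith(":latest"),
}

def pod_spec(manifest: dict) -> dict:
    """Locate the pod spec for a bare Pod or for a workload that wraps a pod template."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def scan(manifest_text: str) -> list[str]:
    """Return findings such as 'api: privileged'; an empty list means every check passed."""
    pod = pod_spec(json.loads(manifest_text))
    findings = ["pod: hostNetwork"] if pod.get("hostNetwork") is True else []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        for check_id, failed in CONTAINER_CHECKS.items():
            if failed(c):
                findings.append(f"{c.get('name', '?')}: {check_id}")
    return findings

def hardened(manifest_text: str) -> str:
    """Return the same workload with the weak settings replaced by restrictive ones."""
    manifest = json.loads(manifest_text)
    pod = pod_spec(manifest)
    pod["hostNetwork"] = False
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        c["securityContext"] = {"privileged": False, "allowPrivilegeEscalation": False,
                                "runAsNonRoot": True, "readOnlyRootFilesystem": True}
        c.setdefault("resources", {})["limits"] = {"cpu": "500m", "memory": "256Mi"}
        c["image"] = c.get("image", "").split(":")[0] + "@sha256:PLACEHOLDER_DIGEST"  # pin by digest (placeholder)
    return json.dumps(manifest)

if __name__ == "__main__":
    print(scan(WEAK_DEPLOYMENT))            # seven findings
    print(scan(hardened(WEAK_DEPLOYMENT)))  # []
```

Wiring `scan` into the pipeline that builds the image, failing the job on any finding, is what "testing IaC from the first line" amounts to in practice.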
Common Pitfalls Which Hinder Progress
Time and time again, we have seen examples of software full of exploitable vulnerabilities being released and subsequently abused by malicious actors. Moreover, new software use cases are being rushed to market every day, further expanding the attack surface at an unprecedented pace.
There are several pitfalls that developers fall for, which hinder their progress and allow attackers easy access to their solutions. These include:
- Not embedding application security testing (AST) early enough in the development process: AST solutions enable security to become an inherent part of development. However, developers frequently implement security solutions only after development is completed. This perspective needs to change, as it is cheaper and easier to fix security vulnerabilities earlier in the lifecycle.
- Not understanding the nuances between traditional app sec and cloud-native security: To properly secure cloud-native apps, these nuances must be understood. Generally, traditional app sec is more contained, whereas with cloud-native, many more components and connections interact and “speak” to one another to make it all work. While this makes for more dynamic applications, it also creates an exponentially larger attack surface. Security teams and software developers are now tasked with learning to build applications in a completely new environment while evolving how they test for security vulnerabilities, which may occur in any incorporated cloud component.
- Dispersed security responsibilities: The ownership of security has changed hands, too. With dispersed code and responsibility for digital transformation projects sitting across multiple teams also come dispersed security responsibilities. Now, developers, DevOps and IT teams need to take on this responsibility together. This shared ownership may be complex, but it’s necessary given how easy it is for security to be an afterthought.
Cloud-native is the future. Undoubtedly, it is a central part of software development in the brave new world we find ourselves living in. However, with the additional challenges it brings and the pace at which it’s being implemented, organizations must consider the security practices needed to ensure developers see security as a vital step in software development rather than an added layer of complexity.
With greater awareness of the challenges the new hybrid ecosystem brings, and by adopting the aforementioned best practices to overcome these obstacles, organizations can ensure their teams are utilizing the full benefits of cloud-native, while significantly lowering the risk.