DEVOPSdigest

TechTarget's Enterprise Strategy Group (ESG) recently surveyed 350 IT and cybersecurity professionals and application developers to create a report called Modernizing Application Security to Scale for Cloud-Native Development. The survey results and analysis offer insights into the strategies, tools, and investments security and development teams are leveraging to address modern AppSec. It also generated some compelling data related to AppSec teams' challenges in the face of a rapidly changing development environment.

When asked to identify their top challenges for AppSec teams supporting cloud-native dev processes, "understanding developer environments and assets to effectively manage security" was one of the top three responses provided. With the explosion of innovations like APIs, multi-cloud deployments, containers, and AI-generated code, the attack surface has grown exponentially in recent years, and security teams are struggling to achieve the visibility and context required to effectively mitigate risk.

More evidence of the struggle to keep up with changing development practices emerged in the survey responses about the speed of development and infrastructure as code.

Speed of Development

Software development cycles today run at a lightning-fast pace and often leave security teams struggling to keep up. When asked about the security challenges with faster development cycles, survey respondents cited the following three areas as their top challenges:

■ Prioritizing needed remediation based on business criticality, reachability, or exploitability (35%)

■ Security lacks visibility and control in development processes (34%)

■ Software is released without going through security checks and/or testing (34%)

With the intense pace of development, chasing down each and every vulnerability becomes unfeasible – it is therefore not surprising to see prioritizing remediation top the list of challenges. Security teams can't afford to spend time, money, and effort fixing something that doesn't actually represent real risk to the organization.

What's missing is contextual prioritization of the overall development environment in order to select which vulnerabilities to fix first based on the impact to the business. Security teams should aim to shift the focus to overall product security rather than creating silos for cloud security, application security, and other components of the software supply chain. They should also seek out a clear view of the full software factory, its assets, its owners, its security controls, its vulnerabilities, and how all are related.

Increasing IaC Misconfigurations

With the software development factory becoming increasingly complex and automated, there are increasing opportunities for misconfigurations to create risk, and AppSec teams are struggling to manage that increase.

For example, the misconfiguration of build servers is a common problem that creates significant vulnerabilities. Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren't treated as critical from a security perspective. In many cases, these systems, like Jenkins, for example, are misconfigured or otherwise vulnerable and unpatched.

Another increasingly common risk is infrastructure as code (IaC) misconfigurations.

Infrastructure as code use is exploding as developers look for ways to move faster. With IaC, developers can provision their own infrastructure without waiting for IT or operations. However, with increased use comes increased chance of misconfigurations. In fact, 67% of survey respondents noted that they are experiencing an increase in IaC template misconfigurations. These misconfigurations are especially dangerous because one flaw can proliferate easily and widely.

Examples of these misconfigurations include:​ 

■ Not using the latest version of TLS ​

■ Relying on username/passwords instead of SSH keys​

■ Creating cloud assets with excessive permissions, i.e., S3 buckets with read/write permissions

Development tool misconfigurations often stem from privileges issues. Many tools are over-privileged because they're easier to integrate if users have full access. To avoid this in IaC, security teams should pay special attention to access controls in IaC definitions:​ 

■ Determine what users need to do, then craft policies allowing them to perform only those tasks.​ 

■ Do not allow all users full administrative privileges.​

■ Start with a minimum set of permissions and grant additional permissions as necessary.​ 

Context and Clarity

It's clear that modern software security requires better context and more clarity. With the speed and complexity of development environments, security teams need visibility that allows them to make sense of the complexity and move at the speed of development, but current application security tools are falling short.

With different application security tools scanning code in different ways across the development lifecycle, most AppSec tools generate a lot of results without a lot of context. Without contextual risk ranking among applications and vulnerabilities, either "everything" is a priority, or "nothing" is a priority.

Additionally, AppSec teams need the kind of visibility that is standard for endpoint and network protection — where security teams collect a complete list of assets and a map of the environment to know what needs to be protected and where proper controls should be put in place.

For example, creating an automated SDLC asset inventory for development pipelines allows security teams to apply security policies to that inventory and check for risky violations — quickly and accurately. Threat modeling will then allow the team to identify risky implementations before starting development.