I recently had the pleasure of participating in a great panel discussion at the San Diego Cyber Security Summit, entitled “Cloud Security — Leveraging Its Strengths and Overcoming Its Vulnerabilities,” alongside representatives from Palo Alto Networks, Gigamon, Sysdig, Lacework, Imperva, and Tufin. After some interesting conversation about identifying, prioritizing, correcting, and avoiding misconfigurations in cloud systems, I turned the panel’s attention toward the upper layers of the cloud stack: the application.
It’s a truism that the road to Hell is paved with good intentions, and that’s certainly the case when it comes to cloud security. You can install all sorts of configuration monitoring tools, cloud log monitoring tools, and traffic monitoring tools, but if you have not properly secured the application running at the top of the stack, you have achieved very little.
Here are my observations.
The cloud is a big place. There are many different processes and practices needed to protect it, and many different types of security controls operating over the different layers of the tech stack. It’s challenging to identify where to focus your efforts, but it’s vital to do so.
The best place to focus is on the area that carries the most risk. Well, where is that? It turns out we have research data that can answer that question. For the second year in a row, research from Forrester shows that most attacks are focused at the top of the stack — the application layer. Forrester surveyed about 500 security professionals, and those who said that their companies had suffered a security breach in the last year identified attacks on software vulnerabilities and supply chain attacks as the leading types of attacks. As Forrester stated plainly in their report: “Applications are once again the top cause of external breaches.”
CISOs are already aware of this. In two separate studies by Ponemon, enterprise managers were asked what their top security objectives were. The percentage of respondents who listed application security as a top priority increased by 14 percentage points over five years between 2015 and 2020. Now, 59% say that application security is a top priority.
And Gartner knows this too. In June 2022, at the Gartner Security and Risk Management Summit, Gartner said that managing open-source software is the easiest and most impactful thing you can do to improve your application security program. They singled out software composition analysis (SCA) as the type of application security that’s particularly beneficial.
Most organizations are now using DevOps to create cloud applications, so for security purposes, the process that you need to implement is called DevSecOps. DevSecOps is simply the process of injecting security into your existing DevOps processes, into the developer’s existing workflow, using automated techniques that don’t slow down the development process.
Let’s face it: developers outnumber security professionals by 100 to 1. You don’t have the budget to hire more security people, and even if you did, you wouldn’t be able to find them. There is a huge skills shortage. But developers don’t want to become security experts. They want to know the bare minimum that allows them to ship code that passes the security bar. Their passion is coding, and they are incentivized to ship code on time. A “security champion program” is designed to work with developers who don’t have formal cybersecurity experience. Security champions are members of the development team who act as eyes and ears for the security team. They are embedded within the development teams to spot potential issues that require the expertise of security. They know the specific processes used by their team, so they are in the best position to suggest how security can be implemented for that team.
You can optimize the adoption of security practices by making it as simple as possible for developers to use them. And two key ways to achieve this are to integrate security into developers’ native environments and automate security processes. The first of these means that developers don’t have to interrupt their workflow, step out of their development environment into a separate security tool, and learn an additional UI, to consistently apply security. The second — automation — accelerates security detection and remediation by making them instantaneous, minimizing the effort, and eradicating any inconvenience of implementing these processes. The newest generation of application security tools tells developers almost immediately if there’s any issue, for example, if they have added a vulnerable open source package to their project. The tool presents an alert, tells developers what the issue is, and suggests how they can fix it. The best application security tools will automatically fix the security problem, for example, by creating a pull request. So, look for completely automated application security tools, which are the latest wave of tools that are coming onto the market. I call these tools “self-driving AppSec”.
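To make the "detect, alert, auto-fix" loop concrete, here is a small added illustration (not code from any vendor's tool): a toy software composition analysis check that reads a pinned Python requirements file, flags packages covered by an advisory, and produces the remediated file that an automated fix pull request would carry. The package names, versions and advisory table are constructed for the example; a real tool would consult a live vulnerability database and open the PR itself.

```python
"""Toy SCA check with an automatic fix (added illustration, not a real tool)."""

# Constructed advisory data: package -> (last affected version, fixed version).
# A pin <= last affected version is vulnerable; the fix bumps it to fixed version.
ADVISORIES = {
    "examplelib": ("1.4.2", "1.4.3"),   # hypothetical package and versions
    "otherpkg": ("2.0.0", "2.1.0"),     # hypothetical package and versions
}

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Read 'name==version' lines; skip blanks, comments and unpinned entries."""
    pins = []
    for line in text.splitlines():
        code = line.split("#", 1)[0].strip()
        if "==" not in code:
            continue
        name, version = (s.strip() for s in code.split("==", 1))
        pins.append((name.lower(), version))
    return pins

def find_vulnerable(pins):
    """Return (name, current_version, fixed_version) for each pin an advisory covers."""
    findings = []
    for name, version in pins:
        if name in ADVISORIES:
            last_affected, fixed = ADVISORIES[name]
            if parse_version(version) <= parse_version(last_affected):
                findings.append((name, version, fixed))
    return findings

def remediate(text):
    """Produce the requirements file a fix PR would contain: bump vulnerable pins."""
    fixes = {name: fixed for name, _, fixed in find_vulnerable(parse_requirements(text))}
    out = []
    for line in text.splitlines():
        code = line.split("#", 1)[0].strip()
        if "==" in code:
            name = code.split("==", 1)[0].strip().lower()
            if name in fixes:
                line = f"{name}=={fixes[name]}"   # rewrite only the vulnerable pin
        out.append(line)
    return "\n".join(out)

# Constructed sample input: one vulnerable pin, one already-fixed, one unaffected.
SAMPLE = "requests==2.31.0\nexamplelib==1.4.2  # pinned last year\notherpkg==2.1.0\n"
```

In a CI pipeline, `find_vulnerable` is the alert step that runs on every push, and the diff between the input and `remediate(SAMPLE)` is what the tool would open as a pull request for the developer to review and merge.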
Some members of the audience, as well as the moderator of the panel discussion, were visibly surprised to hear that application security could be completely automated. But it stands to reason that application security in the cloud is following the same developmental trajectory as many other technologies. Take self-driving cars, for example. We know this technology is on its way, so is it such a stretch to think that self-driving application security is possible? Much of the software we use already has integrated automation, such as automated spell checks and grammar checks, and now with ChatGPT, there are tools to perform much more complex functions automatically. Application security has already embarked on its transformation to automation. The first generation of self-driving application security tools is now coming onto the market, and I predict that it’s just a matter of time before automated AppSec becomes ubiquitous.