The modern approach to application security includes strategies and technologies that help development teams prioritize the vulnerabilities they should address and fix. By giving these teams tools that efficiently identify security vulnerabilities that present the biggest risk, they can address them as quickly as possible.
Ori Bach, EVP of Product at Mend, and Harry Mower, Director, AWS CodeSuite, got together for a fireside chat to discuss how to implement these strategies. Some of their key takeaways include the following:
Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform, and AWS customers take advantage of all the cloud has to offer by building applications that meet rapidly changing business requirements. As part of the AWS Shared Responsibility Model, customers are responsible for securing their apps in the cloud, while AWS secures the cloud infrastructure.
Mend is an APN Advanced Tier Technology Partner that partners with AWS to provide end-to-end cloud security solutions for customers. We ensure that both open source and custom code applications running on AWS are secured using a remediation-first approach for faster and more confident deployments.
Software development is a dynamic discipline that undergoes constant change. This has implications for application security. “When we talk about modern software development, we’re really talking about cloud-native application architectures. These applications are more often assembled than they are written and built from open-source components,” Bach said. “We estimate that open-source components make up 80 percent of all components used in applications today. This creates a unique challenge of understanding what risks are being introduced by those third-party dependencies. For example, most people that were affected by Log4J didn’t use it directly, but instead used another component that leveraged the vulnerability library.”
Given the high stakes involved, Mower noted that application security should be a primary concern of any IT security department. Implementing a modern application security program should start with the following best practices:
Effective detection. The basis of a good AppSec program is an effective scanning strategy,” Bach said. “By running tools such as our own in your CI/CD pipelines or code repository, you can easily find out how vulnerable your software is. We have found that running scans before deployment pipeline is especially effective.”
Integration. For Bach, one of the most important elements is an integrated approach that bridges the gap between security operations and development. Moreover, it should free developers to do what they do best — deliver quality code, faster.
Automation. Every stage of the process, from detection to prioritization and remediation, needs to be automated with the right tools. “Tools that automatically detect, prioritize, and remediate vulnerabilities lead to measurable benefits across the enterprise,” Bach said. “For example, organizations using the Mend security platform reduce the software attack surface by as much as 90 percent, decrease the number of security alerts by as much as 85 percent, and save their developers up to 80 percent of the time they would have otherwise spent remediating app security issues.”
Prioritization. While it’s important to detect as many security issues as possible in the application, not all vulnerabilities are created equal, and it’s unrealistic to attempt to fix them all. “A modern AppSec approach includes strategies and technologies that help teams prioritize — giving them tools to zero in on the security vulnerabilities that present the biggest risk,” Bach said.
Remediation. Here, Bach recommended technologies that do two important things. First, these tools must integrate seamlessly into the development cycle to help remediate issues when they are easier and cheaper to fix. And second, they should update vulnerable versions automatically..
By bringing these elements together, companies can increase the pace of development and delivery to meet critical business needs without compromising on security.”
The last part of the chat focused on the importance of partnering with a trusted cloud provider like AWS. “We’re really proud of the strategic collaboration between our two companies and how it helps our shared customers build a modern AppSec strategy,” Bach said.
The two agreed that the Mend-AWS collaboration provides unique value. “As you know, AWS takes security very seriously, and Mend’s offerings complement native AWS services across a number of solution areas,” Mower said. “For example, Mend integrates seamlessly with the existing AWS DevOps environments and CI/CD pipelines. Mend also works with GitHub as well as AWS dev tools — and as I understand it, more integrations with AWS developer tools are coming soon. These integrations reduce complexity and increase developer velocity. Mend also helps customers meet their obligations as part of the AWS Shared Responsibility Model.”
In short, Mend is there every step of the way to eliminate the burden of application security by providing solutions that meet the unique needs of both open source and custom code builds. Our integrations with key AWS services across the application development process simplify application security, making it easier for customers to manage their responsibilities and ship software and applications quickly and more securely. Even better, Mend is available through AWS Marketplace, making it easy for customers to access, deploy, and onboard our services.