Cloud Native AppSec Requires a Continuous Application Security Approach

by in CyberRes

Application security is in a race to keep pace with rapidly evolving application development practices. Last month the Fortify team released a white paper on the Application Security Top Trends for 2021. I want to focus on one of the trends that they identified. Specifically, the trend of cloud native AppSec.

Cloud-first application deployment strategies are becoming more common

Cloud Native AppSec Requires a Continuous Application Security Approach.pngDevelopers are under pressure to build and ship applications faster than ever, and to update applications frequently through automated processes in their dev tool chains. Many dev teams are building on their success with Agile development by integrating Hybrid IT with DevOps to improve speed and flexibility. This is reshaping the way enterprises build and deploy business applications.

A “Cloud first” strategy is common for agile, high performing enterprises. ESG research reported 39% of organizations they surveyed in 2019 were taking a cloud first approach to app development, and 47% consider cloud and on-premises selections equally when weighing application deployment options. The pandemic has likely increased those numbers.

The Cloud Native Computing Foundation (CNCF) defines cloud native as the technologies that

“…empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.”

A legacy approach to AppSec governance is ill suited for these modern, cloud-native development environments. CISOs need to implement a strategy to proactively work with dev/ops teams to evolve and adequately mitigate application risks in this new reality. Given the cloud’s dynamic environment, we believe a continuous application security approach is needed.

Cloud-Native AppSec

Adapting the application security testing (ASTing) process into these cloud development practices with the goal of identifying weaknesses before changes ever reach production is difficult given the velocity of development.

Cloud-based AppSec is a set of defined policies, processes, controls, and technology governing information exchanges in cloud instances. For example, processes should exist to have security bless blueprints and methods that’ll be regularly reused by dev teams. While cloud computing offloads many tasks to the cloud service provider, the end user organization retains responsibility for securing the data and apps (in IaaS and PaaS) that go into the cloud – security is ultimately a shared responsibility. Integrating security checks to identify vulnerabilities introduced during development is also important.

Assessing application risks involves various testing methods of identifying security weaknesses in applications, APIs, and containers, using SAST, DAST, MAST, SCA OSS, and IAST. Those testing methods can apply to on-prem, hybrid IT, or cloud-native development environments. To be successful with ASTing in modern dev, the key is to meet developer needs and to make it as seamless as possible for them. We need to integrate the AST tools into dev tool chains they are using (on-prem or in cloud), automate testing to the fullest and in such a way as to provide continuous feedback on an application’s security posture.

Fortify supports CSP Dev Tool chain Ecosystems

Fortify solutions can integrate with dev tool ecosystems, including developer IDEs, CI/CD pipelines, source code repositories, and ticketing systems. We have deployment architectures that can be implemented on-premise or on-cloud which offers continuous ASTing using SAST and DAST coupled with SCA OSS. SAST Rulepacks should detect vulnerability categories specific to the cloud-provider’s frameworks and cloud-native apps out of the box. For the dominate cloud service providers,

  • Fortify support of AWS includes SAST and DAST that can be easily deployed on EC2 instances and be integrated with AWS code pipelines. Fortify on Demand (FoD) SaaS is available on the AWS marketplace too.
  • Likewise, Fortify SAST & DAST can be deployed in Microsoft Azure VM instances and be integrated with ADO release pipelines. You can also use Fortify Azure build tasks in your continuous integration builds to identify to app vulnerabilities. Check out this Fortify unplugged video on FoD & Azure DevOps.
  • Fortify also supports the Google Cloud Platform (GCP) and Google’s App engine requests for SAST and DAST scans during the development lifecycle.

ASTing supporting Cloud-native apps is just one trends that the Fortify team will highlight in the 20 April Webinar, Top Application Security Trends of 2021. It’s not too late to register, or you can view on-demand after the April 20 date. Also, check out this Micro Focus Universe on-demand video, AppSec in a Cloud First Culture.

 

More information:

Join our Fortify Community. Have technical questions about Application Security products? Visit the Fortify discussion forum.  Keep up with the latest Tips & Info about Application Security. We’d love to hear your thoughts on this blog. Log in or register to comment below.

Labels:

Application security
Anonymous