As developers increasingly adopt DevOps and other agile programming models, software security testing is becoming more complex with applications broken down into microservices hosted in a plethora of containers.
Startup Traceable, which emerged from stealth mode on July 14, hopes to address the complexities of distributed software architectures by adapting a runtime-tracing approach used in performance testing to find problems in program code and application programming interfaces (APIs). As more DevOps teams aim to incorporate security, they need tools to help them better understand their applications and find software bugs at runtime, says Jyoti Bansal, CEO and co-founder of the company.
"You have millions and millions of lines of code that software developers are writing, and you can protect the network as much as you want, but a lot of the code is on a public cloud and exposed through APIs," he says. "If you look at the next generation of attacks — a lot of focus is on business logic that is being exposed to the outside world — the key is to figure out the normal behavior of the application. You need to understand the flow of what is happening."
The launch underscores that evolving methods of development may call for security tools that work in native cloud environments and with microservice architectures.
At the heart of the issue for developers is the difference between so-called waterfall development, where specifications flow down to developers, and DevOps-style development, in which fast iteration and deployment of changes is based on user stories and a flexible cloud infrastructure. In 2020, 81% of companies have adopted an agile development framework and 75% have specifically focused on the DevOps model, according to the DevOps Institute's "Enterprise DevOps Skills Report." Half of companies find the adoption of DevOps to be difficult.
Because DevOps calls for each team to take responsibility for the development and deployment of one or more applications, often as microservices, security tools have to deal with those divisions as well, says Sandra Carielli, principal analyst for security and risk at Forrester Research, a business intelligence firm.
"If you are used to dealing with a monolithic application, you know where the entry points are and where it fits in your portfolio, but [with microservices] the number of APIs, the number of endpoints, and the number of communications, and the number of external parties that are making API calls, that all explodes," she says. "There are lots of way for that to go wrong."
Traceable's approach comes from the experiences both founders — Bansal and chief technology officer Sanjay Nagaraj — had at AppDynamics, an application monitoring company sold to Cisco in 2017 for $3.7 billion. More large companies were moving to cloud-native architectures, and attackers' focus on finding new business-logic attacks against applications and API servers opened those applications up to compromise.
To stay ahead of attackers, the developers and security teams had to have good visibility into what was happening with the application, Nagaraj says.
"If you look at the next generation of attacks, all of this is business logic that is being exposed to the outside world, you know have to figure out the normal behavior — you need to understand the flow that is happening — to block the attack," he says.
Software architectures that rely on breaking applications into microservices require more pervasive tools to gather data on runtime execution and better analysis engines to gain good visibility into the state of the application while it's running, says CEO Bansal.
"You have a very dynamic environment where people who you may not trust could access the application," he adds. "We strongly believe that just testing the software is not enough. You may only catch the 70% to 80% of the low-hanging security vulnerabilities. Once you go live, you still have to make sure the issues you miss are not used."
Forrester's Carielli agrees. API security can be tricky because developers may be leaving a direct route to the application open to attackers, if the service is not correctly secured, making visibility into the application important, she says.
"Not being aware or having full visibility into who is calling the APIs, what functionality is being called, and what potential risks in the specifications — any of those issues can become issues of control, of monitoring, and of security," she says.