Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

06:10 PM

DevSecOps Requires a Different Approach to Security

Breaking applications into microservices means more difficulty in gaining good visibility into runtime security and performance issues, says startup Traceable.

As developers increasingly adopt DevOps and other agile programming models, software security testing is becoming more complex with applications broken down into microservices hosted in a plethora of containers.

Startup Traceable, which emerged from stealth mode on July 14, hopes to address the complexities of distributed software architectures by adapting a runtime-tracing approach used in performance testing to find problems in program code and application programming interfaces (APIs). As more DevOps teams aim to incorporate security, they need tools to help them better understand their applications and find software bugs at runtime, says Jyoti Bansal, CEO and co-founder of the company.  

"You have millions and millions of lines of code that software developers are writing, and you can protect the network as much as you want, but a lot of the code is on a public cloud and exposed through APIs," he says. "If you look at the next generation of attacks — a lot of focus is on business logic that is being exposed to the outside world — the key is to figure out the normal behavior of the application. You need to understand the flow of what is happening."

The launch underscores that evolving methods of development may call for security tools that work in native cloud environments and with microservice architectures. 

At the heart of the issue for developers is the difference between so-called waterfall development, where specifications flow down to developers, and DevOps-style development, in which fast iteration and deployment of changes is based on user stories and a flexible cloud infrastructure. In 2020, 81% of companies have adopted an agile development framework and 75% have specifically focused on the DevOps model, according to the DevOps Institute's "Enterprise DevOps Skills Report." Half of companies find the adoption of DevOps to be difficult. 

Because DevOps calls for each team to take responsibility for the development and deployment of one or more applications, often as microservices, security tools have to deal with those divisions as well, says Sandra Carielli, principal analyst for security and risk at Forrester Research, a business intelligence firm.

"If you are used to dealing with a monolithic application, you know where the entry points are and where it fits in your portfolio, but [with microservices] the number of APIs, the number of endpoints, and the number of communications, and the number of external parties that are making API calls, that all explodes," she says. "There are lots of way for that to go wrong."

Traceable's approach comes from the experiences both founders — Bansal and chief technology officer Sanjay Nagaraj — had at AppDynamics, an application monitoring company sold to Cisco in 2017 for $3.7 billion. More large companies were moving to cloud-native architectures, and attackers' focus on finding new business-logic attacks against applications and API servers opened those applications up to compromise.

To stay ahead of attackers, the developers and security teams had to have good visibility into what was happening with the application, Nagaraj says.

"If you look at the next generation of attacks, all of this is business logic that is being exposed to the outside world, you know have to figure out the normal behavior — you need to understand the flow that is happening — to block the attack," he says. 

Software architectures that rely on breaking applications into microservices require more pervasive tools to gather data on runtime execution and better analysis engines to gain good visibility into the state of the application while it's running, says CEO Bansal.

"You have a very dynamic environment where people who you may not trust could access the application," he adds. "We strongly believe that just testing the software is not enough. You may only catch the 70% to 80% of the low-hanging security vulnerabilities. Once you go live, you still have to make sure the issues you miss are not used."

Forrester's Carielli agrees. API security can be tricky because developers may be leaving a direct route to the application open to attackers, if the service is not correctly secured, making visibility into the application important, she says.

"Not being aware or having full visibility into who is calling the APIs, what functionality is being called, and what potential risks in the specifications — any of those issues can become issues of control, of monitoring, and of security," she says.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for detail on conference information and to register.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...