Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/14/2020
06:10 PM
100%
0%

DevSecOps Requires a Different Approach to Security

Breaking applications into microservices means more difficulty in gaining good visibility into runtime security and performance issues, says startup Traceable.

As developers increasingly adopt DevOps and other agile programming models, software security testing is becoming more complex with applications broken down into microservices hosted in a plethora of containers.

Startup Traceable, which emerged from stealth mode on July 14, hopes to address the complexities of distributed software architectures by adapting a runtime-tracing approach used in performance testing to find problems in program code and application programming interfaces (APIs). As more DevOps teams aim to incorporate security, they need tools to help them better understand their applications and find software bugs at runtime, says Jyoti Bansal, CEO and co-founder of the company.  

"You have millions and millions of lines of code that software developers are writing, and you can protect the network as much as you want, but a lot of the code is on a public cloud and exposed through APIs," he says. "If you look at the next generation of attacks — a lot of focus is on business logic that is being exposed to the outside world — the key is to figure out the normal behavior of the application. You need to understand the flow of what is happening."

The launch underscores that evolving methods of development may call for security tools that work in native cloud environments and with microservice architectures. 

At the heart of the issue for developers is the difference between so-called waterfall development, where specifications flow down to developers, and DevOps-style development, in which fast iteration and deployment of changes is based on user stories and a flexible cloud infrastructure. In 2020, 81% of companies have adopted an agile development framework and 75% have specifically focused on the DevOps model, according to the DevOps Institute's "Enterprise DevOps Skills Report." Half of companies find the adoption of DevOps to be difficult. 

Because DevOps calls for each team to take responsibility for the development and deployment of one or more applications, often as microservices, security tools have to deal with those divisions as well, says Sandra Carielli, principal analyst for security and risk at Forrester Research, a business intelligence firm.

"If you are used to dealing with a monolithic application, you know where the entry points are and where it fits in your portfolio, but [with microservices] the number of APIs, the number of endpoints, and the number of communications, and the number of external parties that are making API calls, that all explodes," she says. "There are lots of way for that to go wrong."

Traceable's approach comes from the experiences both founders — Bansal and chief technology officer Sanjay Nagaraj — had at AppDynamics, an application monitoring company sold to Cisco in 2017 for $3.7 billion. More large companies were moving to cloud-native architectures, and attackers' focus on finding new business-logic attacks against applications and API servers opened those applications up to compromise.

To stay ahead of attackers, the developers and security teams had to have good visibility into what was happening with the application, Nagaraj says.

"If you look at the next generation of attacks, all of this is business logic that is being exposed to the outside world, you know have to figure out the normal behavior — you need to understand the flow that is happening — to block the attack," he says. 

Software architectures that rely on breaking applications into microservices require more pervasive tools to gather data on runtime execution and better analysis engines to gain good visibility into the state of the application while it's running, says CEO Bansal.

"You have a very dynamic environment where people who you may not trust could access the application," he adds. "We strongly believe that just testing the software is not enough. You may only catch the 70% to 80% of the low-hanging security vulnerabilities. Once you go live, you still have to make sure the issues you miss are not used."

Forrester's Carielli agrees. API security can be tricky because developers may be leaving a direct route to the application open to attackers, if the service is not correctly secured, making visibility into the application important, she says.

"Not being aware or having full visibility into who is calling the APIs, what functionality is being called, and what potential risks in the specifications — any of those issues can become issues of control, of monitoring, and of security," she says.

Related Content:

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for detail on conference information and to register.

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27621
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
CVE-2020-27620
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-27619
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVE-2020-17454
PUBLISHED: 2020-10-21
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal b...
CVE-2020-24421
PUBLISHED: 2020-10-21
Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.