Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/14/2020
06:10 PM
100%
0%

DevSecOps Requires a Different Approach to Security

Breaking applications into microservices means more difficulty in gaining good visibility into runtime security and performance issues, says startup Traceable.

As developers increasingly adopt DevOps and other agile programming models, software security testing is becoming more complex with applications broken down into microservices hosted in a plethora of containers.

Startup Traceable, which emerged from stealth mode on July 14, hopes to address the complexities of distributed software architectures by adapting a runtime-tracing approach used in performance testing to find problems in program code and application programming interfaces (APIs). As more DevOps teams aim to incorporate security, they need tools to help them better understand their applications and find software bugs at runtime, says Jyoti Bansal, CEO and co-founder of the company.  

"You have millions and millions of lines of code that software developers are writing, and you can protect the network as much as you want, but a lot of the code is on a public cloud and exposed through APIs," he says. "If you look at the next generation of attacks — a lot of focus is on business logic that is being exposed to the outside world — the key is to figure out the normal behavior of the application. You need to understand the flow of what is happening."

The launch underscores that evolving methods of development may call for security tools that work in native cloud environments and with microservice architectures. 

At the heart of the issue for developers is the difference between so-called waterfall development, where specifications flow down to developers, and DevOps-style development, in which fast iteration and deployment of changes is based on user stories and a flexible cloud infrastructure. In 2020, 81% of companies have adopted an agile development framework and 75% have specifically focused on the DevOps model, according to the DevOps Institute's "Enterprise DevOps Skills Report." Half of companies find the adoption of DevOps to be difficult. 

Because DevOps calls for each team to take responsibility for the development and deployment of one or more applications, often as microservices, security tools have to deal with those divisions as well, says Sandra Carielli, principal analyst for security and risk at Forrester Research, a business intelligence firm.

"If you are used to dealing with a monolithic application, you know where the entry points are and where it fits in your portfolio, but [with microservices] the number of APIs, the number of endpoints, and the number of communications, and the number of external parties that are making API calls, that all explodes," she says. "There are lots of way for that to go wrong."

Traceable's approach comes from the experiences both founders — Bansal and chief technology officer Sanjay Nagaraj — had at AppDynamics, an application monitoring company sold to Cisco in 2017 for $3.7 billion. More large companies were moving to cloud-native architectures, and attackers' focus on finding new business-logic attacks against applications and API servers opened those applications up to compromise.

To stay ahead of attackers, the developers and security teams had to have good visibility into what was happening with the application, Nagaraj says.

"If you look at the next generation of attacks, all of this is business logic that is being exposed to the outside world, you know have to figure out the normal behavior — you need to understand the flow that is happening — to block the attack," he says. 

Software architectures that rely on breaking applications into microservices require more pervasive tools to gather data on runtime execution and better analysis engines to gain good visibility into the state of the application while it's running, says CEO Bansal.

"You have a very dynamic environment where people who you may not trust could access the application," he adds. "We strongly believe that just testing the software is not enough. You may only catch the 70% to 80% of the low-hanging security vulnerabilities. Once you go live, you still have to make sure the issues you miss are not used."

Forrester's Carielli agrees. API security can be tricky because developers may be leaving a direct route to the application open to attackers, if the service is not correctly secured, making visibility into the application important, she says.

"Not being aware or having full visibility into who is calling the APIs, what functionality is being called, and what potential risks in the specifications — any of those issues can become issues of control, of monitoring, and of security," she says.

Related Content:

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for detail on conference information and to register.

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...