Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

06:10 PM

DevSecOps Requires a Different Approach to Security

Breaking applications into microservices means more difficulty in gaining good visibility into runtime security and performance issues, says startup Traceable.

As developers increasingly adopt DevOps and other agile programming models, software security testing is becoming more complex with applications broken down into microservices hosted in a plethora of containers.

Startup Traceable, which emerged from stealth mode on July 14, hopes to address the complexities of distributed software architectures by adapting a runtime-tracing approach used in performance testing to find problems in program code and application programming interfaces (APIs). As more DevOps teams aim to incorporate security, they need tools to help them better understand their applications and find software bugs at runtime, says Jyoti Bansal, CEO and co-founder of the company.  

"You have millions and millions of lines of code that software developers are writing, and you can protect the network as much as you want, but a lot of the code is on a public cloud and exposed through APIs," he says. "If you look at the next generation of attacks — a lot of focus is on business logic that is being exposed to the outside world — the key is to figure out the normal behavior of the application. You need to understand the flow of what is happening."

The launch underscores that evolving methods of development may call for security tools that work in native cloud environments and with microservice architectures. 

At the heart of the issue for developers is the difference between so-called waterfall development, where specifications flow down to developers, and DevOps-style development, in which fast iteration and deployment of changes is based on user stories and a flexible cloud infrastructure. In 2020, 81% of companies have adopted an agile development framework and 75% have specifically focused on the DevOps model, according to the DevOps Institute's "Enterprise DevOps Skills Report." Half of companies find the adoption of DevOps to be difficult. 

Because DevOps calls for each team to take responsibility for the development and deployment of one or more applications, often as microservices, security tools have to deal with those divisions as well, says Sandra Carielli, principal analyst for security and risk at Forrester Research, a business intelligence firm.

"If you are used to dealing with a monolithic application, you know where the entry points are and where it fits in your portfolio, but [with microservices] the number of APIs, the number of endpoints, and the number of communications, and the number of external parties that are making API calls, that all explodes," she says. "There are lots of way for that to go wrong."

Traceable's approach comes from the experiences both founders — Bansal and chief technology officer Sanjay Nagaraj — had at AppDynamics, an application monitoring company sold to Cisco in 2017 for $3.7 billion. More large companies were moving to cloud-native architectures, and attackers' focus on finding new business-logic attacks against applications and API servers opened those applications up to compromise.

To stay ahead of attackers, the developers and security teams had to have good visibility into what was happening with the application, Nagaraj says.

"If you look at the next generation of attacks, all of this is business logic that is being exposed to the outside world, you know have to figure out the normal behavior — you need to understand the flow that is happening — to block the attack," he says. 

Software architectures that rely on breaking applications into microservices require more pervasive tools to gather data on runtime execution and better analysis engines to gain good visibility into the state of the application while it's running, says CEO Bansal.

"You have a very dynamic environment where people who you may not trust could access the application," he adds. "We strongly believe that just testing the software is not enough. You may only catch the 70% to 80% of the low-hanging security vulnerabilities. Once you go live, you still have to make sure the issues you miss are not used."

Forrester's Carielli agrees. API security can be tricky because developers may be leaving a direct route to the application open to attackers, if the service is not correctly secured, making visibility into the application important, she says.

"Not being aware or having full visibility into who is calling the APIs, what functionality is being called, and what potential risks in the specifications — any of those issues can become issues of control, of monitoring, and of security," she says.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for detail on conference information and to register.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-20
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server ...
PUBLISHED: 2021-01-20
Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net before version 2.8.0 has a vulnerability in which can allow an attacker to take over any host in the cluster. Weave Net is suppli...
PUBLISHED: 2021-01-20
A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to read sensitive database files on an affected system. The vulnerability is due to insufficient user authorization. An attacker could exploit this vulnerability by accessing the vshell of an af...
PUBLISHED: 2021-01-20
Multiple vulnerabilities in Cisco SD-WAN products could allow an unauthenticated, remote attacker to execute denial of service (DoS) attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
PUBLISHED: 2021-01-20
Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.