Application Security in the Microservices Era
As organizations break their applications down into microservices, typically deployed on containers, the responsibility for securing these environments is shifting as well, exposing companies to a broader range of security risks and gaps in protection.
Indeed, we are at a cultural inflection point between the role of DevOps and the CISO. While CISOs are responsible for keeping their organization secure at all costs, for DevOps teams agility is what matters to the business, so they often lean towards a 'good enough' approach (and sometimes a 'hell no!' approach) to security.
So, what does this mean for businesses and the cybersecurity landscape?
We focused our 2019 market research on the DevOps and DevSecOps community; we wanted to see how common DevOps teams have become and how much influence they have on information security decision making. To this end, we surveyed nearly 300 professionals from businesses of all sizes worldwide. What follows is a summary of our findings.
Businesses Embrace Emerging Technologies and Concepts
Enterprises seem to be very aware that, as part of their digital transformation, the introduction of new frameworks requires an open mind (and wallet) when it comes to new solutions. And they’re trying and/or acquiring additional security measures.
For example, 67% of surveyed businesses run microservices/containers, and 53% of those already use some sort of container security technology. 43% use a dedicated solution to secure serverless functions at runtime.
While this may sound promising, it feels like organizations are taking the “spaghetti on the wall” approach, stacking up multiple technologies but not necessarily optimizing their interoperability. Rather, they hope that having multiple solutions in place will do the job.
Since microservices and container management are still considered emerging technologies, it is understandable that businesses are still learning which solutions and practices fit the new infrastructure and data flows. However, false confidence in existing security models prevails, leaving unforeseen security gaps that lead to data breaches.
Businesses Follow Required Security Practices
Not only are businesses willing to embrace emerging security technologies, they also largely follow the canonical information security practices. Cases in point:
- 70% have security controls on east-west traffic.
- More than half do code reviews in addition to the security testing and WAF solutions they use.
- 52% say their leading criterion for selecting application security technology is the quality of the security it provides.
This is well demonstrated by API security practices. Per the chart below, businesses are aware of the security risks coming through APIs and actively address them; a smart move, as APIs are now the glue between tools, apps, systems and environments.
Following basic security practices and adopting roles like DevSecOps (more than 90% of organizations already have DevOps or DevSecOps teams, and 58% reported a ratio of between 1:6 and 1:10 DevSecOps to development personnel), combined with stacking up application security technologies, all help businesses develop a high sense of confidence:
Applications Are Still Hacked
Nonetheless, attackers still prevail, as application attacks remain a constant threat. 88% of respondents reported attacks throughout the year, and 90% suffered a data breach. The attacks respondents experienced daily included access violations, session/cookie poisoning, SQL injection, denial of service, protocol attacks, cross-site scripting, cross-site request forgery and API manipulation.
56% pointed to a misunderstanding of where security responsibility lies between them and their public cloud service provider (the shared responsibility model). Many still fight different types of attacks against their applications on a weekly basis.
API gateways, by the way, don't seem to do the job on their own. They are mostly used for authentication (37%), IP filtering (30%) and some basic load balancing (28%). Those controls decide who may call an API, not whether the parameters and sequence of a given call are legitimate, so a gateway alone cannot block the full range of API manipulation and abuse.
Generally, solutions based on static rules and rigid heuristics can't deliver the appropriate level of application security, because applications change all the time. Half of respondents report that their apps change constantly, sometimes multiple times a day, which is impossible for humans to keep under control: every change has to be detected, the policy tuned, validated and then enforced, release after release. That does not scale by hand. Automation is required.
The rapid pace of change hands some power to a new buyer, who is in charge of the agile development and delivery of applications and microservices, and who designs the SDLC environment and selects the tools. The emerging DevOps and DevSecOps roles have a growing influence on security decisions and practices. This was the hypothesis we set out to test.
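To make the detect/tune/validate/enforce loop concrete, here is an added example (not from the survey or any vendor product) of a positive-security policy that is regenerated from the application's API spec instead of hand-tuned. The simplified OpenAPI-style specs, endpoints, parameter rules and request samples are constructed for the illustration; the point is that a policy compiled for release 1 silently blocks legitimate release 2 traffic until the change is detected and the policy regenerated and validated.

```python
import re
from dataclasses import dataclass, field

# Constructed, simplified OpenAPI-style spec for a hypothetical order service (release 1).
SPEC_V1 = {
    "version": "1.0",
    "paths": {
        "/users/{id}": {"get": {"params": {"id": {"type": "int", "required": True}}}},
        "/orders": {"post": {"params": {
            "sku": {"type": "str", "required": True, "pattern": r"^[A-Z0-9-]{3,16}$"},
            "qty": {"type": "int", "required": True, "max": 100},
        }}},
    },
}
# Release 2: developers added a coupon parameter and a cancel endpoint (constructed).
SPEC_V2 = {
    "version": "2.0",
    "paths": {
        "/users/{id}": SPEC_V1["paths"]["/users/{id}"],
        "/orders": {"post": {"params": {
            **SPEC_V1["paths"]["/orders"]["post"]["params"],
            "coupon": {"type": "str", "required": False, "pattern": r"^[A-Z0-9]{4,10}$"},
        }}},
        "/orders/{id}/cancel": {"post": {"params": {"id": {"type": "int", "required": True}}}},
    },
}

@dataclass
class Rule:
    method: str
    template: str
    path_re: "re.Pattern"
    params: dict

@dataclass
class Policy:
    version: str
    rules: list = field(default_factory=list)

def compile_policy(spec):
    """Tune step: derive an allowlist policy (only listed method/path pairs and
    only listed parameters) from the spec, so nobody writes rules by hand."""
    policy = Policy(spec["version"])
    for template, methods in spec["paths"].items():
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        for method, op in methods.items():
            policy.rules.append(Rule(method.upper(), template, re.compile(pattern), op["params"]))
    return policy

def _check_param(name, value, schema):
    if schema["type"] == "int":
        if not re.fullmatch(r"-?\d+", str(value)):
            return f"param {name}: not an integer"
        if "max" in schema and int(value) > schema["max"]:
            return f"param {name}: exceeds max {schema['max']}"
    elif "pattern" in schema and not re.fullmatch(schema["pattern"], str(value)):
        return f"param {name}: does not match allowed pattern"
    return None

def evaluate(policy, req):
    """Enforce step. req = {"method", "path", "params"}; path parameters are
    taken from the URL, query/body parameters from req["params"]. Returns (allowed, reason)."""
    for rule in policy.rules:
        m = rule.path_re.match(req["path"])
        if not m or rule.method != req["method"].upper():
            continue
        supplied = {**m.groupdict(), **req.get("params", {})}
        unknown = set(supplied) - set(rule.params)
        if unknown:  # allowlist: undocumented parameters are blocked, not ignored
            return False, f"unknown param(s) {sorted(unknown)} for {rule.method} {rule.template}"
        for name, schema in rule.params.items():
            if name not in supplied:
                if schema.get("required"):
                    return False, f"missing required param {name}"
                continue
            err = _check_param(name, supplied[name], schema)
            if err:
                return False, err
        return True, f"matched {rule.method} {rule.template} (policy {policy.version})"
    return False, f"no rule for {req['method']} {req['path']} (policy {policy.version})"

def diff_specs(old, new):
    """Detect step: endpoints and parameters present in the new spec but not the old one."""
    added = []
    for template, methods in new["paths"].items():
        for method, op in methods.items():
            old_op = old["paths"].get(template, {}).get(method)
            if old_op is None:
                added.append(f"{method.upper()} {template}")
                continue
            added += [f"{method.upper()} {template} param {p}" for p in op["params"] if p not in old_op["params"]]
    return added

def validate_policy(policy, known_good, known_bad):
    """Validate step: every known-good request must pass and every known-bad one
    must be blocked. Returns (false_positives, false_negatives)."""
    return ([r for r in known_good if not evaluate(policy, r)[0]],
            [r for r in known_bad if evaluate(policy, r)[0]])

def rollout(old_spec, new_spec, known_good, known_bad):
    """Detect -> tune -> validate -> enforce; a candidate policy that fails validation is never promoted."""
    if not diff_specs(old_spec, new_spec):
        return compile_policy(old_spec)
    candidate = compile_policy(new_spec)
    fp, fn = validate_policy(candidate, known_good, known_bad)
    if fp or fn:
        raise RuntimeError(f"policy {candidate.version} rejected: {len(fp)} false positives, {len(fn)} false negatives")
    return candidate

# Constructed sample traffic after release 2 went live.
GOOD_V2_TRAFFIC = [
    {"method": "GET", "path": "/users/42"},
    {"method": "POST", "path": "/orders", "params": {"sku": "AB-123", "qty": "2", "coupon": "SPRING"}},
    {"method": "POST", "path": "/orders/7/cancel"},
]
BAD_TRAFFIC = [
    {"method": "GET", "path": "/users/42 OR 1=1"},                                          # injection in path param
    {"method": "POST", "path": "/orders", "params": {"sku": "AB-123", "qty": "99999"}},     # quantity abuse
    {"method": "POST", "path": "/orders", "params": {"sku": "AB-123", "qty": "1", "debug": "1"}},  # undocumented param
    {"method": "DELETE", "path": "/orders"},                                                # method not in spec
]

if __name__ == "__main__":
    stale = compile_policy(SPEC_V1)
    print("stale policy false positives:", validate_policy(stale, GOOD_V2_TRAFFIC, BAD_TRAFFIC)[0])
    print("detected changes:", diff_specs(SPEC_V1, SPEC_V2))
    fresh = rollout(SPEC_V1, SPEC_V2, GOOD_V2_TRAFFIC, BAD_TRAFFIC)
    for r in GOOD_V2_TRAFFIC + BAD_TRAFFIC:
        print(evaluate(fresh, r))
```

Run with the stale release-1 policy, the coupon order and the cancel call are blocked as "unknown param" and "no rule", which is exactly the kind of false positive that gets a hand-maintained rule set switched off in production. The diff, regeneration and validation steps are what have to run on every deploy; the policy shape itself (allowlist of methods, paths and typed parameters) is one reasonable choice, not the only one.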
Who’s Calling the Shots?
Well, not the security staff. IT is still the #1 influencer on tool selection, policy definition and implementation of application security solutions. IT controls the budget, but it is nevertheless alarming that 70% of CISOs don't have the final say.
Digital Transformation Is More Than Digital
Our conclusion from the research is that attacks are still successful because enterprises did not fully consider the impact of digital transformation on their business.
In digital transformation, technology spearheads the change. And while new technologies and frameworks are being bought and adopted (that's the easy part!), technology by itself cannot deliver on the promise. Despite businesses' willingness to follow proper security practices, attacks remain successful. Why? Because enterprises didn't take the second, non-digital step of digital transformation: acquiring new skill sets, adjusting business processes and redefining roles and responsibilities.
That is where application security fails. If security professionals are allowed to do their jobs and make security a business enabler, then we may finally see security running at the speed of business.