While application security has never been more advanced, one could argue that it has also never been more difficult. Keeping pace with the growth and evolution of applications, evaluating the endless number of available solutions, and recruiting the expertise to manage the solutions and evaluate the data are just a few of the challenges modern security teams face. The team at Threat X is comprised of engineers, developers, and security practitioners that have faced one of more of these challenges in their careers. That's what fuels our passion every day.
On this note, I am writing a multi-article series that addresses some of the key trends and challenges facing application security today and how security teams can adapt. In the first article, I highlight the shift in application development and integration, and the impact on security teams. In this article, I will dive into how new DevOps models are affecting security strategies and ushering in a new age of security tools.
The Age of DevOps and Continuous Delivery
Modern applications are developed and updated faster than ever before. Highly agile DevOps and Continuous Integration / Continuous Delivery (CICD) models are quickly becoming the norm, with many teams releasing an update or more every day. While these processes are highly beneficial to the organization, the speed of change certainly introduces new security challenges.
The good news is that many DevOps teams are integrating security into the development process itself, helping to deliver more secure code. However, even the most secure software needs protection from threats, and this protection phase is where the constantly evolving nature of DevOps can make things tricky. If tuning signatures and rules was painful in the old model, it becomes nearly impossible when the application itself can be updated on a daily basis.
In this constantly changing environment, security tools need to keep up with changes in real-time without impacting the development team or slowing the process down. To support the frequent, real-time code deployments, an effective WAF is one that can automatically keep up with these changes and protect against any newly introduced security vulnerabilities without having to update signatures or have any manual intervention. In this manner, security and dev are working cohesively. Combine this approach with automated, dynamic testing of new code that includes forced rollback if issues are detected, and this enables a truly secure CI/CD process.
Securing the Microservice Architecture
The internal structure of applications has also changed from monolithic architectures to containerized microservices that make applications far more modular and easier to update. These microservices are often connected via a service mesh, and securing the east-west RESTful API calls between microservices can be a challenge for WAFs.
If a WAF is not containerized, then it will be virtually impossible to provide protection down to the microservice level. On the other hand, if the WAF is built-in to the service itself, such as via a plugin within NGINX or Apache, then simple rules and intelligence updates to the WAF can bring down the application in order to support the update. As a result, security teams need to ensure that security makes it to the level of the microservices without getting in the way of the application itself.
As containerization becomes more the standard, traditional approaches to the WAF and AppSec are becoming obsolete. Even legacy applications are shifting to be deployed as containers. And this is the reality that security teams must face. Security must be delivered to microservices, APIs, or any other way that application functionality can be accessed. If you are interested in this topic, check out our recent blog that dives into how to scale security in microservice architectures.
These are just some of the important ways that changes in the application landscape are affecting security. And as always, as applications and technology evolve, security will likewise need to adapt. In the next segment of this series, we will shift our focus to changes in the threat landscape and what it means for our defenses. We’ll take a look at the many types of threats facing modern applications from the OWASP Top 10 to malicious automation and how to use threat-facing techniques to find, verify, and stop these threats before they do damage.