
Addressing cloud-native app development challenges with scalable security tools

Charlotte Freeman

Oct 17, 2024 / 4 min read

Organizations are shifting from on-premises deployments to cloud-based or cloud-first strategies. According to a recent Foundry Cloud Computing Study from September 2023, about 65% of IT decision-makers say their organizations are opting for cloud-based services when upgrading or adopting new technical capabilities. This trend can be seen in how organizations offer and deploy applications to their customers, such as through software as a service (SaaS). Cloud-based tools and infrastructure are also preferred for internal use due to their easier maintenance, lower costs, and scalability.

However, this shift isn’t without challenges. Although organizations are increasingly interested in incorporating more artificial intelligence (AI) and machine learning (ML) capabilities in their products and workflows, cloud infrastructure security and application security remain critical areas of focus. Ultimately, ensuring the integrity and availability of internal and publicly accessible applications is paramount to business continuity, and maintaining the confidentiality of sensitive business and customer data is critical to avoiding costly breaches and regulatory noncompliance. As such, cloud infrastructure configuration and application security concerns are often the biggest hurdles for organizations when shifting to cloud-based environments. Properly addressing these concerns can significantly boost the growth and adoption of cloud-based software development and delivery.

Cloud-native application development vs. traditional application development

Cloud-native is an approach to building, deploying, and managing modern and scalable applications in cloud environments, such as public, private, and hybrid clouds. There are five characteristics of cloud-native applications.

  • Microservices: A microservice architecture composes an application from loosely coupled, independent services or modules. Each service owns its own data and isolates and packages its own dependencies, so one service can change without impacting the entire system. This structure improves flexibility, supports modular development, and allows each microservice to be deployed independently.
  • Containers and orchestration: Cloud-native applications encapsulate code and dependencies within “containers.” This keeps microservices from interfering with each other, but it requires proper orchestration to make the system scalable and optimal.
  • Infrastructure-as-code (IaC): IaC automates platform provisioning, ensuring the same environment is generated every time it deploys, avoiding manual configuration and aiding automation. Popular tools include Azure Resource Manager, Terraform, and Ansible.
  • APIs: Microservices in cloud-native applications communicate using clearly defined application programming interfaces (APIs), which uphold precise agreements between services that allow for controlled information flow in support of application functions. Essentially, APIs help unify communication, enhance data accessibility, and enable autonomous scalability.
  • DevOps and continuous integration/continuous deployment (CI/CD): Cloud-native development relies on integrated development and operational workflows to speed up software development, delivery, and operational procedures. These workflows can include continuous and automated mechanisms for software development and delivery, known as CI/CD, which tighten the workflows and enable multiple releases per day. Application security testing can be added to these DevOps workflows to achieve DevSecOps, boosting the overall speed and effectiveness of security testing by accomplishing it early in the software development life cycle to reduce costs, eliminate risks, and accelerate time to market.

The adoption of new technologies and methodologies across software development and cloud environments, and a continued focus on the speed and scalability of releases, can result in increased development complexity. It can also expand the potential attack surface for applications in ways that can make risk assessment and mitigation more complicated. 

Security challenges of cloud-native applications

Open source and third-party components

While traditional security focused on the perimeter defenses of networks and production environments, cloud-native applications require a more proactive approach. This includes detecting weaknesses in proprietary code, such as cross-site scripting (XSS) and SQL injection flaws, and identifying vulnerable open source software dependencies, which can introduce software supply chain security risks. Organizations need to be aware of all the open source and third-party components in their apps, as well as any associated security vulnerabilities, and have a plan to mitigate them as soon as possible.

An expanded attack surface due to AI-generated code

DevOps workflows can expand the attack surface through the use of automation and the CI/CD infrastructure. Container images, often used in cloud-native applications, can include third-party and open source software with vulnerabilities. Misconfigured IaC templates can automatically propagate vulnerable conditions or scale insecure environments, because the same template is applied to every environment it provisions. Leveraging technologies like generative AI to write code expands the attack surface further, because many such tools were trained on code that might not have been written using secure practices or that references vulnerable third-party libraries.
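One way to catch an IaC misconfiguration before the pipeline applies it: the following is an added example, not code from the post or from Black Duck's tooling. It scans a constructed Terraform plan in the shape of `terraform show -json` output and returns findings for a security group that exposes a management port to the world and for a database instance that is publicly accessible and unencrypted; the module reused for two environments shows how one weak setting is propagated. The resource types, attribute names and rule ids are assumptions for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json` plan output,
# trimmed to the fields the check reads. module.web is instantiated for
# "dev" and "prod", so the weak ingress rule appears in both environments.
SG_AFTER = {"ingress": [
    {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": 'module.web["dev"].aws_security_group.sg', "type": "aws_security_group",
     "change": {"actions": ["create"], "after": SG_AFTER}},
    {"address": 'module.web["prod"].aws_security_group.sg', "type": "aws_security_group",
     "change": {"actions": ["create"], "after": SG_AFTER}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["create"],
                "after": {"publicly_accessible": True, "storage_encrypted": False}}},
    {"address": "aws_security_group.old", "type": "aws_security_group",
     "change": {"actions": ["delete"], "after": None}},  # deletions carry no 'after'
]})

MGMT_PORTS = {22, 3389}          # SSH and RDP: never world-reachable (assumed policy)
WORLD = {"0.0.0.0/0", "::/0"}

def check_resource(rc):
    """Return (address, rule_id) findings for one planned resource change."""
    actions = rc["change"]["actions"]
    if "create" not in actions and "update" not in actions:
        return []                 # nothing new reaches the environment
    after = rc["change"].get("after") or {}
    findings = []
    if rc["type"] == "aws_security_group":
        for rule in after.get("ingress", []):
            if not WORLD & set(rule.get("cidr_blocks", [])):
                continue
            lo, hi = rule["from_port"], rule["to_port"]
            all_ports = lo == 0 and hi == 0  # AWS convention for "all traffic"
            if all_ports or any(lo <= p <= hi for p in MGMT_PORTS):
                findings.append((rc["address"], "SG_MGMT_PORT_OPEN_TO_WORLD"))
    elif rc["type"] == "aws_db_instance":
        if after.get("publicly_accessible"):
            findings.append((rc["address"], "DB_PUBLICLY_ACCESSIBLE"))
        if not after.get("storage_encrypted", False):
            findings.append((rc["address"], "DB_STORAGE_UNENCRYPTED"))
    return findings

def scan_plan(plan_json):
    """Run every check over the plan and collect findings across all resources."""
    plan = json.loads(plan_json)
    return [f for rc in plan.get("resource_changes", []) for f in check_resource(rc)]

def gate(findings):
    """CI exit code: non-zero stops the pipeline before `terraform apply`."""
    return 1 if findings else 0
```

Run as a pipeline step between `terraform plan` and `terraform apply`, the gate fails the build on any finding, so the misconfiguration is fixed once in the module rather than in every environment it provisioned.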

Organizations must accelerate and transform their application security programs to keep pace with this evolving landscape, and sustainable application security practices are crucial for development teams. Developers need tools and processes that enable security scanning early in the development process, provide instant risk feedback on code commits, and offer usable remediation advice. Workflow automation, scanning efficiency, and a unified user experience with prebuilt integrations are also important.

Cloud-native applications demand scalable security solutions

Security solutions should support the scalability that comes with cloud-native applications and DevOps workflows by allowing for bulk onboarding of applications and branches within source code management repositories. The results of application security tests should be aggregated in real time to provide a comprehensive risk perspective across cloud environments and software types. 

This is where a unified SaaS platform, like the Black Duck Polaris™ Platform, plays a vital role. It centralizes the configuration and review of static application security testing (SAST), software composition analysis (SCA), and dynamic application security testing (DAST); offers accurate scanning of proprietary code and open source dependencies; and validates exploitable conditions that manifest during runtime.

Real-world examples demonstrate how such platforms can help organizations with limited security resources manage their application security challenges. For instance, a large European wholesaler undergoing digital transformation successfully integrated Polaris within 10 days, enabling comprehensive security testing and management across hundreds of applications and developers, improving security practices and adoption among development teams.

As organizations shift to cloud-based development and deployment, a scalable security tool like Polaris that supports cloud-native applications and DevOps workflows can provide comprehensive security testing and management, which allows organizations to manage their AppSec challenges effectively.

- This blog post was reviewed by Steven Zimmerman.