Over the past year, we’ve seen a surge in digital transformation, reflecting the acceleration in many companies’ release of multi-year technology. The use of multi-cloud environments and cloud-native architectures based on microservices, containers, and Kubernetes is at the heart of this transformation. While these approaches undoubtedly help DevOps teams drive digital agility and faster time to market, they also introduce new application security challenges that pose a severe risk.
A Cloud Vision
Cloud platforms represent the fundamental level on which organizations initiate DevOps-based digital transformation initiatives. These environments foster cost efficiency and greater IT flexibility and enable companies to orient themselves in response to changing market needs quickly. As the demand for faster innovation grows in every industry, companies are investing more in cloud-native architectures. Containers and microservices break down application functionality into more manageable parts that can be quickly built, tested, and deployed, which helps teams accelerate innovation.
Cloud-native architectures also offer the flexibility to move workflows between different platforms to ensure that their environment is always the best fit for their needs at all times. However, this cloud-native era comes with new challenges. DevOps teams may not have the tools or resources necessary to manage the additional layer of complexity and identify vulnerabilities in code before they are exposed.
This is a particular challenge given the widespread use of open-source libraries. These libraries help accelerate time-to-market by eliminating the need to write each line of code from scratch. However, they also contain countless vulnerabilities that need to be continually identified and eliminated. It’s not easy in a dynamic cloud-native environment, where change is the only constant.
Legacy Tools Create Blind Spots
Our research highlighted further concerns. These legacy tools were designed for a different era, characterized by static infrastructure and monolithic applications. In those environments, a single monthly scan was sufficient to identify most vulnerabilities. Today, container life is measured in hours and days. Those tools cannot keep up with the current pace of change. Additionally, they usually can’t see inside containerized applications and can’t spot flaws within their code.
Consequently, even the most well-documented vulnerabilities. At the same time, 85% of security experts surveyed want DevOps and applications teams to take more direct responsibility for managing vulnerabilities. There is nothing wrong with this: in fact, many consider DevSecOps and shift-left as the best and most cost-effective way to mitigate risk. However, the existing tools and processes are disappointing these teams.
Professionals don’t have time to perform manual scans, often lack the skills to take responsibility for security, and can’t detect critical vulnerabilities quickly enough. Some DevOps teams even ignore security checks altogether, while others refuse to collaborate with security teams because they are concerned that these steps will slow time to market. As a result, more vulnerabilities are creeping through secure networks and into production environments.
Not Fit For Purpose
These findings underscore that traditional security approaches and manual impact assessments are no longer fit for purpose in dynamic cloud-native environments. Real-time insights are critical when containers start up and shut down in seconds, and dependencies between microservices are ever-changing as they cross the boundaries between cloud platforms. Legacy vulnerability scanners offer only a static point-in-time view and often distinguish between potential risk and actual exposure.
This can lead to application security and DevOps teams being inundated with thousands of vulnerability alerts every month, many of which are false positives. These legacy tools not only fail to keep pace with the rapid pace of change in containerized environments but are also guilty of slowing the transition to DevSecOps by focusing on just one phase of the software lifecycle.
The lack of context makes it difficult for teams to find and apply suitable patches, and teams cannot find vulnerabilities quickly enough to minimize the risk once the code is deployed. Combine the volume of false positives and alerts with the lack of context offered by legacy tools, and you have a recipe for countless wasted hours and increased application security risk.
Automation Is The Future
To overcome these challenges and eliminate the manual burden on their teams, organizations need to identify application exposures automatically. This is possible if they can automate tests at runtime without configuration or additional effort on the part of DevOps teams. By combining vulnerability data with the knowledge of the runtime environment, such as whether the code in question is exposed to the Internet, DevSecOps teams can gain all the context they need to understand the cause, nature, and impact of the problem in real-time.
In this way, teams can efficiently reduce risk and accelerate innovation at the speed of business. The only way for security to keep pace with modern cloud-native environments is to replace manual deployment, configuration, and management with a more automated approach. This will not only be critical to safeguarding organizations from the threats they face in today’s cloud-native world, but it will also enable them to fuel innovation-driven growth in the new post-pandemic era.