Amid the Software Engineering Paradigm Shift, How Must AppSec Evolve?
Attitudes around software engineering have evolved, posing a key paradigm shift for organizations regarding how they think about and manage software engineering functions. As cloud adoption continues to accelerate, software engineering is taking a front seat, commanding an even bigger role in business growth and success. This is especially prevalent today as organizations compete with each other to deliver greater customer value, faster and more efficiently.
Speed is paramount and frictionless application development provides organizations with the agile foundation they need to meet ever-changing customer demands. As a result, organizations are constantly looking for ways to accelerate engineering and remove velocity blockers, including increased usage of third-party tools, open-source software and automated build and deployment pipelines. In fact, Palo Alto Networks’ recent State of Cloud-Native Security report found that more than 75% of respondents said they’re deploying new or updated code to production weekly, and almost 40% are committing new code daily.
Software Engineering Complexity Creates More Security Challenges
Adopting new technologies, rather than self-development, is a simple solution to the problem of doing more with less. This, in turn, creates an extremely dynamic software engineering landscape that includes a multitude of different languages, frameworks and capabilities. The downside? Implementing these new technologies inadvertently makes application security—the security umbrella over the engineering ecosystem—much more complex and challenging to ensure, as they significantly expand the organization’s attack surface.
For example, today’s engineering organizations have the freedom and independence to implement whichever engineering technologies, frameworks and third parties they consider to be the most suitable for serving the business needs. Modern engineering technologies have undergone a significant evolution, to the point where they can be adopted and implemented into production within minutes. This, coupled with the fact that most organizations do not enforce security approvals or procedures prior to implementing new engineering technologies and frameworks, harms the security posture of the engineering ecosystem. Commonly used engineering technologies and tools often contain a significant number of vulnerabilities and misconfigurations that typically grant an excessive amount of permissions and do not follow any structured deprovisioning process – making the expansion of the attack surface perpetual. The only way to prevent these from becoming an even larger vulnerability is by creating dedicated solutions to detect them before it’s too late. The failure to successfully identify these flaws can leave organizations open to the risk of attack with devastating consequences on their operations, customers and future success.
Bad actors are beginning to reap the benefits of these oversights, often with significant consequences for their target. From SUNBURST, CodeCov, Travis-CI and CircleCI, it’s clear that attackers now understand the impact of abusing software delivery processes and systems to gain access, exfiltrate confidential data and run malicious code in production environments.
AppSec Evolution for Securing the Modern Engineering Ecosystem
AppSec has traditionally focused on embedding secure development practices and preventing security flaws in code and artifacts from making their way into production. While this is still a critical component for AppSec, the fact that the engineering ecosystem has become a lucrative target for adversaries has expanded AppSec to include the posture of the engineering ecosystem – in addition to the traditional focus on the security of the code and artifacts flowing through it. Despite this considerable growth in scope and complexity, AppSec is forced to increase velocity as it shifts from being a blocker to a guardrail.
To address this challenge, here are five guiding principles AppSec practitioners are adopting to implement effective AppSec programs around the modern engineering ecosystem:
1. Visibility: To apply an effective security umbrella over today’s complex engineering ecosystem, security must obtain a comprehensive, continuous understanding of the “Technical DNA” of the engineering ecosystem, conduct informed conversations around security with engineers, and apply security controls and measures which are tailored to the organization’s technical stack.
2. Speed: Engineering drives production timelines in the cloud, and security can no longer serve as a roadblock by restricting the rate of progress. Security controls and measures must move at the same speed as engineering.
3. Integrability: Seamless integrations of security controls and solutions in day-to-day engineering frameworks will play a key role in embedding security from the start. Integrations will also enable security to operate more easily at the pace of engineering.
4. Enablement: Security must adapt to support engineers rather than restrict the adoption of new technologies and frameworks. It must be leveraged as a tool alongside these new technologies to better support engineering timelines.
5. Focus: Security must establish an effective signal-to-noise ratio. This means that AppSec strategies and processes must deliver contextualized and actionable insights for new risks and critical vulnerabilities, allowing engineers to focus on what matters and reduce potential high-impact threats.
As organizations continue to position software engineering and application development front and center of their business strategy and success, security must evolve to become more adaptable and agile to secure the engineering ecosystems of today, and tomorrow.
