As DevOps becomes even more agile, rapid application deployment will pose challenges. In this guest post, Imperva’s Kim Lambert explains how it’s still possible to reduce risk with a multi-layered, integrated security approach.

In today’s fast-paced DevOps and changing business environments it’s critical to understand the need for a consistent security approach that can keep pace.

Priorities are shifting and applications are becoming more fluid, living on-premises, migrating to the cloud and sometimes even back on-premises. But there are still ways to mitigate risk while still enabling agility and speed of deployment.

The State of Agile Development

In a recent report by OverOps, more than half of 600 software professionals (59%) said they release new code or features anywhere from bi-weekly to multiple times a day, which means more than ever there’s an urgency to push code right into production. About three-fifths of those teams are taking advantage of DevOps automation in order to do so.

Meanwhile, 19% follow a quarterly or less frequent cadence, with some teams releasing even more slowly, especially when it comes to legacy applications.

Cloud Adoption

Best practices in the cloud require teams to be just as agile with their deployment methodologies as they are with the consumption of and security of those resources. Not surprisingly, the majority of enterprises have a multi-cloud strategy, with deployments combining one or more public clouds with a private cloud or with on-premises infrastructure. And over recent years, the number of cloud providers used has averaged just over three for public cloud and just under four for private cloud.

However, despite the overall cloud transformation trend, some enterprises as of late are moving systems they’ve migrated to the public cloud back onto their private infrastructure or on-premises, which they feel gives them more control.

No matter where applications reside, it’s important to remember from a security standpoint that despite how fast applications are being rolled out, and even if you have no idea where exactly they’re going to live in the future, you’re still on the hook to protect them.

Security for the Cloud

Despite the benefits of the cloud, we know data breaches resulting from cloud misconfigurations cost businesses nearly $3.18 trillion in 2019. The COVID-19 pandemic is having huge effects on the economy, on social lives and on our work lives. With so many people worldwide working from home, the crisis has actually focused even more attention on cloud security and the resilience of its infrastructure to stand up to cloud security threats.

But the cybersecurity vulnerabilities inherent to cloud storage are nothing new. Many companies were still in the process of improving their cloud security when the pandemic hit, but have now been forced to accelerate their plans. And improved cloud security can actually save businesses up to $1.4 million per cyber-attack. Yet, even more challenges remain.

Key Security Challenges

Most of Your Software Isn’t Yours
Attackers gain access to critical data by exploiting software vulnerabilities in web applications. But to complicate matters, the reality is that most of the software being developed isn’t actually yours - it’s software sourced from outside vendors and it often contains vulnerabilities. According to Sonatype, over 300 billion open-source libraries have been downloaded, and one in eight of them contain known vulnerabilities.

But a trade-off exists between quickly delivering application releases through open-source libraries vs. spending time and resources fixing software vulnerabilities that can prevent an on-time release.

Discovering Vulnerabilities Takes Time
Over 90% of IT professionals are concerned about a cloud-related data breach, yet almost as many, 84%, are concerned that their organization has already suffered a major cloud breach they have yet to discover. And it takes about three weeks to recognize application incidents through discovery, not including mitigation and resolution time.

From there, frighteningly enough, Veracode says that with change and churn in organizations - where security training may or may not be present - it takes almost 300 days on average to resolve discovered high-severity vulnerabilities.

Data Breach Prevention
CyberEdge’s 2020 CyberThreat Defense Report asked respondents what inhibits them from defending their respective organizations against threats. While lack of skilled personnel and low security awareness unsurprisingly top the list, there’s also a big connection among the next three issues: too much data to analyze, poor automation of threat detection and response processes and lack of contextual information from security tools.

Not enough continuous monitoring and analysis exists to detect threats early. The research suggests a lack of effective large-scale data collection and analysis to detect anomalies and to track the course of attacks, automating workflows and responding accordingly.

Security professionals surveyed in the report believe monitoring and managing the entire application security stack from one platform would save them time and simplify workflows. But many just don’t have that today - instead, they have multiple endpoint solutions provided by different vendors. Disconnected approaches may mitigate risk at the edge - the application and the database - but may make a consistent security strategy more difficult.

To that end, there are five other best practices to follow for a more comprehensive security approach:

1.   Ensure Executive Alignment
It’s critical that both CIOs and CISOs are working together to address business risk. If they’re not, you may have applications and technologies being deployed but not necessarily implemented or used. Alignment where all executives have good pre-production vulnerability management allows for a good foundation. Plus, having security defined by actual metrics is also key to analyzing your current position, any gaps, and your progress.

2.   Secure Applications at the Edge
A lot of times security attacks originate from botnets and are used to initiate Distributed Denial of Service (DDoS) attacks. These same botnets are often used for harvesting and scraping (which can lead to a cyber criminal discovering vulnerabilities within your website) and for crafting OWASP related attacks like SQL injections or cross-site scripting.

The “edge” also provides a perfect place to intercept malicious attacks that target APIs and to prevent account takeover attacks where credential stuffing leads to malicious actors reusing “stolen credentials” from large data-breaches to access user accounts.

3.   Explore Security by Default
In legacy environments with no technical support to fix bugs applications can often sit exposed to security threats that target vulnerabilities for long periods of time. For many organizations, instead of fixing bugs during the development process, an effective strategy is implementing self-protection for applications during runtime in order to push code into production fast. Protecting during runtime is also extremely helpful in securing against zero-day vulnerabilities that exist in open-source, third-party software.

4.   Actionable Insights
One of the biggest issues facing organizations is the challenge of dealing with digital exhaustion or alert fatigue, where security analysts are overwhelmed by the quantity of security alerts to a point where they can’t effectively triage. At that point, a security analytics tool is no longer providing any value.

Utilizing machine learning to reduce an unmanageable number of security alerts into a few manageable ones can provide value in terms of creating actionable steps to take when attacks target your organization. It’s a bonus if it provides a narrative for actionable next steps based on a single, correlated view across your cloud and on-premises deployments.

5.   Embrace Automation and DevSecOps
Many modern applications are deployed in the cloud and rapidly scale – they can be deployed on “Infrastructure as Code” such as “CloudFormation” and “Terraform.” Utilizing this technology helps you not only easily onboard applications and avoid the tedious process of migration, but also to propagate security rules.

As DevOps becomes even more agile going forward, quickly churning out applications that need protection, continued movement to the cloud and more complex, distributed environments will still pose a challenge. But it is possible to reduce that risk with a multi-layered, integrated security approach.