Secure cloud-native apps and APIs at the speed your business demands
The cloud-native development model entered the mainstream in the recent years, with technologies such as microservices and serverless computing, containers, APIs, and infrastructure-as-code (IaC) at the forefront of this trend. Thanks to these emerging technologies, organizations can build and run their apps fast, in a distributed manner and without reliance on physical hardware infrastructures. But while this flexibility helps save time and money across the entire software development life cycle (SDLC), it does not come without a security price tag.
Security concerns for cloud-native applications
Securing cloud-native applications requires a full understanding of the interfaces being exposed by the microservices to the various consumers, as well as a proper security configuration and running of the container images, for example. Organizations with internally developed cloud-native applications faced a variety of security incidents in recent years, with the leading causes being insecure use of APIs, vulnerable source codes, and compromised account credentials.
Two key concerns of deploying and managing cloud-based apps are the enlarged attack surface and the greater complexity. As developers quickly spin up cloud-native (serverless or container-based) workloads, more attack surfaces will be exposed. Every function, API, and protocol in a cloud-native application presents a broader potential attack vector. In fact, in ESG’s survey on recent security incidents, insecure use of APIs was shown to be the leading reason for the cloud-native app stack’s susceptibility to attack.
The cloud-native architecture also adds complexity to security governance and control as organizations must consider the multiple permissions, authentication, and access management issues. As developers increasingly use IaC, there is a higher chance for IaC template misconfigurations due to coding mistakes. Unfortunately, errors such as critical data leakage and unauthorized access to apps and sensitive data can’t be detected until it’s late in the cycle. This makes it more challenging and time-consuming for organizations to manage.
Traditional AppSec tools can’t keep up
Traditional application security testing (AST) tools were not designed for cloud-native apps, and therefore cannot provide adequate coverage, speed, or accuracy to keep pace with the demands of these modern applications. Legacy AST tools have poor visibility into modern app development and deployment architectures, as most API and serverless function calls are event-driven triggers, and some functions don’t have a public-facing endpoint or URL. While some vendors may tout best-of-breed static scans for cloud and serverless applications, the truth of the matter is that scanning code with limited to zero context is not an effective AST solution.
According to Gartner’s latest report on enabling cloud-native DevSecOps, an overwhelming 70% of teams use static application security testing (SAST) tools in development, and web application firewalls (WAFs) and app monitoring tools in production. The report also showed that newer tools such as API security testing, IaC scanning, and interactive application security testing (IAST) are increasingly used during development and testing stages of the SDLC.
But effective API security can’t be done by merely protecting and blocking vulnerable APIs with some web firewalls and monitoring tools. API-based apps need to be treated and managed as a complete development life cycle of their own. Just as the software app development life cycle goes through upfront planning and design, so must the API life cycle. There needs to be proper API design with API polices built into an organization’s overall business risk and continuity program.
Organizations must also perform some internal housekeeping and build an inventory of all the API-based apps that can be used for risk assessment, classification, and quality control purposes. Ultimately, the goal is to focus on API-based apps that have the highest risk factors, and time and expert resource constraints.
Continuous testing and verification are a must
The next step is most important in my opinion, and the missing link in today’s API security. Effective API security practices should include the ability to continuously test and verify vulnerable APIs (including custom, open source, and public-facing APIs) in real time. It is not enough to have an API tool that can discover all the APIs for each application and put up a firewall to allow traffic to access the API only if it adheres to a defined risk policy, for example. A better API strategy would expand API discovery capabilities to include dynamically testing, verifying, and triaging continuously during integrated application tests at runtime compilation with other open source and third-party codebases and APIs.
This is the key essence of effective API security strategy in my opinion. An organization needs the ability to quickly identify and proactively test and remediate the apps with highest risk (as defined by its security policies and API risk classifications) before they go into production release. An API risk classification system can use criteria such as the application’s exposure (internal- or external-facing apps), the types of information it handles (e.g., PII/ PCI-DSS payment related), the record size that the app manages (which can get into thousands and millions), and the cost of data breaches, disaster recovery, and business continuity impact.
Gartner’s most recent cloud-native survey found that organizations are incorporating other AST solutions such as software composition analysis (SCA), IAST, and API testing in addition to SAST and WAF. Modern application security testing solution such as IAST can help alleviate the burden of conducting security testing in DevOps environments, as it doesn’t require additional scans, triaging, or verification that adds time and test cycles to the continuous pipeline.
How Synopsys can help you secure your cloud-native apps
An advanced IAST tool such as Seeker® by Synopsys is unique and useful in securing cloud-native apps. It can detect, test, and validate all the inbound and outbound API calls, whether they are API calls your app declares or callable APIs you are not testing. It also tracks and tests for commonly leveraged serverless functions such as AWS Lambda and Azure Functions without adding additional scan cycles and friction to the continuous pipeline.
Everything is done autonomously in the background by the tool, while the normal development and QA test workloads are carried out by the teams. DevOps and security teams get a highly interactive and visual map of all the critical and sensitive dataflow, including vulnerable paths and potential sensitive data leakage. Development teams get real-time information—from stack traces to detailed line of code, as well as remediation guidance.
Unlike traditional dynamic scanners that require API specifications to perform security testing, with Seeker IAST, there is no reliance upon OpenAPI or Swagger files. Seeker can discover all callable APIs using its instrumentation agents and can generate OpenAPI docs based on Postman or HAR files. It can track and detect all application requests and responses with payloads in JSON, XML, or in newer formats such as GraphQL, gRPC, and Kafka. And it provides a catalog of all the endpoint calls including untested, callable APIs and URLs.
In addition to Seeker IAST, Synopsys offers complete, end-to-end scanning technologies that help secure your cloud-native applications. Code Sight™ lightweight SAST empowers developers to instantly detect and fix vulnerable code in their IDE. Coverity® static analysis, and Black Duck® software composition analysis helps secure IaC, containerized apps, and images. Synopsys provides a comprehensive portfolio of app security testing tools and services that can help your teams find and fix critical vulnerabilities such as access and authentication issues, cross-site scripting, and various types of injections quickly and painlessly.
Download the Gartner 2022 “Critical Capabilities for Application Security Testing” report to learn more about the Synopsys portfolio of AST tools and why Synopsys received the highest score for the cloud-native application use case.
This post was originally published in https://www.synopsys.com/blogs/software-security/gartner-critical-capabilities-appsec-cloud-native-apps/