CLOUD NATIVE SECURITY – ACCELERATE LEFT OR GET LEFT BEHIND

Cloud native applications are designed and built on the cloud. But is your security incorporated into the cloud native lifecycle by default? QA Director of Cyber Security, Richard Beck, highlights the importance of cloud native security and "shifting left" as early as possible.

Security professionals have argued that security should be a consideration at the outset of application development, irrespective of the environment. Security by design or by default, as early in the development lifecycle as possible, is a long-held principle of application security. "Shifting left" is the term associated with testing for defects early in the cycle. But asking a security professional to shift left to account for cloud native security would catch many security folks by surprise.

Mature development and DevOps teams have adopted deployment through containerisation, with some standardisation of vulnerability management to help automate the process. Many decide to scan early in the delivery pipeline to minimise the opportunity for security weaknesses disrupting the continuous application delivery process. Well, that’s the idea, in principle. The State of Cloud Native Security 2020 report highlights that 45% of highly prepared companies have embedded security into DevOps processes, and 41% integrate security in at least four stages of the development lifecycle.

Context is a key component of understanding any vulnerability or security posture, and cloud native security is no different. Increased flexibility for homeworkers using cloud services as a result of Covid has added to an already complex security configuration. Without context, what do we secure? For example, am I using a corporate or private Microsoft OneDrive service? Existing cloud security techniques can easily be outpaced when we look at cloud native security threats.

This should make security professionals sit up and take stock of emerging cloud native technologies and at its core, the principle of application deployment via containers. Accelerating left, and understanding application layer security deeper than OWASP, is an imperative to securing cloud native environments and enabling successful digital transformations in the enterprise.

How do we work together to meet this challenge?

Collaboration with a new calibre of cyber engineer could be part of the solution. The cyber engineer, or DevSecEng, is someone who actually understands the code: a Linux native who is comfortable with serverless functions, microservices and infrastructure as code. Someone who can work with APIs, knows what’s running inside the container and can apply security measures, but who crucially can influence and communicate in a common language. This isn’t a typical DevSecOps person, who is likely to be drowning in automated security reports and researching vulnerabilities that no-one has the time to fix. The DevSecEng cyber engineer is cross-cutting, with the insight to champion machine learning (ML) for integrated high-fidelity cloud security tasks, leaving capacity to help the developer community understand the dynamic nature of the threat. That leaves more time to focus on the high-touch human security engineering tasks, for example automating workflows to codify security countermeasures. The cyber engineer will also use tooling to advantage to protect the workload, while being mindful of its flaws. For example, Kubernetes has become the go-to for cloud native resilience, but it has also become the Achilles heel for those too trusting in silver bullets.

Attacks on cloud native security services tend to be more difficult to achieve but can be devastating, often taking advantage of the very nature of the cloud native architecture to achieve the compromise. The latest Aqua Security research shows an increase in organised attacks on cloud native environments. Here is what they had to say about the heightened threat:

“The attacks we observed are a significant step up in attacks targeting cloud native infrastructure. We expect a further increase in sophistication, the use of evasion techniques and diversity of the attack vectors and objectives, since the widespread use of cloud native technologies makes them a more lucrative target for bad actors. Security teams are advised to take the appropriate measures both in their pipelines as well as runtime environments, to detect and intercept such attempts.”

Accelerate to the left

Technical security practitioners not able to shift left will be left on the shelf. Now is the time to re-invent or rediscover, notwithstanding the new normal: to take stock of the multiple cloud environments and the trade-off between agility and the expected environmental complexity. According to the latest IDG Cloud Computing Survey 2020, 54% of enterprises' cloud-based applications moved from an on-premises environment to the cloud, while 46% were purpose-built for the cloud.

Plugging the gap in cloud native security will follow from the combined use of niche cloud native security vendors and applied skills. You need continuous security with the agility to test, test again and fix fast, crucially at the service layer. A word of caution though: watch out for your favourite AppSec tools being absorbed into large tech vendor platforms, which will test your agility and service dependencies.
