Evaluating application security in the age of cloud-native

Erez Yalon

As digital transformation efforts advance and cloud-native becomes more popular, the role of application security within cloud-native architectures needs to become a priority. So, when looking at how to best secure these complex, cloud-native applications, where should development teams start?

The term ‘cloud-native’ has been a buzzword in the software development space for years. Recent evolutions in the architecture, though, have not only made it the default way for organisations to build and run their applications, but have also allowed it to shed that outdated moniker.

This evolution has been a marked shift in the software development space, with cloud-native offering significant benefits to those designing, building and deploying applications – such as increased flexibility, scalability, ease of management, lower cost and a faster time to market. It’s no wonder, then, that the popularity of cloud-native application development has soared: our recent survey found that well over half (59%) of developers have somewhat or significantly increased the amount of app development they’re doing in the cloud over the last year.


Despite the benefits, however, there are pitfalls to its use. Namely, cloud-native applications present an intricate and layered attack surface that is both under-secured and widely misunderstood. With containers, APIs, infrastructure as code (IaC), microservices and other cloud-based components comprising large portions of these apps, this complexity means traditional testing methodologies aren’t enough to ensure security.

So, when looking at how to best secure these complex, cloud-native applications, where should development teams start?

Traditional app security vs. cloud-native

To be able to truly secure cloud-native applications, it’s important to understand the nuances between ‘traditional’ and cloud-native application security, or AppSec.

In general, traditional AppSec is more contained, whereas with cloud-native there are more components and connections interacting and ‘speaking’ to one another behind the scenes. While this makes for more dynamic and scalable applications, it also creates an exponentially larger attack surface. For example, adversaries can now try to gain access to AWS, Kubernetes or Docker environments, then move on to other interconnected technologies, such as APIs, if they don’t initially succeed. This presents an issue for developers, as not only are they now tasked with learning to build apps in a new environment, but they must also evolve the way they test for security vulnerabilities.

Alongside this, there are a number of specific intricacies which present challenges to securing cloud architectures. Firstly, where security teams used to simply scan their application code with application security testing solutions, cloud-native apps require a shift in approach due to their complexity. Because code is everywhere in these apps, gluing the different technology systems together, there are now configuration files that need to be evaluated as well.

There is also the fact that cloud-native and IaC – provisioning and configuring an environment through code instead of manually – increasingly come hand in hand, with IaC offering a major opportunity for businesses wanting one single holistic approach to app development.

It does, however, come with challenges. When establishing IaC, for example, an organisation’s infrastructure is defined in a set of configuration files which need to be scanned as part of the overall code. This is a tough task for any security testing solution and presents one of the biggest obstacles in application security – making the connection between code, infrastructure and configurations.

The ownership of security has changed hands too. With dispersed code comes dispersed security responsibilities with developers, DevOps and IT teams now needing to take responsibility together. This shared ownership may be complex, but it’s necessary given how it only takes one small mistake for an adversary to take advantage.

Finally, application security has always seen tension between the shift left and shift right approaches. This will only become more evident with the complexities of cloud-native, as each approach brings unique pros and cons.

With the shift left approach to security seeing earlier results in the testing process, it often leads to cheaper and faster remediation cycles. Shift right results come later in the testing process, the benefits of which include a lower percentage of false positives and actionable results. But what is the ideal approach today? While shift left is often recommended, it’s vital that security is embedded within all stages of the software development process no matter which approach is chosen.


Employing the best cloud-native security practices

As digital transformation efforts advance and cloud-native becomes more popular, the role of application security within cloud-native architectures needs to become a priority – and currently, a shift is needed in this regard, with our aforementioned survey finding that one in six developers aren’t performing any security testing at all when building cloud-native applications. When it comes to best practices to overcome the challenges mentioned, it’s important for developers to think about the following three things:

  1. Testing code from the first line. No portion of a code base is inherently secure and every line needs to be inspected from the beginning of development to ensure vulnerabilities are found and addressed.
  2. Testing the IaC. IaC has a major influence on app security and the same careful steps to testing and security need to be taken with IaC also.
  3. Ensuring each component is secure. It’s vital to test everything, including third-party components and APIs, as it’s very common for vulnerabilities to exist in these environments. A ‘trust and verify’ approach is paramount, meaning that organisations trust but make a concentrated effort to also verify and validate third-party solutions and components before using them. As we continue to build applications from a diverse set of components, blindly trusting that third-party technologies are secure is a recipe for disaster.
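One way to put the ‘testing the IaC’ practice into code for Kubernetes manifests, as an added example that is not the article’s or Checkmarx’s own code: a small Python policy check that flags the kind of settings an IaC scanner should catch in a Pod or Deployment spec, run over a constructed weak manifest and its hardened counterpart. The two sample manifests and the all-zero image digest are constructed for illustration; the field names are standard Kubernetes ones.

```python
import json

# Constructed sample manifests (not from the article): a weak Pod and a hardened one.
WEAK_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"hostNetwork": True, "containers": [{
        "name": "api", "image": "example/api:latest",
        "securityContext": {"privileged": True}}]}})

HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"containers": [{
        "name": "api", "image": "example/api@sha256:" + "0" * 64,  # placeholder digest
        "securityContext": {"privileged": False, "runAsNonRoot": True,
                            "allowPrivilegeEscalation": False},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}})


def check_manifest(manifest_json):
    """Return a list of human-readable findings for one Pod or Deployment manifest."""
    doc = json.loads(manifest_json)
    name = doc.get("metadata", {}).get("name", "<unnamed>")
    spec = doc.get("spec", {})
    # Deployments, StatefulSets and Jobs wrap the Pod spec in spec.template.spec.
    pod_spec = spec.get("template", {}).get("spec", spec)
    findings = []
    if pod_spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork=true shares the node's network namespace")
    for c in pod_spec.get("containers", []):
        cid = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cid}: privileged container")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{cid}: runAsNonRoot not enforced")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{cid}: allowPrivilegeEscalation not disabled")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{cid}: image not pinned by digest (mutable tag)")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{cid}: no resource limits set")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_manifest(doc) or ["no findings"])
```

A real scanner would load YAML and apply a much larger rule set, but the shape is the same: the configuration file is parsed and evaluated against policy in the same pipeline that tests the application code.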

By taking these measures, developers and businesses can properly secure their cloud-native applications while streamlining their application security testing processes. Using such an approach, organisations can ensure they’re seeing the full benefits of the technology they’re developing, while significantly lowering the risk.


Erez Yalon

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx’s top notch vulnerability detection technology where his previous development experience with a variety of coding languages comes into play.
