Embed Security into Your Modernized Applications
By Gadi Naor, CTO and Co-Founder of Alcide
Companies may be feeling pressure to modernize their legacy, monolithic applications for many reasons: some may wish to operate on a larger scale or to increase innovation velocity by enabling teams to work in parallel. Some companies will build new applications from the ground up, and others will take an incremental approach to modernization by breaking up their monolithic applications and creating modernized blocks one piece at a time.
No matter what strategy your company takes on its journey to modernization, it is imperative that the modernization efforts think and embed security into the development pipeline, employ the correct technologies to assist your team, and create the correct culture and processes to ensure not only effective and timely development, but robust security for your application.
Kubernetes, as a cloud native application vehicle, would be the best infrastructure to invest in. Not only is Kubernetes a powerful and flexible technology, but it also offers a very rich ecosystem and a wide range of tools required to build, secure, operate, run, and scale modern applications. Kubernetes, from a security perspective, can also be harnessed to bolster the overall security of companies modernizing applications. Such companies will be able to establish and implement a well-defined security posture for the various application microservices, runtime security configuration checks, workload protection, Kubernetes infrastructure user and entity behavior monitoring, and secure the cloud environments in which Kubernetes clusters are provisioned.
Why bake in security so early in the modernization process? Companies need to keep application security at the forefront of their planning to mitigate security issues that would delay GA or expose the application to threats in production. After all, containers, Kubernetes, and cloud native are new territory for many organizations, so integrating security with the development process and organization from the start will help organizations avoid security pitfalls later on.
Build Your Security Process from the Beginning
You don’t want to hit your go-live date and discover security was overlooked. This is important for any application, but even more critical when modernizing regulated applications. Failing a security compliance test can cause a project to miss its GA date, therefore a security mindset needs to be applied to the development team and process to address security needs as early as possible.
Security and Your Delivery Pipeline
Your delivery pipeline is where you build your machinery and where you plug in your building blocks. This is where you should implement your security infrastructure. In particular, you want to make certain that your supply chain is secure, and that the components used in your code are not vulnerable. This would normally be the place where code scanning is implemented into CI, scanning your infrastructure-as-code (IaC scan) and security testing (SAST/DAST).
It is quite important to make sure attention is given to resolve discovered issues. Otherwise, security tools would just keep piling up more findings.
Build Your Containers Right
With containers, there is a huge difference between vulnerable container code and exploitable container code. It is possible for containers to consist of security flaws in superfluous code that is never executed in production. This vulnerable but not exploitable code will generate time-wasting security alerts when scanning container images for vulnerabilities. Much of the benefit you can get from containers comes from how you build your container images. A well-defined practice for building container images will eliminate superfluous code that would generate false positives during security image scans, and save developers time from hunting and mitigating vulnerabilities that were not a threat.
Support Your Security with Automation
Substantial delivery acceleration occurs when security tools, like those mentioned above, are integrated into the build and delivery pipelines, as well as integrated into the development processes. Development process integration means there are well-defined security quality metrics and events that break builds or pause delivery, and that there is full life cycle management of newly discovered security issues as well as existing ones. Piling up security findings is known to be a failing practice. A true commitment to embed security into modernized applications involves people, technologies and processes to triage, prioritize and fix security findings.
Automation enables you to set standards and prevent drifts in your coding practices that would introduce vulnerabilities down the road, such as changes in access rights to certain workloads, well before those changes even get to production.
Your Culture Also Needs to Be Modernized
Application modernization involves changes in how people leverage cloud-native technologies to design, build, operate, secure and run applications. From a security standpoint, there’s a huge advantage with appointing a security lead that is primarily or purely focused on cloud-native security aspects of the modernized application. This creates visibility into what the developers are building, enabling security stakeholders to contribute their requirements and perspectives before the application is generally available. Having and making all parties accountable for security ensures software is delivered with the best security posture possible.
Another benefit of having a designated security tech lead is to build some know-how about security practices that other members of the development team can leverage when they have questions. It can be draining and inconsistent to try to depend on every team member to know and handle the security aspects around their coding. Instead of each member individually reinventing the wheel, which has a steep learning curve where security is concerned, they can tap the wisdom of the designated security lead.
Conclusion
Modernizing software by moving from monolithic applications to microservices, or building cloud-native greenfield applications by leveraging cloud-native infrastructure such as containers and Kubernetes is not a trivial task. Use of novel technologies and processes create new and unforeseen security challenges. Carefully building minimal containers for each microservice ensures microservices are deployed with hardened configurations and network segmentation as needed. Plugging the various security configuration checks into automation processes and structuring your teams with a dedicated security lead will help to continuously minimize security risks and prevent potential security drifts.
About the Author
Gadi Naor is CTO and Co-Founder of Alcide. Gadi Naor has 18 years of engineering experience, from kernel-based development through leading development of cybersecurity products. He started his professional career at Check Point. Gadi then joined Altor Networks, a pioneer in virtualized data center security, later acquired by Juniper Networks. Prior to Alcide, Gadi co-founded Fitfully, at which he served as CTO. Gadi holds a B.A. in computer science from the Technion Institute of Technology. Gadi can be reached online at (gadi@alcide.io, LinkedIn, Twitter) and at our company website https://www.alcide.io/.