Critical AppSec Capabilities That Accelerate Cloud Transformation

Written by Sujatha Yakasiri, CSA Bangalore Chapter and Stan Wisseman, CyberRes

Cloud Technology is one of the fastest-growing technologies across the globe these days. Cloud adoption by organizations has increased exponentially especially during the covid-19 outbreak due to remote working culture.

According to a recent global research survey on "Cloud Security and Technology Maturity Survey" conducted by the Cloud Security Alliance (CSA) in collaboration with Micro Focus, CyberRes and the CSA Bangalore Chapter reveals that,

• 61% of organizations utilize some form of hybrid cloud, indicating continued use of on-premises in combination with the cloud.
• Other models such as public cloud only (18%), private cloud only (9%), and multi-cloud (9%) were less common.

While embracing cloud technology is regarded as a great move, it is equally important to understand nuances of different cloud services providers, technology limitations and Implementation challenges and most importantly security of the cloud and security in the cloud in short, shared responsibility model. From past couple of years, 79% of companies have experienced at least one cloud data breach; even more alarmingly, 43% have reported 10 or more breaches in that time.

Cloud application security is all about governance, tools, policies, and security controls that are put in place to protect data/information exchanged within the cloud environment and applications deployed to the cloud. In this blog we will try to discuss some interesting application security topics in Cloud Transformation journey such as DevSecOps, Cloud Native AppSec and Software Supply Chain.

Accelerating Speed of Security Testing at the pace of DevOps

Today, 75% of organizations deliver changes more than once per month, an increase of 14% over the past 5 years. But the speed of security testing has failed to keep up with the velocity of development. Hence, security must do a better job of keeping pace with the ‘everything-as-code’ era to transition from point of friction to enablement, without sacrificing quality.

Cloud DevSecOps heavily focuses on automating application deployment and infrastructure operations to produce harder, more secure, and more resilient applications. Cloud Native application development moves through the process of continuous integration and testing cloud-based services. It is very important to find right set of security tools that could easily get integrated into various cloud service provider’s CI/CD pipelines and help organizations to find the security vulnerabilities early in the SDLC.

Reducing risk through DevSecOps Automation

• Improved compliance: Anything that goes into production is created by the CI/CD pipeline on approved code and configuration templates supported by various cloud service providers. Dev/Test/Prod are all based on the exact same source files, which eliminates any deviation from known good standards.
• Automated testing: As discussed, a wide variety of security testing like SAST (static application security testing), IAST (Interactive Application Security Testing), DAST (Dynamic Application Security Testing), SCA (Software Composition Analysis), Infrastructure Configuration Scanning, monitoring etc. can be integrated into the CI/CD pipeline, with manual testing added as needed to supplement. Starting security checks at pipeline will slow down the process. To speed up this process and give immediate feedback to developers, it's advisable adding IDE security plug-ins and pre-commit hooks.
• Immutable Infrastructure as a code (IaC): CI/CD pipelines can produce master images for virtual machines, containers, and infrastructure stacks very quickly and reliably. This enables automated deployments and immutable infrastructure.
• Improved auditing and change management: CI/CD pipelines can track everything, down to individual character changes in source files that are tied to the person submitting the change, with the entire history of the application stack (including infrastructure) stored in a version control repository. This offers considerable audit and change-tracking benefits.

Agile Security for Modern and Cloud Native Application Development

By 2025, Gartner estimates that over 95% of new digital workloads will be deployed on cloud-native platforms, up from 30% in 2021. Cloud native computing is an approach in software development that utilizes cloud computing to “build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds”. Technologies such as containers, microservices, serverless functions and immutable infrastructure, deployed via declarative code are common elements of this architectural style.

Along with regular application code, it is very important for organizations to scope the security risks that are posed by these modern application development technologies like containers, microservices, APIs, serverless, infrastructure-as-code and other cloud-first technologies and integrate the relevant security checks as part of the SDLC.

For example, let’s look at container and IaC (Infrastructure as Code) modules, they provide an opportunity to find security risks before they are deployed, by testing for flaws as part of the CI/CD pipeline, driving far better efficiency. They reside as files in a source code repository as the rest of the app. Hence, these should be looked at dev-first tools and choosing right security tools which can integrate well into the developer flows like from IDE plugin itself and then part of CI/CD pipelines.

As per OWASP, the below cited are some of the security risks that might be possible in cloud-native applications if appropriate security measures are not taken care.

1. Insecure cloud, container, or orchestration configuration: Security risks could be publicly open s3 buckets, containers running as root, containers sharing resource with host (network interface), insecure infrastructure as code (IaC) configuration.
2. Improper authentication and authorization: Unauthenticated API access on a microservice, Over-permissive cloud IAM role, Lack of orchestrator node trust rules (e.g., unauthorized hosts joining the cluster), Unauthenticated orchestrator console access, Unauthorized or overly permissive orchestrator access
3. CI/CD pipeline & software supply chain flaws: Insufficient authentication on CI/CD pipeline systems, Use of untrusted images, Use of stale images, Insecure communication channels to registries, overly permissive registry access, using a single environment to run CI/CD tasks for projects requiring different levels of security.
4. Insecure secrets storage: Over-permissive pod to pod communication allowed, Internal microservices exposed to the public Internet, no network segmentation defined, End-to-end communications not encrypted, Network traffic to unknown or potentially malicious domains not monitored and blocked
5. Inadequate ‘compute’ resource quota limits: Resource-unbound containers, Over-permissive request quota set on APIs.

Modern cloud native application development calls for a high degree of automation to avoid flaws due to manual steps. How much of security testing is automated plays an important role though. A recent survey by SANS sponsored by Microfocus reveals that only 29% of respondents indicated that they have automated the majority (75% or more) of their security testing. A contributing factor to this is that only 52% of organizations automate testing of any kind. Before DevOps teams will accept automated security testing, organizations need testing discipline, automated test infrastructure, and pipeline workflows in place.

Securing Software Supply Chain to increase resilience

A software supply chain is anything that goes into or affects your code from development, through your CI/CD pipeline, until it gets deployed into production.

To meet the sky-high business demands like faster software development and shorter release cycles, developers tend to use open-source software because of the added benefits like free of cost, faster development, and ease of use. This has been the general practice in both proprietary software and community-built software.

Do we really know what percentage of our application code is comprised of open-source software? Most of the typical software applications are, on average, comprised of 85% open-source software.

Developers might want to import one open-source library as direct dependency to complete a feature, but if we look at the dependency spectrum, that directly used library might be dependent on 5 or 6 other open-source libraries. These are referred to as transitive dependencies in the code. Most of the opensource software is prone to security vulnerabilities as security community keep researching possible security vulnerabilities in the open-source software. Does our SCA security tools check for vulnerabilities in transitive dependencies? If so, what is the depth level it will analyse?

Let’s look at some of the recent hacks that shook the world.

• A recent SolarWinds Orion hack where hackers managed to inject malicious code known as Sunburst into Orion software by breaking into their build environment. More than 18,000 SolarWinds customers installed the malicious updates, with the malware spreading undetected.
• Apache Log4j/Log4shell hack which set the internet on fire was given CVSS score of 10/10. Logging is a fundamental feature of most software, which makes Log4j very widespread. Log4shell is a remote code execution (RCE) vulnerability that enables hackers to execute arbitrary code and take full control of vulnerable devices.
• Container & Orchestration vulnerabilities: A critical vulnerability in OpenShift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed. Not only that, vulnerabilities in official base images, but insecure configurations in orchestration manifest etc. are also possible.

All the above-mentioned hacks/vulnerabilities are real wakeup call for the community to supply chain security risks. Hackers are spending their time and energy in identifying vulnerabilities in widely used opensource software, because they feel that it is the easy way to increase their bug bounty by attacking multiple targets.

Protecting the CI/CD Pipeline

Automated build and deployment pipelines provide a direct path from development to production, making them a tasty target for attackers. If attackers can compromise the repositories or build chain, they can inject malware into production systems without penetrating them.

• The CI/CD environment all need to be protected: the source and artifact repositories, the CI/CD toolchain configuration and runtime, the keys and other secrets used, and the infrastructure for running these services.
• Increased hardening of the development and build environment and build pipelines
• Auditing and surveillance of the development and build processes
• Scanning and analysis of source code and build artifacts to ensure that they match
• Enforcing multifactor authentication (MFA) and strict access controls across the development and build environment

Protecting Software Supply Chain

There are several frameworks that supply chain security practitioners can reference.

1. At the command of President Biden’s executive order (EO) issued last May, the National Institute of Standards and Technology (NIST) released on 4 Feb their Secure Software Development Framework (SSDF). The SSDF spells out minimum recommendations for US federal agencies to follow as they acquire software or a product containing software.
2. Google has released the Supply chain Levels for Software Artifact (SLSA) framework for ensuring software supply chain and build integrity
3. OWASP has the Software Component Verification Standard (SCVS) which identifies activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.

Conclusion

Application security continues to evolve from shifting left to shifting everywhere as we move further into a cloud-driven era. Enterprises should constantly study the evolution of cloud technology, its capabilities, techniques and use appropriate automation tools that are easy to use and seamlessly integrates with any cloud provider CI/CD platforms to secure applications that are not just cloud native but cloud agnostic also. Most importantly protect their CI/CD pipelines. Keep a tab on ever-evolving cloud security standards, Cloud DevSecOps techniques and Software Supply Chain Security Standards and put them to use.

Know more

The CSA Bangalore Chapter in association with CyberRes are conducting a global webinar focusing on Critical AppSec Capabilities that accelerate Cloud Transformation.

You can join the live session on June 9th, 7:30 PM IST/ 4 PM CET / 10 AM EST by registering for the webinar. Register Here.

Reference Links

• https://community.microfocus.com/cyberres/b/sws-22/posts/devsecops-with-public-cloud-providers-automated-security-testing-with-aws-codestar?utm_source=blog&utm_medium=referral&utm_campaign=7014J000000dXXYQA2
• https://community.microfocus.com/cyberres/b/sws-22/posts/devsecops-with-public-cloud-providers-the-path-to-automated-and-integrated-security-testing?utm_source=blog&utm_medium=referral&utm_campaign=7014J000000dXXYQA2
• https://community.microfocus.com/cyberres/b/sws-22/posts/devsecops-with-public-cloud-providers-automated-security-testing-with-azure-devops
• https://community.microfocus.com/cyberres/b/sws-22/posts/devsecops-with-public-cloud-providers-automated-security-testing-with-google-cloud-platform
• https://www.microfocus.com/en-us/assets/cyberres/sans-survey