Cloud-Native Development - Security Challenge or Opportunity?
Originally published by Dazz.
Written by Eyal Golombek, Director of Product Management, Dazz.
Modern SDLC - Complex but manageable
Cloud-native development and modern DevOps practices enable faster development cycles, high scalability, and smoother maintenance processes, yet, they also introduce new complexities for security teams. The introduction of IaC and containerized workloads, for example, brought exceptional flexibility and control to development teams and increased software stability and development velocity. However, they introduced new application and infrastructure risks for the security team.
There is a way for security teams to benefit from these new practices and technologies, plus keep pace with increased development velocity, without compromising their ability to govern and manage the risk. Security and development teams must be able to embrace the inherent modularity of cloud resources, such as containerized workloads and cloud development, while also efficiently resolving thousands of high-risk issues that seem to pile up in the backlog continuously.
Containerized workloads give development teams more control over the infrastructure and operating system levels of their applications, which dramatically increases both the velocity of development and the stability of their applications. From a security perspective, they also introduce fantastic opportunities for easy remediation and easy patching of security flaws, such as the following examples:
- Bulk remediation: One core concept of containers is that they are built-in layers. Most containers actually have their operating system implemented at a deep layer. In many cases, this deep base image is the root cause of most security flaws. With a root cause analysis engine, security teams can easily map a large chunk of vulnerabilities back to this hidden base image. Fixes can be implemented at the root cause, which solves many flaws with one simple fix. What was once a tedious process of patching hundreds of CVEs one by one can now be replaced by a simple change of one line of code directly at the root cause.
- ShiftLeft remediation: Given classic workloads running in cloud environments, the process of patching security flaws requires manually running commands on each and every virtual machine. This process is time-consuming, tedious, and doesn’t empower development teams to own their security risks. When environments are containerized, we can utilize root cause analysis capabilities to automatically map cloud workloads back to their respective development team. This approach shifts the responsibility for the fix back to the relevant dev team member and enables the democratization of the fix to allow remediation at scale.
Modern cloud-native development practices are evolving at a meteoric pace. Keeping pace with the ever-changing landscape of technologies is overwhelming for security teams. On top of this, they face the onerous job of governing and securing distributed development teams, disparate tech stacks, and complicated infrastructure environments.
Building a security program that harnesses modern SDLC for risk reduction instead of fighting modern SDLC is an efficient and smart way for security teams to keep up with the cloud migration. Doing so reduces friction and removes silos between security and development teams by enabling both teams to prioritize the alerts and backlog that matter most. By using “shift left of cloud” insights, teams can fix code issues faster, thereby reducing the window of exposure time and also the cost of lost developer productivity.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.
Cascading and Concentration Risk: How do They Impact Your Digital Supply Chain?