Dynatrace sponsored this post.
Dynamic multiclouds are the platform of choice for digital transformation, with DevOps accelerating deployment speeds for new releases and cloud native applications becoming increasingly interconnected. But, as a recent research study of CIOs around the world reveals, the pace of digital transformation is driving overwhelming levels of complexity in these environments. According to the research, 89% of CIOs say digital transformation has accelerated over the past 12 months, with 86% attributing that increase to adopting cloud native technologies — including containers, microservices and Kubernetes. All of this has resulted in what two-thirds of CIOs say is a dynamic multicloud environment that is so complex it is now beyond human ability to manage.
This level of cloud complexity has another downside. Cloud native app development processes are now starting to break traditional approaches to app security. Web service integrations are creating holes in firewalls, intrusion detection systems are failing to capture network content, and vulnerability scanners are missing real-time changes in production and pre-production environments. These gaps point to how dynamic multiclouds — and specifically the containers, microservices and Kubernetes platforms these environments are built on — have made traditional app security approaches insufficient. These traditional security models can no longer meet the needs of the C-Suite or the DevSecOps teams that rely on them, leaving the door open for dangerous gaps in application security.
Here are three reasons why traditional app security approaches are falling short of what dynamic multicloud environments need, and why an upgrade is overdue.
1. Risk and Complexity
Open source and Kubernetes introduce a new level of risk and complexity that existing application security approaches can’t match.
Over the past 12 months, nearly one-third of organizations traced a data breach back to open source components in their enterprise applications. This is troubling when an estimated 80% to 90% of enterprise applications are comprised of open source components. Kubernetes package managers introduce even more risk: more than two-thirds of Helm charts contain an image with at least one high-risk vulnerability, and over 60% of organizations are either unaware of the baseline Kubernetes security measures they should be using, or are aware but simply don’t use them.
Taken together, cloud native app development and Kubernetes are introducing new layers of complexity that leave traditional security approaches unable to follow vulnerability profiles through microservices, containers and different versions.
Additionally, because these conventional methods are embedded in the continuous delivery pipeline and can be exposed to many potential vulnerabilities, their lack of visibility raises several issues:
- How to determine what is really running in the environment, and identify what’s running in real time.
- How to assess exposure to hosts, containers, credentials and data storage.
- How to prioritize action on potentially hundreds of vulnerabilities, without knowledge of what’s running where and who is accessing it.
- How to differentiate the real vulnerabilities from the false positives and keep track of them all.
All of this points to the need for automatic and intelligent security solutions that expand the reach of runtime application security in a multicloud environment. This facilitates more reliable insights that can’t be broken by containers, microservices and Kubernetes platforms.
2. Lack of Confidence and Context in Vulnerability Protection
Pre-production environment scans are important for vulnerability detection, but have become insufficient for several reasons, including:
- New vulnerabilities may be identified post-deployment.
- Production rollbacks may end up re-introducing vulnerabilities.
- Modern cloud native stacks may also build or update containers on the fly, potentially creating configurations different from those in staging and pre-production.
- Scans identify many false positives, and don’t recognize that only a fraction of the code is actually executed in production.
- These false positives present an additional risk, with alerts both distracting developers from their actual job and leading to fatigue — subsequently raising the risk of missing vulnerabilities and further exacerbating security risks.
- If vulnerability scans are set up manually, DevSecOps processes move so fast that when changes happen in production, security vulnerabilities may be missed altogether.
The underlying theme connecting all of this is a lack of context. If vulnerability scanners can’t capture all changes in an environment, that missing context means DevSecOps teams don’t have a full understanding of their exposure to vulnerabilities in different runtime situations.
3. Traditional Security Tools Bottleneck Development and DevSecOps
Keeping up with security requirements, checks and coverage today is difficult. And it only gets more cumbersome as environments and DevSecOps pipelines change at an increasingly fast pace.
Current security tools were purpose-built for waterfall-based development, meaning they bottleneck agile-based DevSecOps. They’re time-consuming, not developer-friendly, and riddled with false positives. Those false positives are a problem, as scanners lack the context needed to determine whether those are real vulnerabilities that expose risk, or are being flagged incorrectly as alerts. Consequently, DevSecOps teams are forced to waste time chasing problems that aren’t relevant — or aren’t even actually there.
Additionally, pureplay security solutions built for DevSecOps introduce deployment friction (through agents), while lacking a breadth of technology coverage — which can negatively impact application performance, start time and stability. Given all this, the challenge of security actively slowing down DevSecOps, rather than bolstering it, has reached a critical mass.
Dynamic Multiclouds Require Dynamic Security Approaches
Effective app security for dynamic multicloud environments requires a next-generation upgrade.
What does that entail? An upgrade means automatic deployment and instrumentation in production that requires no manual configurations. It means real-time dependency mapping and transaction flow analysis for risk assessment of vulnerability exposures, with automatic and continuous updates to understand runtime app vulnerabilities and their impacts on production environments. It also means full-stack code and infrastructure observability and analysis for following attack vectors. Intelligent analytics that weed out false positives created by code that wasn’t executed in the first place. And finally, AI-assistance that automates risk assessment and prioritizes risks by business impact. All of this is driven by a core understanding that if and when you’re exposed, the time to act is limited and crucial — every second counts.
In a dynamic and multicloud world, traditional app security doesn’t cut it anymore. Vulnerability detection and risk assessment now need an AI-driven, continuous automation upgrade that keeps organizations ahead of the curve and secure.
Feature image via Pixabay.
The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: MADE, Real.