How AppSec Fits into the World of DevOps and Containers

Business undertaking digital transformation initiatives are turning to Agile development and DevOps workflows to execute their software projects. Agile lets software teams respond quickly to customer needs, and DevOps helps organizations deploy applications continuously so customers can see and use the software, and provide feedback on how well it meets their requirements. Agile and DevOps have led to an entire new world of software practices and tools, one of which is Containers.

Containers – Not Just for Leftovers

Containers have vastly advanced the DevOps movement by making it easier to create self ‘contained’ applications that can run in far more places – like the cloud – and with better resource utilization. Containers provide everything necessary to run an application, without the Ops teams having to worry about OS-level configuration settings – something that can quickly get out hand.

Looking back at the recent trends in software deployment, it is clear to see the movement away from physical servers to virtualization from virtualization to the cloud. Containers are the next step in cloud application deployment. Containers are an innovative technology that help organizations build and deploy scalable cloud applications. 

Underpinning Security all Through the Application Lifecycle

In the faster-paced world of DevOps, the process of deploying and scaling applications got easier — but, somehow, application security got overlooked. But digital transformation efforts bring every facet of our lives and businesses under the influence and control of software, so protecting applications from malicious actors is a task that shouldn’t be left to chance.

The application security challenge in the age of DevOps and containers is that enterprises need to make software secure, without unnecessarily burdening the developers or slowing down existing software development processes.

Contained is not Secured

Placing an application within a container does not make the software less vulnerable nor does it protect it from attack. Native container security features and stand-alone product (like Aqua, Twistlock and CoreOS) are focused on network security issues, and don’t address application security for containerized applications. That is why it is still necessary to assess and protect individual apps within a container environment. 

Legacy Application Security Tools Fall into Two Categories:

1. SCAN & TEST: Tools that try to help developers build more secure software. This is typically done by running scans and weeding out the irrelevant results. This category includes static and dynamic application security testing (SAST and DAST) solutions. On the other end of the spectrum are human experts performing manual penetration (pen) tests. These folks are expensive and scarce.

2. MONITOR & BLOCK: Tools provide perimeter protection for applications in production. This category includes web application firewalls (WAFs) and, to some extent, intrusion prevention systems (IPS). They work by monitoring network-level application communications and drawing a “best-guess boundary” around the application. 

However, the tools in those categories have their own challenges generally, and simply don’t fit with DevOps or containers.

The right approach to securing software in a DevOps environment with containers would be to:

1. Inform developers about the vulnerabilities in the code as they arise, and
2. Build controls inside the applications so that they can protect themselves against attacks.

Contrast offers two products that are delivered through a single platform, enabling enterprises to secure and protect the application all through the lifecycle from development to production.

Contrast Assess

Contrast Assess infuses software with vulnerability assessment capabilities so that security flaws are automatically identified. It produces a continuous stream of accurate vulnerability information whenever and wherever software is run. Development, QA and Security teams get results as they develop and test software, enabling them to find and fix security flaws early in the software lifecycle, when they are easiest and cheapest to remediate. Most importantly, for DevOps and container environments, it integrates seamlessly into the tool sets that development & operations teams are already using, making Contrast Assess a perfect fit with modern software development techniques, including Agile, DevOps, containers, microservices, APIs, cloud, etc. 

Contrast Protect

Contrast Protect infuses software with attack detection capabilities so that software can protect itself from attacks. As with Contrast Assess, being a part of the application itself gives Contrast Protect unhindered visibility into the application, making it super accurate. For companies rolling out container-based applications, Contrast Protect resides inside the container, and prevents attacks.

Contrast & Containers

Containers support easy scaling of applications for performance and portability, and Contrast products enable companies to align their application security with their container efforts. The Contrast agent can reside as part of a Docker image and become a part of the entire software lifecycle from development to production. This becomes especially important when scaling instances up or down, or in Blue-Green deployments.

The Contrast platform integrates with build tools, bug-tracking systems, and SIEM vendors of your choice, providing security, vulnerability, and attack data available at your fingertips 

Welcome to the Era of Self-Protecting Software!

Tim Chase, Director of Security at Nielsen, recently shared his story of how he successfully built and scaled the DevOps function. Tim says that an instrumentation-based approach that enables applications to be assessed and protected simultaneously and continuously has transformed his DevOps program. 

 

 

2:15

Click on the image above to hear a short (2 minute) video
featuring with Jeff Williams and Tim Chase.