
Misconfigurations and Alert Fatigue Require a Modern AppSec Approach


Businesses are adopting development and operations (DevOps) to tap into new business opportunities. These DevOps initiatives are the engine driving digital transformation. But as DevOps takes hold and organizations focus more and more of their time and energy on building new applications and enhancing existing ones, the attack surface grows. As much of DevOps happens in private or public clouds or a hybrid combination, the attack exposure increases further.

SPEED AND DEVOPS

Speed is the name of the game when it comes to DevOps. C-suite and even board of directors push for greater speed and agility, often at the risk of security. A McKinsey report that surveyed CEOs around the globe places revenue acceleration, improved agility, and faster time to market at the top of the list of CEO priorities. Indeed, over half of organizations admit that they sacrifice cybersecurity for speed.

Conferences like RSA help drive awareness around the disconnect between business agility and security. When DevOps and security are distinct functions without integration, developers and security professionals are frustrated alike. Static application security testing (SAST) produces slow and often ineffective outcomes: it elongates development cycles while surfacing false positives whose triage and remediation consume considerable time. Dynamic application security testing (DAST) isn’t much better.

NEW REPORT ON DEVOPS

In advance of RSA, Palo Alto Networks released its “Spring 2020 Cloud Threat Report: Putting Sec in DevOps.” The report contains a number of interesting findings from the security company’s threat intelligence lab Unit 42. Let’s take a look at a few of them.

Misconfigurations Create Coding Delays

Misconfiguration remains a huge challenge for developers. The report finds that 65% of public cloud security incidents are the result of misconfigurations. With the push from CEOs for greater DevOps speed and agility, development teams are looking for ways to move quicker and push applications out faster.

Research findings in the report pinpoint some specific areas of misconfiguration that are impacting software development life cycles (SDLCs). First, 42% of CloudFormation configuration files contain at least one insecure configuration. Some of the most egregious examples include failure to enable server-side encryption (48%) and failure to enable encryption for Relational Database Service (RDS) instances (41%). In other instances, user-configured S3 buckets are active without logging enabled.

Second, Terraform configuration files are another area of concern, with 22% of them containing at least one insecure configuration. Examples Unit 42 cites include cloud user-configured S3 buckets without logging enabled (66%), user-configured AWS EC2 instances with SSH (port 22) exposed to the internet (26%), and cloud-user AWS Security Groups that allow all inbound traffic (17%).

Finally, a smaller number, 9% of Google Kubernetes YAML files, also contain at least one insecure configuration. Given the importance that Kubernetes containers play for many development teams, the vulnerabilities these misconfigurations expose can be serious. Examples Unit 42 lists include sharing the host network namespace (32%), running as root or with privileged accounts (26%), and running containers with dangerous capabilities activated (20%).

Alert Fatigue Creates Inefficiencies and Risk

Alert fatigue is a serious challenge for security and development teams. Unit 42 identifies five alerts and events that are the most severe:

  • Allowing public access to port 22 (SSH) (76%)
  • Allowing public access to port 3389 (RDP) (69%)
  • Failing to enable logging for data storage (64%)
  • Not enabling encryption for data storage (62%)
  • Not using tracking functionality for serverless functions (47%)

Unit 42 calls out two troubling trends regarding alerts: an uptick of 20% for SSH public access, and a 30% jump for RDP public access. Both should trouble security professionals and developers alike. And with organizations dealing with an average of 174,000 alerts per week, security teams are struggling to keep up. Security teams that rely on managed service providers (MSPs) to manage threat alerts may need to rethink that reliance. A study by Advanced Threat Analytics finds that MSPs tune specific alerting features or thresholds to reduce alert volume (67%), ignore certain categories of alerts (38%), turn off high-volume alerting features (27%), and hire more analysts (24%).
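The misconfiguration classes the report enumerates (unencrypted S3 and RDS, buckets without logging, SSH and RDP open to the internet, allow-all security groups, hostNetwork, root and privileged containers, dangerous capabilities) are all detectable before deployment by reading the configuration files themselves. The following checker is an added example written for this page; it is not code from the report, from Unit 42, or from Contrast. It assumes the inputs have already been parsed into Python dicts (CloudFormation JSON, Terraform `.tf.json`, Kubernetes manifest JSON), and the `DANGEROUS_CAPS` set and the three sample documents are constructed for illustration.

```python
"""Flag the misconfiguration classes named in the Unit 42 report in
parsed CloudFormation, Terraform (.tf.json) and Kubernetes documents.

Assumptions (not from the report): inputs are dicts produced by a JSON or
YAML parser; DANGEROUS_CAPS is a constructed example set of Linux
capabilities, not an authoritative list.
"""
import json

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}
ANY_IPV4 = "0.0.0.0/0"


def check_cloudformation(template):
    """Unencrypted or unlogged S3 buckets and unencrypted RDS instances."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append(f"{name}: S3 bucket without server-side encryption")
            if "LoggingConfiguration" not in props:
                findings.append(f"{name}: S3 bucket without access logging")
        elif res.get("Type") == "AWS::RDS::DBInstance":
            if props.get("StorageEncrypted") is not True:
                findings.append(f"{name}: RDS instance without storage encryption")
    return findings


def check_terraform(doc):
    """Security groups reachable from anywhere, and S3 buckets without logging."""
    findings = []
    resources = doc.get("resource", {})
    for name, sg in resources.get("aws_security_group", {}).items():
        for rule in sg.get("ingress", []):
            if ANY_IPV4 not in rule.get("cidr_blocks", []):
                continue  # only internet-reachable rules matter here
            proto = str(rule.get("protocol"))
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
            if proto == "-1" or (lo == 0 and hi == 65535):
                findings.append(f"{name}: security group allows all inbound traffic")
            elif lo <= 22 <= hi:
                findings.append(f"{name}: SSH (22) open to the internet")
            elif lo <= 3389 <= hi:
                findings.append(f"{name}: RDP (3389) open to the internet")
    for name, bucket in resources.get("aws_s3_bucket", {}).items():
        if "logging" not in bucket:
            findings.append(f"{name}: S3 bucket without access logging")
    return findings


def check_kubernetes(manifest):
    """hostNetwork, privileged or root containers, dangerous capabilities."""
    findings = []
    pod = manifest.get("spec", {})
    if "template" in pod:  # Deployments, Jobs, etc. wrap a pod template
        pod = pod["template"].get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    if pod.get("hostNetwork") is True:
        findings.append(f"{name}: pod shares the host network namespace")
    pod_non_root = pod.get("securityContext", {}).get("runAsNonRoot") is True
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c.get('name')}"
        if sc.get("privileged") is True:
            findings.append(f"{cname}: privileged container")
        # Heuristic: explicit UID 0, or no UID and no runAsNonRoot guard anywhere
        run_as = sc.get("runAsUser")
        if run_as == 0 or (run_as is None and not (sc.get("runAsNonRoot") is True or pod_non_root)):
            findings.append(f"{cname}: may run as root")
        bad = sorted(set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS)
        if bad:
            findings.append(f"{cname}: dangerous capabilities added: {', '.join(bad)}")
    return findings


# Constructed sample documents (not from the report).
CFN_SAMPLE = json.loads("""{"Resources": {
  "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "Db": {"Type": "AWS::RDS::DBInstance",
         "Properties": {"Engine": "postgres", "StorageEncrypted": false}}}}""")

TF_SAMPLE = json.loads("""{"resource": {
  "aws_security_group": {
    "bastion":   {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
    "wide_open": {"ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]},
    "internal":  {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
  "aws_s3_bucket": {"assets": {"bucket": "example-assets"}}}}""")

K8S_SAMPLE = json.loads("""{"kind": "Pod", "metadata": {"name": "debug"},
  "spec": {"hostNetwork": true,
           "containers": [{"name": "shell", "image": "busybox",
                           "securityContext": {"privileged": true, "runAsUser": 0,
                                               "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}}]}}""")


def run_all():
    """Run every checker over the constructed samples, keyed by file kind."""
    return {
        "cloudformation": check_cloudformation(CFN_SAMPLE),
        "terraform": check_terraform(TF_SAMPLE),
        "kubernetes": check_kubernetes(K8S_SAMPLE),
    }


if __name__ == "__main__":
    for kind, findings in run_all().items():
        print(kind)
        for f in findings:
            print("  -", f)
```

Run as a pre-commit or CI step, a checker like this fails the build on the same categories that later become the highest-volume alerts in the list above, which is the practical meaning of shifting the check left: the `internal` security group (same port, private CIDR) is intentionally not flagged, so the check reports only internet-reachable exposure rather than every use of port 22.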

Mapping a Modern DevOps-Native AppSec Approach

With DevOps practices gaining momentum, integrating security functions across toolchains—from coding to testing to production—becomes necessary to achieve the visibility and context into threats across cloud environments. Defects become increasingly more expensive to fix the later they are discovered in the software development life cycle. Implementing security actions within applications empowers developers to commit clean code, while eliminating the need to hire DevSecOps experts or train developers on security nuances.

The stark reality is that development teams are simply too busy to perform application security activities. They are burdened by legacy tools that do not perform well in changing environments (e.g., cloud, containers, microservices, etc.) as well as the politics of implementing cultural changes in their organizations. Simply layering on a bunch of disparate security tools and solutions may solve for “check box” compliance, yet it also ultimately results in over provisioning and a loss of cohesion across teams.

One study finds that flaws discovered during testing cost 15x more to fix than those found in design. And this does not include maintenance costs, which the study pegs at as much as 100x more. Shifting left enables developers to focus on delivering applications faster with less effort—and ultimately at lower cost.

Contrast Offers a Revolutionary Alternative

Developers need modern DevOps solutions, including AppSec, that enable them to produce code faster and more efficiently while speeding the rollout of releases. Security should be an enabler of this process rather than a detractor.

Contrast Security understands these challenges and is enabling thousands of developers from hundreds of companies to focus on their core business requirements while ensuring that their applications are secure. The Contrast DevOps-Native AppSec Platform extends from testing, to development, to production—providing transparency across the entire application attack surface. And because Contrast embeds within each application, developers do not need to become security experts and manage another DevOps tool. By shifting left and extending right, Contrast accelerates and protects DevOps processes.

The continuous cycle of AppSec moves and scales with applications, requiring no configuration or separate testing. Relying on instrumentation, Contrast takes the guesswork out of AppSec, driving down cost, improving efficiencies, and managing application risk.


Marcelo Oliveira, VP of Product Management


Marcelo possesses extensive experience in product management roles of increasing scope and responsibility for Fortune 500 companies to fast-growth startups. An author of 16 issued U.S. patents, Marcelo blends technical and business acumen to create products that deliver unparalleled customer experiences. He has launched and built extremely successful product lines as well as turned around struggling product lines. He holds an MBA from the University of California at Berkeley and a Bachelor of Science in Electrical Engineering from the Universidade Tecnológica Federal do Paraná. He currently serves as a board member for Cancer CAREpoint that provides personalized counseling, assistance, resources, and education to Silicon Valley cancer patients, survivors, and families.