The number of cloud applications has grown in parallel with the high rate of cloud adoption among Australian businesses over the past couple of years.
Part of the attractiveness of shifting to the cloud is that it ushers in a more modular approach to building applications. This enables development and operations teams to create and deploy feature-rich apps very quickly.
However, the same characteristics that make cloud-native applications nimble and agile can also introduce a variety of cloud application security risks. In particular, their distributed nature – components hosted in various clouds, connected via APIs, and either hand-coded or ‘borrowed’ from free open source libraries – increases the application’s, and therefore the organisation’s, attack surface.
It’s perhaps no surprise that attacks exploiting application-level vulnerabilities have emerged as the most common type. This has led to the issuance of joint advisories from Australian and US cybersecurity agencies, warning web app developers and designers to stay alert to the threats.
Australian organisations developing internet-facing, cloud-based apps typically face five common challenges when it comes to securing those apps:
1. Difficulty identifying open source vulnerabilities
Some 96% of software programs include some kind of open source component, and up to 70% of the codebase of cloud applications comprises open source code.
Using open source software can help accelerate development because developers don’t need to reinvent the wheel with every new application build. For example, if organisations are building an app to handle data flows from multiple sources, they might find open source APIs that eliminate the need to build key connectors from scratch.
However, open source software is often a vector for security vulnerabilities. Research estimates that nearly half of all applications that contain open source code are exposed to high-risk vulnerabilities. One reason for this is that the open source code may be under- or un-maintained. There have also been examples of attackers seeding malicious code in open source software that is unknowingly downloaded and then incorporated into app codebases.
To properly secure applications, developers must be able to identify and eliminate these vulnerabilities, but this can be challenging work. Developer tools, such as Software Composition Analysis, often produce large numbers of false-positive alerts, and investigating them slows development. Moreover, common production tools, such as network scanners, can’t properly detect open source vulnerabilities inside cloud-native infrastructure such as containers.
2. Lack of security automation and DevSecOps maturity
Security tools that require manual steps, configurations, and custom scripts slow down the pace of development. Tools that take a long time to run and produce results do the same.
In a recent survey, 86% of CISOs stated that automation and AI are critical for a successful DevSecOps practice and overcoming resource challenges. However, only 12% report having a mature DevSecOps culture. Consequently, 81% of CISOs say they are concerned they will see more security vulnerability exploits if they don’t find a way to make DevSecOps work more effectively.
3. Too many security point solutions
Cloud application security tools only work if developers can integrate and act on their findings. The same CISO research found that 97% of respondents said the use of too many point solutions for specific security tasks is causing problems.
Another 75% reported that team silos and the proliferation of security point solutions throughout the DevSecOps lifecycle increase the risk of vulnerabilities slipping through to production.
4. Modern development practices hamper zero-day vulnerability detection
Although modern development tools – such as open source software and microservices-based application architecture – make applications more flexible, they also widen the range of places where vulnerabilities can appear.
In the CISO research, 68% of respondents said vulnerability management has become more difficult as the complexity of their software supply chain and cloud ecosystems has increased. Similarly, 76% said the time between discovering a zero-day attack and patching all instances of vulnerable software is a significant challenge to minimising risk.
5. Siloed visibility
Traditional security tools have a siloed view of vulnerabilities. These tools can’t properly assess the risks of microservices-based applications and they can’t see beyond cloud boundaries. As a result, these tools can’t provide a complete picture of a cloud-based application.
They also don’t allow proper enforcement of security policies consistently across boundaries. Instead, teams adopt multiple products – different products for different environments – and then stitch things together. The typical result is poor communication across tools and teams.
A path forward
Organisations must evolve from traditional, manual security practices to a more intelligent, automated approach to cloud application security. A mature cloud application security programme enables organisations to follow secure coding practices, monitor and log activity for detection and response, comply with regulations, and develop incident response plans.
By combining cloud application security and observability data into a unified analytics platform, organisations will be better positioned to improve their overall application security posture. An observability-driven approach to security monitoring informs teams of any vulnerabilities or attacks as they arise in real time.
Organisations are also advised to incorporate security into each phase of the software development lifecycle. This can be supported with AIOps tooling at the backend that continuously auto-discovers and maps out changing cloud environments in real time. This should provide a well-rounded approach to detecting anomalous app traffic and vulnerabilities that threaten the organisation’s security posture and future in the cloud.