App sec as a service: Ready for the fast lane?

Robert Lemos, Technology Journalist, Independent

Traditional security testing is making less and less sense for many development teams.

Testing applications is a complex process: Static testing checks source code for defects and identifies patterns that indicate a potential security flaw. Dynamic testing checks a variety of inputs against a running program to determine whether any of them triggers a vulnerability.

Also, results from testing are not easy to turn into action. Often, a large number of false positives means developers must waste time running down potential flaws. The defects identified through testing are often not fully understood or acted upon.

Add in the need for speed to keep up with agile development, which increasingly is focused on microservices, and traditional security testing alone may not cut it.

But application security services are evolving. Here's a review of the state of app sec as a service. 


Where app sec services can help

No longer is it enough to offer a single service to test code and deliver the results back to the client. Companies are looking for services that integrate into DevOps processes.

Application security services also offer the advantage of providing a way for companies to deploy software while they work on the fixes for known vulnerabilities, said Jeff Williams, co-founder and CTO of Contrast Security, a provider of runtime application security products.

"Most companies need application security as a service, because they don't have a staff of experts and they can't do it with their internal staff."
Jeff Williams

Focusing on both finding vulnerabilities in cloud applications and adding security controls to protect applications could help companies that have been breached. Equifax, for example, allowed attackers to steal credit information on 143 million Americans by failing to patch flawed software—an attack against which app sec-as-a-service could protect.

David Linthicum, a chief cloud strategy officer at Deloitte Consulting, said application security services could protect against Equifax-style attacks. "It could save companies against those types of breaches," he said.

But he sounded a note of caution. The problem: Customers may become dependent on application security services. "They would wrap their applications in these ... services and think they were [fully] protected." 

Different approaches for microservices 

As software is increasingly being deployed to the cloud and companies focus on creating small development teams that can quickly change and deploy applications—so-called microservices—securing the resulting amalgamation has become more difficult to manage.

The problem is not new, but security experts are trying to pinpoint the best way to mitigate risks in microservices.

"The microservices design creates many smaller applications interacting among themselves that results in complex network activity," stated a group of researchers from Penn State University and Symantec in a 2015 paper, "Security-as-a-Service for Microservices-Based Cloud Applications" (PDF). "This makes monitoring and securing networks for the overall application and individual microservices very challenging," the researchers said.

The paper outlined an approach for turning application security into a service: Define a basic resource and API—the researchers called theirs "FlowTap"—and allow cloud customers to define which network flows they want to monitor. The resulting monitoring can focus on specific security conditions and impacts performance by only about 6%.

One application-security startup, ShiftLeft, has taken a different approach. Rather than monitor the network, its service analyzes microservice applications written in Java for security weaknesses, reports those weaknesses to the development team, and then creates an agent that is deployed with the microservice to block the exploitation of any flaws. The service can also use data collected by the deployed software to determine which attacks are attempting to exploit the microservices.

Code analysis cannot find all the problems, said Manish Gupta, co-founder and CTO of ShiftLeft. False negatives and some false positives cause you to miss things, he said.

"By feeding in the runtime data, we can see what is being exploited, so we can provide protection and give you an idea of which issues are most critical."
Manish Gupta


Why interactive application security testing is key

Other security firms have already started down the path of using agents to collect data at runtime to inform efforts to fix bugs and protect software at the same time. Used as a method of finding vulnerabilities, the approach is often referred to as interactive application security testing. When deployed as a way to protect software, the approach is known as runtime application security protection.

Using an agent gives you access to more information about what is going on inside the app and makes it much easier and more accurate to identify vulnerabilities and block attacks, Contrast's Williams said. 
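To make the agent idea concrete, here is a toy agent in the IAST/RASP style the article describes. It is an added example written for this page, not code from Contrast Security, ShiftLeft or any other vendor: the `Tainted` string type, the `Agent` class and the hook on `sqlite3.connect` are all constructed for illustration. Request input is marked as tainted, the driver is hooked at runtime so every cursor is instrumented, and when tainted text reaches the SQL sink the agent either records a finding (observe mode, the IAST use) or blocks the call (protect mode, the RASP use). The parameterised query shows why the extra runtime context matters: the SQL text is a constant, so only the bound value is tainted and no finding is raised.

```python
"""Toy runtime agent, IAST/RASP style (constructed example for this article)."""
import sqlite3


class Tainted(str):
    """A str that remembers it came from an untrusted source (hypothetical type).

    Concatenation and %-formatting return Tainted so the mark survives the
    usual ways a query gets built by hand. f-strings and str.format build
    their result in C and drop the mark; a real agent works below the
    Python level for that reason.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    def __mod__(self, other):
        return Tainted(str.__mod__(self, other))


class Agent:
    """mode='observe' records findings (IAST); mode='protect' also blocks (RASP)."""

    def __init__(self, mode="observe"):
        self.mode = mode
        self.findings = []
        self.installed = False

    def inspect(self, sink, sql):
        """Called by the instrumented sink with the SQL text about to run."""
        if isinstance(sql, Tainted):
            self.findings.append({"sink": sink, "sql": str(sql)})
            if self.mode == "protect":
                raise PermissionError(f"{sink}: untrusted data in SQL text blocked")

    def install(self):
        """Hook sqlite3.connect once so every connection hands out instrumented cursors."""
        if self.installed:
            return
        agent = self
        real_connect = sqlite3.connect

        class InstrumentedCursor(sqlite3.Cursor):
            def execute(self, sql, *args):
                agent.inspect("sqlite3.Cursor.execute", sql)
                return super().execute(sql, *args)

        class InstrumentedConnection(sqlite3.Connection):
            def cursor(self, factory=InstrumentedCursor):
                return super().cursor(factory)

            def execute(self, sql, *args):
                return self.cursor().execute(sql, *args)

        def connect(database, **kwargs):
            kwargs.setdefault("factory", InstrumentedConnection)
            return real_connect(database, **kwargs)

        sqlite3.connect = connect
        self.installed = True


AGENT = Agent()  # one module-level agent; install() hooks the driver once


def new_db():
    """Constructed in-memory database standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user(conn, username):
    """Hand-built query: tainted text becomes part of the SQL, so the agent fires."""
    sql = "SELECT name, role FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised query: the SQL text is constant, only the bound value is tainted."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (username,)).fetchall()


def run_demo(mode):
    """Run both lookups under the agent and report what it saw and did."""
    AGENT.mode = mode
    AGENT.findings.clear()
    AGENT.install()
    conn = new_db()
    username = Tainted("alice")  # constructed: stands in for a request parameter
    safe_rows = lookup_user_safe(conn, username)
    try:
        unsafe_rows = lookup_user(conn, username)
        blocked = False
    except PermissionError:
        unsafe_rows = []
        blocked = True
    return {"safe": safe_rows, "unsafe": unsafe_rows,
            "blocked": blocked, "findings": list(AGENT.findings)}


if __name__ == "__main__":
    print(run_demo("observe"))
    print(run_demo("protect"))
```

In observe mode the agent lets the hand-built query run and records one finding that names the sink and the exact SQL text, which is the kind of evidence a developer can act on directly; in protect mode the same hook raises before the query reaches the database, while the parameterised lookup keeps working in both modes.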

"If you can be more accurate about what is happening inside the application, you can identify problems more accurately, which means you don't generate as many false alarms, and that means that you can have less people involved."
—Jeff Williams

Security as code gets real

These approaches mirror the current DevSecOps notion of turning security into code. Creating a way for developers to express the security controls and considerations needed to protect their code, and build those controls into their deployed products, can make security more agile and responsive.

"It's about establishing guardrails around your applications," Williams said. "You can say we always want to see this code pattern, or we never want to see this code pattern. So that's absolutely about turning security into code—take those types of rules and enforce them throughout the lifecycle."
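The "always see this pattern, never see this pattern" guardrails Williams describes, and the pattern matching that the introduction attributes to static testing, can both be expressed as a small rule set run over source code. The following is an added example written for this page, not Contrast Security's rule engine or any product's rule set: the rule names, the `Finding` type and the `SAMPLE` module are constructed for illustration. It walks the Python AST once, applies "never" rules (a matching call is a violation) and "always" rules (a call to a listed target must carry a required keyword), and exposes a `gate()` that a CI step can use to enforce the rules on every build.

```python
"""Guardrail rules as code: a small static check over Python source (constructed example)."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def call_name(node):
    """Return a dotted name for a call target, e.g. 'subprocess.run', or None."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def keyword(call, name):
    """Return the keyword argument with this name, or None if absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw
    return None


def shell_is_true(call):
    kw = keyword(call, "shell")
    return kw is not None and isinstance(kw.value, ast.Constant) and kw.value.value is True


# "never" rules: (call targets, predicate, description). A match is a violation.
NEVER = {
    "no-shell-true": (
        {"subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output"},
        shell_is_true,
        "subprocess invoked with shell=True",
    ),
    "no-unsafe-yaml-load": (
        {"yaml.load"},
        lambda call: keyword(call, "Loader") is None,
        "yaml.load without an explicit Loader keyword",
    ),
}

# "always" rules: (call targets, required keyword, description). Missing keyword is a violation.
ALWAYS = {
    "requests-timeout": (
        {"requests.get", "requests.post", "requests.put", "requests.delete", "requests.request"},
        "timeout",
        "outbound HTTP call without a timeout",
    ),
}


def check_source(source, filename="<constructed>"):
    """Apply every guardrail to the given source and return findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name is None:
            continue
        for rule, (targets, predicate, detail) in NEVER.items():
            if name in targets and predicate(node):
                findings.append(Finding(node.lineno, rule, detail))
        for rule, (targets, required_kw, detail) in ALWAYS.items():
            if name in targets and keyword(node, required_kw) is None:
                findings.append(Finding(node.lineno, rule, detail))
    return sorted(findings, key=lambda f: f.line)


def gate(source):
    """CI-style gate: True when the source passes every guardrail."""
    return not check_source(source)


# Constructed sample module: the first function violates all three rules,
# the second shows the pattern the guardrails want to see instead.
SAMPLE = """\
import subprocess, yaml, requests

def deploy(cfg_path, host):
    cfg = yaml.load(open(cfg_path))
    subprocess.run("ssh " + host + " uptime", shell=True)
    requests.post("https://" + host + "/hook", json=cfg)

def deploy_fixed(cfg_path, host):
    cfg = yaml.load(open(cfg_path), Loader=yaml.SafeLoader)
    subprocess.run(["ssh", host, "uptime"], check=True)
    requests.post("https://" + host + "/hook", json=cfg, timeout=10)
"""

if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
    print("gate passed" if gate(SAMPLE) else "gate failed")
```

The sample is only parsed, never executed, so the check runs offline and without the imported libraries installed. Because the rules are plain data, a team can version them next to the code and run the same `gate()` in a pre-commit hook, in CI and before deployment, which is what enforcing guardrails "throughout the lifecycle" amounts to in practice.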

Application security services also fit nicely with continuous integration and continuous deployment (CI/CD). With apps being pushed out faster and more frequently, protecting those applications requires the ability to securely monitor them, even if they are running on public cloud infrastructure.

However, Linthicum said application security services only focus on vulnerabilities and protecting against exploitation. The most common way to compromise cloud services is through stolen credentials, making identity and access management (IAM) most critical. In addition, a good encryption strategy can also protect against breaches.

"There is no one-size-fits-all approach. [But] most of the time, security is not really effective unless you build it in."
—David Linthicum