Micro Focus is now part of OpenText. Learn more >

You are here

You are here

DevSecCon: Container, serverless growth haunts DevOps security

Rob Lemos Writer and analyst

DevOps—a discipline barely a decade old—is continuously changing, and while many of the issues of how to secure software in the DevOps pipeline remain the same, new ones have cropped up as well.

Take the trend of serverless development. With the introduction of Amazon's AWS Lambda in 2014—and the release in 2016 of Google's Cloud Functions and Microsoft Azure Functions—an increasing number of developers has started to use the technology to create applications and features without having to worry about server creation or optimization.

Estimates of the current use by companies of serverless—also known as functions as a service (FaaS)—vary between a high of 41%, according to the Cloud Native Computing Foundation, and 21%, according to RightScale, a cloud infrastructure services firm.

Regardless of the discrepancy, there was little surprise that of 240 proposed presentations for DevSecCon, more than 30% were focused on securing serverless computing and microservices, conference organizers said.

"Lots of people are interested in both topics. Especially, How do you use them, and how do you use them securely?" said Francois Raynaud, founder and director of DevSecCon.

Here are three key trends coming out of DevSecCon London 2018 for software teams implementing DecSecOps.

Top 10 is not enough for DevOps

The standard security checks that applications security specialists do on software are not enough to secure the DevOps pipeline. The bare minimum in many cases is the OWASP Top 10, but just scanning for the common list of vulnerabilities does not find major issues, such as the business logic vulnerabilities exploited by attackers in the latest Facebook breach.

So while security needs to be increasingly shifted left, toward developers, companies cannot ignore the need for security in operations, monitoring applications at runtime, said Jean-Baptiste Aviat, a presenter at the conference and chief technology officer and co-founder at Sqreen, a web application security firm.

"In the past, the solution was that we had security tools on the outside of the application, such as a WAF or static analyzers. All these things are working well for their own scope, but none of them can provide total security, because the business logic happens inside the application."
Jean-Baptiste Aviat

He likens the shift to performance measuring tools, which started out measuring performance at the edge of the network, but now run inside the application itself.

[ More from DevSecCon London 2018: Liz Rice shares 9 practical steps to secure your container deployment | Colin Domoney on How to secure your software supply chain ]

Container proliferation makes security harder

Container adoption continues to take off, with more companies deploying an increasing number of containers. Almost half of firms have more than 250 containers deployed, while less than a quarter have 1 to 50 containers, a significant shift from 18 months ago, when the figures were 12% and 61%, respectively, according to the Cloud Native Computing Foundation.

The proliferation in containers makes security more important and more difficult to do right, said Liz Rice, an evangelist at Aqua Security who presented on container security at the conference.

"The security problems are the same as they always have been: vulnerable software being deployed—the traditional Meltdowns and Heartbleeds and ShellShocks—those kinds of vulnerabilities in software that get published and attackers find out about them. If you don't have the tooling in place to secure all those instances, and attackers continue to look for the weaknesses, they will eventually get in."
Liz Rice

Growing interest in securing serverless development

Serverless development is the fastest-growing cloud service, with an annual growth rate of 75%, according to cloud-services firm RightScale.

Because there is a scarcity of tools that are focused on securing serverless architectures, developers have to focus on the basics. Minimizing the privileges of running functions is critically important to decrease the potential attack surface area, said Yan Cui, principal engineer at video-streaming firm DAZN and a presenter at the conference, who spoke on securing serverless architectures.

"With serverless, the cloud providers are taking care of even more of your infrastructure for you and securing them, and doing a much better job at that than most of us can. However, application-level security is still very much a concern, and the OWASP Top 10 are still as relevant as ever—threats such as SQLi and XSS."
Yan Cui

Serverless has the potential to be a more secure way to develop certain types of services, Cui said. Developers do not have to worry about extraneous code in their libraries or about compromised servers or containers.

Shift left hits bumps in the road

DevSecCon continues to focus on ways to shift the capability—and responsibility—for security toward the developer, often referred to as a shift-left trend. By baking security into the development lifecycle, application security specialists can support developers' focus on efficiently producing code, while catching the mistakes that lead to vulnerabilities.

The changing landscape adds to the challenge. Aqua Security's Rice said the community was moving forward despite the challenges.

"Developers do not have to be security experts overnight, but they have to be part of the chain of security. It requires a cultural change. It requires a conversation between the security people, the development people, and ops people, all of whom might not have those titles anymore."
—Liz Rice

The DevSecCon London conference and training sessions took place on October 18-19, 2018. DevSecCon Singapore runs February 28-March 1, 2019.

Image courtesy of DevSecCon.

Keep learning

Read more articles about: SecurityData Security