Industry executives and experts share their predictions for 2018. Read them in this 10th annual VMblog.com series exclusive.
Contributed by Manish Gupta, CEO and Founder, ShiftLeft
Accelerating Security with DevSecOps, Serverless, and Continuous Improvement
It's hard to find an organization these days not using cloud technologies in some way. One report (Morgan Stanley CIO 2016 Survey) has 91 percent of companies using public cloud by 2019, up from 53 percent in 2016.
There are three main areas that will become more prominent in 2018 as organizations across various sectors attempt to differentiate through innovation in cloud environments:
1. Continuous Improvement comes to security as applications become the epicenter of attacks:

According to Verizon's 2017 Data Breach Investigations Report, web application attacks are the leading cause of breaches, more than tripling from 9% to 30% since 2014. This is predominantly because no two applications are alike: they work in different ways and they use OSS differently, all of which leads to a different threat profile for each one. Yet we have been protecting every application with off-the-shelf security solutions that either only analyze the code and create many false positives, or provide runtime protection that adds significant overhead to the application. The overhead of generic security solutions, which carry signatures for threats and vulnerabilities across hundreds of applications, operating systems and network elements, defeats the promise of cloud environments. For SaaS applications, IaaS/PaaS vendors now provide state-of-the-art, robust infrastructure-level security. In such scenarios, the exposed attack surface is the application itself and the vulnerabilities in it, whether introduced inadvertently or borrowed through OSS use during rapid development. At ShiftLeft, security does not mean loss of agility or speed; in fact, with the Cloud, it means just the opposite. Continuous improvement of application code by infusing it with security early in the development lifecycle will be key in 2018.
2. Serverless becomes the common way to deploy cloud-native applications:

Driven by the digital economy's demand for instant results without the hassle, serverless computing is becoming the common way to deploy new applications. The serverless concept is a prepackaged flavor of modern cloud-native architecture which decomposes applications into multiple stateless and elastic micro-services. These are further architected around small serverless functions coupled together in distributed environments. Micro-services shrink or grow to satisfy demand; they are restarted in case of a resource failure and can be changed to a newer version without breaking or taking down the entire application. In 451 Research's Voice of the Enterprise (VotE): Cloud Transformation, Workloads and Key Projects 2016 survey of 486 IT decision-makers, 37 percent were using serverless technology to some degree. Serverless is likely to continue growing in adoption, and in impact on the industry, over the next few years. Anytime you're discussing deploying an application in the cloud, security is at the top of the list of concerns. Serverless applications are no different in this respect, but they are radically different in how you have to implement security, especially considering that deployment of individual compute functions is highly distributed. Security for serverless applications boils down to four key concerns:

1. Flow of data
2. Code quality
3. Monitoring production
4. Choice of APIs and services

Each of these areas is critical to the overall security of your serverless application. It is the onus of the application owner to address this new paradigm of building cloud-native applications.
3. DevSecOps becomes viable with the advent of security automation for cloud workloads:

As movements like CI, CD and DevOps aim to cut down on release cycles, it's security's job to help control the risk. The risk landscape is complex as modern development practices increasingly consume more and more third-party code and OSS. Increasing development speed also means that traditional manual security testing and SAST approaches would need to keep up with this rapid pace. Zero-day vulnerabilities would rise and CVE matching techniques would need to take a backseat. The holy grail of zero-day mitigation means that security needs to be continuous and rapid, and hence automated and autonomous. It is the DevSecOps model that should provide the increasing automation in security in the immediate future. DevSecOps combines the speed of delivery with the security needed to protect the applications. If AWS hadn't automated getting a server, DevOps wouldn't have emerged. In addition, the lack of tools is preventing DevSecOps from going beyond "an idea". 2018 will be the year of DevSecOps as security teams increasingly rely on automated insertion of security into the development lifecycle with next-generation security tools. The philosophy involves building security into CI/CD so that it's baked in, and is built on the idea that "everyone is responsible for security".
## About the Author
Manish Gupta, CEO and Founder, ShiftLeft

He was previously the Chief Product and Strategy Officer at FireEye, helping grow the company from approximately $70 million to more than $700 million in revenue, growing the product portfolio from 2 to more than 20 products. Prior, he was VP of Product Management for Cisco's $2 billion security portfolio. He also served as a VP/GM at McAfee and iPolicy Networks.

Manish has an MBA from the Kellogg Graduate School of Management, an MS in Engineering from the University of Maryland and a BS in Engineering from the Delhi College of Engineering.