Virtualization Technology News and Information
Dev and Sec have been foes forever - cloud-native can turn them into friends

By Reuven Harrison, CTO and Co-Founder of Tufin 

Security teams and developers have never been the best of friends, because their interests conflict: developers want to roll out features as fast as possible with minimal distractions, while security teams want to ensure things are properly secured before release.

Cloud-native lets us finally resolve this conflict by establishing common ground on which agility and security can be improved simultaneously.

If you introduce security after development, you are missing an opportunity. Security policies and tests incorporated into the CI/CD pipeline produce a far stronger security posture than controls bolted on afterwards. Across enterprise cloud-native deployments it is evident that the later in the cycle you introduce security, the less efficient and scalable it is.

What are the security culture issues that a cloud-native environment aggravates?

Security is not owned by one person or one team

  • Security experts understand the principles of security (such as least privilege) but lack knowledge of the application's business logic.
  • Developers, on the other hand, understand their apps, but they are not focused on security and do not necessarily understand the impact of their app logic on security and risk.
  • Security teams cannot be expected to be experts in every technology their organization uses (Kubernetes, for example, changes very frequently).
  • Developers are not experts in the various policy definitions, for example those needed to secure Kubernetes: network policies, pod security policies and RBAC.
  • In addition, while developers are expected to understand their apps, that understanding is often partial. For example, a third-party component can trigger network connections and system calls the developer is not aware of.
  • In practice, every single policy we have seen is either overly permissive or not defined at all (which means default allow).
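As an added illustration of the last two points (this is example code written for this page, not part of the original article or of any Tufin product), the following Python audit flags both failure modes on a constructed set of Kubernetes manifests: a NetworkPolicy whose ingress rule admits every source, a pod that no NetworkPolicy selects (so the namespace is still default allow for it), and an RBAC role or binding that hands out wildcard or cluster-admin rights. The objects are dicts in the shape `kubectl get ... -o json` returns; every name, label and namespace below is hypothetical.

```python
"""Audit Kubernetes policy objects for the two failure modes named above:
undefined (no NetworkPolicy selects a pod, so the namespace stays
default-allow) and overly permissive (an ingress rule with no 'from',
an RBAC rule with wildcard verbs/resources, or a binding to cluster-admin).
Objects are plain dicts in the shape of `kubectl get ... -o json`; the
sample objects below are constructed for this example."""

WILDCARD = "*"


def selector_matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present on the pod.
    An empty selector ({}) selects every pod in the namespace.
    matchExpressions are not handled here (kept simple on purpose)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def audit_network_policies(pods, policies):
    """Return one finding per problem, ingress side only."""
    findings = []
    for pol in policies:
        spec = pol["spec"]
        # Kubernetes always treats a policy as an ingress policy unless
        # policyTypes is set and omits "Ingress".
        if "Ingress" in spec.get("policyTypes", ["Ingress"]):
            for rule in spec.get("ingress", []):
                if not rule.get("from"):  # {} or a missing 'from' means any source
                    findings.append(f"{pol['metadata']['name']}: ingress rule without 'from' allows all sources")
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        selecting = [
            p for p in policies
            if p["metadata"]["namespace"] == ns
            and selector_matches(p["spec"].get("podSelector", {}), pod["metadata"].get("labels", {}))
        ]
        if not selecting:
            findings.append(f"{ns}/{pod['metadata']['name']}: no NetworkPolicy selects it (default allow)")
    return findings


def audit_rbac(roles, bindings):
    """Flag wildcard grants and any binding to the built-in cluster-admin role."""
    findings = []
    for role in roles:
        for rule in role.get("rules", []):
            if WILDCARD in rule.get("verbs", []) or WILDCARD in rule.get("resources", []):
                findings.append(f"{role['kind']}/{role['metadata']['name']}: wildcard verbs or resources")
    for b in bindings:
        if b["roleRef"]["name"] == "cluster-admin":
            subjects = ",".join(s["name"] for s in b.get("subjects", []))
            findings.append(f"{b['kind']}/{b['metadata']['name']}: binds {subjects} to cluster-admin")
    return findings


# --- constructed sample objects (hypothetical names and labels) --------------
def np(name, pod_selector, ingress, ns="shop"):
    return {"kind": "NetworkPolicy", "metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"], "ingress": ingress}}

PODS = [
    {"metadata": {"name": "api-0", "namespace": "shop", "labels": {"app": "api"}}},
    {"metadata": {"name": "worker-0", "namespace": "shop", "labels": {"app": "worker"}}},
]
# What the article describes seeing in practice: one policy that admits
# everything, and a workload with no policy at all.
WEAK_POLICIES = [np("api-open", {"matchLabels": {"app": "api"}}, [{}])]
# Least-privilege version: default-deny for the namespace, then explicit allows.
HARDENED_POLICIES = [
    np("default-deny-ingress", {}, []),
    np("api-from-web", {"matchLabels": {"app": "api"}},
       [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
         "ports": [{"protocol": "TCP", "port": 8080}]}]),
]
WEAK_ROLES = [{"kind": "Role", "metadata": {"name": "dev-debug", "namespace": "shop"},
               "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]}]
WEAK_BINDINGS = [{"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
                  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}]
HARDENED_ROLES = [{"kind": "Role", "metadata": {"name": "dev-debug", "namespace": "shop"},
                   "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]}]
HARDENED_BINDINGS = [{"kind": "RoleBinding", "metadata": {"name": "ci-debug", "namespace": "shop"},
                      "roleRef": {"kind": "Role", "name": "dev-debug"},
                      "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}]


def run_audit(policies, roles, bindings):
    return audit_network_policies(PODS, policies) + audit_rbac(roles, bindings)


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICIES, WEAK_ROLES, WEAK_BINDINGS)),
                        ("hardened", (HARDENED_POLICIES, HARDENED_ROLES, HARDENED_BINDINGS))):
        print(label, run_audit(*args) or ["no findings"])
```

The weak set yields four findings (the allow-all rule, the unselected worker pod, the wildcard role and the cluster-admin binding); the hardened set yields none, because the empty-selector default-deny policy now selects every pod and the only allow rule names both its source and its port.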

Conflicting objectives of the teams

  • Security and application teams have a deep trust issue that results from conflicting objectives:
    • Developers want to release as fast as possible.
    • Security teams want to review and control changes ("change management processes").
    • Security teams want audits and penetration tests, which create more work for developers.
    • Security teams insert security tools such as firewalls and agents into developer environments, and those tools are the first suspect whenever something goes wrong.

The business adapts frequently, and so do the apps

  • This means that even if a team manages to overcome the first two issues and establish good security, that security will soon become outdated and will need to be redone.
  • The infrastructure tools are also updated at a growing pace; Kubernetes, for example, ships a new minor release roughly every quarter.
  • At the same time, third-party components are updated to fix application-security vulnerabilities, which introduces further changes to the system.
  • Keeping a system continuously secure is arduous!

Collaboration is the key

  • With all the above issues, how can we ensure that an environment is secure? It takes collaboration and good communication!
  • The goal should be to maximize collaboration between the development and security teams at an early stage, without adding work for either team, so that the practice is sustainable.
  • Let's follow a mode of operation that aligns security and developers by embedding a security testing practice into the development process.
  • Security testing ticks all the boxes:
    • Developers already consider a proactive approach good practice (test-driven development): it improves quality and reduces developer overhead by catching defects that would otherwise be found late in the process.
    • It can be done in the pipeline, which means agility is not affected.

But what is meant by security testing in a cloud-native environment?

  • The idea is to use testing to build a baseline of behaviors that are considered correct.
  • Whenever a developer adds a feature, they write a test for it. Running that test exercises the new behavior and thereby teaches the "auto-policy-generator" about it.
  • This can be embedded in the CI/CD pipeline, generating policy-as-code changes (pull requests) that developers and security experts can both review.
  • An advanced mode can also run tests of malicious behaviors, as negative examples of illegitimate behavior that the generated policy must not allow.
  • Another great advantage of learning policies in the pipeline is that it reduces the chance of baking malware into the baseline by mistake: test environments are created and destroyed so rapidly that they rarely live long enough to get infected.
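As an added example of the pipeline described in the list above (example code written for this page, not the article's or Tufin's own implementation): flows observed while the feature tests ran become the baseline, the baseline is compiled into NetworkPolicy objects, the change is rendered as the diff a pull request would carry, and the "advanced mode" asserts that constructed malicious flows are denied by the generated policies. The flow records, app labels and namespace are hypothetical; a real pipeline would collect the flows from the test cluster's network telemetry rather than from a hard-coded list.

```python
"""Policy-as-code learned from tests: the flows the feature tests exercise
form the baseline, the baseline is turned into NetworkPolicy objects, and a
flow no test exercised (including a deliberately malicious one) is denied.
The flow records below are constructed for this example; a real pipeline
would collect them from the test cluster's network telemetry."""

import json
from collections import defaultdict
from difflib import unified_diff

# (source app label, destination app label, destination TCP port) seen while
# the feature tests ran. Each test a developer adds contributes its own flows.
OBSERVED_FLOWS = [
    ("web", "api", 8080),
    ("web", "api", 8080),   # duplicates are normal: many tests, same flow
    ("api", "db", 5432),
    ("api", "cache", 6379),
]

# "Advanced mode": behaviours no legitimate test exercises, asserted as denied.
MALICIOUS_FLOWS = [
    ("web", "db", 5432),      # front end reaching the database directly
    ("worker", "api", 8080),  # an untested workload calling the API
    ("api", "db", 22),        # right peer, wrong port
]


def network_policy(name, namespace, pod_selector, ingress):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"],
                     "ingress": ingress}}


def generate_policies(flows, namespace="shop"):
    """Default-deny for the namespace plus one ingress policy per destination
    app, allowing exactly the (source app, port) pairs the tests exercised."""
    allowed = defaultdict(lambda: defaultdict(set))  # dst -> src -> ports
    for src, dst, port in flows:
        allowed[dst][src].add(port)
    policies = [network_policy("default-deny-ingress", namespace, {}, [])]
    for dst in sorted(allowed):
        rules = [{"from": [{"podSelector": {"matchLabels": {"app": src}}}],
                  "ports": [{"protocol": "TCP", "port": p} for p in sorted(ports)]}
                 for src, ports in sorted(allowed[dst].items())]
        policies.append(network_policy(f"{dst}-ingress", namespace,
                                       {"matchLabels": {"app": dst}}, rules))
    return policies


def matches(selector, labels):
    """matchLabels semantics; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src_labels, dst_labels, port):
    """Kubernetes semantics for pods in one namespace: if no policy selects
    the destination the flow is allowed (default allow); otherwise it is
    allowed only if some rule of some selecting policy admits it.
    Only podSelector peers are modelled (no namespaceSelector/ipBlock)."""
    selecting = [p for p in policies if matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            peers_ok = not rule.get("from") or any(
                matches(peer.get("podSelector", {}), src_labels) for peer in rule["from"])
            ports_ok = not rule.get("ports") or any(p["port"] == port for p in rule["ports"])
            if peers_ok and ports_ok:
                return True
    return False


def check_baseline(policies, legitimate, malicious):
    """The pipeline gate: every tested flow allowed, every malicious flow denied."""
    app = lambda name: {"app": name}
    return (all(ingress_allowed(policies, app(s), app(d), p) for s, d, p in legitimate)
            and not any(ingress_allowed(policies, app(s), app(d), p) for s, d, p in malicious))


def policy_diff(current, proposed, path="policies/shop.json"):
    """Unified diff of the manifests, i.e. the body of the pull request that
    developers and security review together. Kubernetes accepts JSON manifests."""
    dump = lambda objs: json.dumps(objs, indent=2, sort_keys=True).splitlines(keepends=True)
    return "".join(unified_diff(dump(current), dump(proposed), path, path))


if __name__ == "__main__":
    proposed = generate_policies(OBSERVED_FLOWS)
    print(policy_diff([], proposed))
    print("baseline gate:", "pass" if check_baseline(proposed, OBSERVED_FLOWS, MALICIOUS_FLOWS) else "FAIL")
```

The generator is deliberately strict: a destination that no test ever reached (the hypothetical `worker` app, for instance) gets no allow rule at all, so only the default-deny policy selects it. That is the property the article's "thoughts to ponder" section is worried about: behavior the tests never exercised is denied, which is safe but is also exactly why run-time learning in production is still needed.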

Some thoughts to ponder upon

We still need to translate application behavior into technology-specific policies, and there should be tools for that. The other thing to consider is that testing will never capture the full extent of an application's behavior; we will need to combine it with run-time learning in production as well.


For more detailed discussions on how security testing can improve the overall cloud-native security posture, come to KubeCon + CloudNativeCon North America, where we can discuss the culture of security in Kubernetes. The conference runs from November 17-20, 2020.

About the Author

Reuven Harrison 

Reuven Harrison is CTO and Co-Founder of Tufin. He led all development efforts during the company's initial fast-paced growth period, and is focused on Tufin's product leadership. Reuven is responsible for the company's future vision, product innovation and market strategy. Under Reuven's leadership, Tufin's products have received numerous technology awards and wide industry recognition. Reuven brings more than 20 years of software development experience, having held two key senior developer positions at Check Point Software, as well as other key positions at Capsule Technologies and ECS.

Published Friday, November 13, 2020 7:36 AM by David Marshall