Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
Application Security in a Time of Cloud
By Erik Costlow, Director of Developer Relations, Contrast Security
Application security matters because the entire role of virtual machines and containers is to run their application workload. While teams can take the appropriate measures to secure their infrastructure, such as securing networks and hardening permissions, it won't help much if the applications deployed on top are insecure. As 2021 ends its "December to Remember" with the massive log4j logging exploit, which can't be blocked at the network or host level, my hope and prediction is that future years will secure assets by starting with the application.
When you look at the architecture of any workload, you see a common pattern. The application does the work: it gets its compute and memory from a VM, container, or host. That entity gets its storage from a disk or a NAS. While these resources move up the chain, the security levels stay put, and each layer must be secure on its own. A secure host or a secured network doesn't travel up to become a secure application. Those undergoing a digital transformation to reduce cost, improve operations, or achieve any other goal need to decide whether they want to bring old security problems forward or leave them behind.
If a remote attacker can compromise the application, the attacker can generally access whatever the application itself can access. With vulnerabilities like Insecure Direct Object Reference, attackers can often crawl through your records. SQL Injection attacks can allow additional data theft, or even lateral movement to compromise the database server itself when paired with SQL Server's xp_cmdshell. Even applications with strong authentication can become vulnerable, because attackers are setting their usernames to JNDI exploit payloads to breach applications that log failed access attempts. Other exploit payloads are placed in passwords (where they still meet complexity criteria) or even in images that get parsed by computer vision. While network defenses can remove the noise on some of these vulnerabilities, the changing nature of data and elastic IPs makes this infeasible. It doesn't matter if your network, your operating system, or your hosts are patched: if you ignore application security, you trade the little bit of time it takes to turn on automated tools for problems that take days, weeks, months, or even years to solve.
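The two application-layer weaknesses named above, Insecure Direct Object Reference and SQL Injection, both come down to the application handing the database a request it never checked. The following is an added example, not code from the article or from Contrast Security, using an in-memory SQLite table of constructed invoice rows. The first two functions show the vulnerable shapes (an id lookup with no ownership check, and a query built by string concatenation); the third shows the hardened form, which parameterizes the query and lets the database enforce that the caller only sees their own records. All table and column names are made up for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: three invoices belonging to two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "alice", 75)],
    )
    conn.commit()
    return conn


def get_invoice_idor(conn, invoice_id):
    """Vulnerable (IDOR): the query is parameterized, but nothing ties the
    requested id to the caller, so any authenticated user can walk ids 1..N
    and read every customer's invoices."""
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_sqli(conn, invoice_id):
    """Vulnerable (SQL Injection): user input is concatenated into the SQL
    text, so the caller controls the WHERE clause rather than just a value."""
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = " + invoice_id
    ).fetchall()


def get_invoice_secure(conn, current_user, invoice_id):
    """Hardened: validate the type, bind every value as a parameter, and make
    ownership part of the query so the database enforces it on every call."""
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # alice asking for invoice 2: the IDOR lookup returns bob's row
    print("idor:", get_invoice_idor(db, 2))
    # concatenated input that widens the WHERE clause returns every row
    print("sqli:", len(get_invoice_sqli(db, "1 OR 1=1")), "rows")
    # hardened lookup: bob cannot read alice's invoice, and bad input is rejected
    print("secure:", get_invoice_secure(db, "bob", "1"),
          get_invoice_secure(db, "alice", "1 OR 1=1"))
```

The ownership predicate in the hardened query is the part most teams forget: parameterization alone fixes the injection but leaves the IDOR, because a correctly bound id is still someone else's id.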
When security becomes a scramble, there are a few common themes among those who can remain calm:
- They have an inventory of applications, and each application has its software bill of materials (SBOM). They know its environment details, such as OS and patch level, as well as the libraries that the application uses. When a new vulnerability is discovered, they know whether they are affected and where to engage.
- They regularly patch systems, keeping up to date with security fixes. This patching doesn't stop at the OS or container level: it's continuous and covers the entire SBOM. It doesn't matter if the application was secure a few years ago; it matters if it's secure now, while it's running.
- They have runtime detection or protection enabled within applications. While you can watch attacks at the network level, the average organization is attacked thousands of times per day. Each vendor claims a different number, but the number doesn't matter: what matters is whether the attack has an impact. Monitoring attacks is fine, but teams need to differentiate, defend, and focus on which attacks matter.
The benefit for teams undergoing a digital transformation is that there are tools that fit into software pipelines and can continually produce this intelligence without adding work. Instead of combing through last year's security audit and drowning in manual work, you can automate the steps. Make the applications create their own SBOMs; they know what software they have because they run it. Hook a security agent into the software, whether it's your software or a vendor's, and you can extract the data.
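The first two themes above, an SBOM per application and knowing at a glance whether a new vulnerability affects you, can be wired together in a few dozen lines. The following is an added example, not code from the article or from Contrast Security. `generate_sbom` has a running Python process describe its own installed packages in a minimal CycloneDX-shaped document, following the article's point that the application knows what it runs; `affected_apps` then takes an inventory of such SBOMs and an advisory with an affected version range and reports which applications need engagement. The inventory, the component name `logging-lib`, and the advisory id `ADV-EXAMPLE-0001` are constructed placeholders, not real packages or advisories, and the version parsing is a simplified numeric comparison, not a full PEP 440 or Maven implementation.

```python
import json
from importlib import metadata


def parse_version(v):
    """Simplified version parsing: leading digits of the first three dotted
    parts, zero-padded, so '2.15.0-rc1' -> (2, 15, 0) and '2.14' -> (2, 14, 0).
    Constructed for the example; real ecosystems need their own comparators."""
    parts = []
    for piece in v.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def generate_sbom(app_name):
    """Let the running process produce its own SBOM from the package metadata
    it can see. Output mimics the CycloneDX JSON shape (bomFormat, components)
    but is a minimal subset, not a validated CycloneDX document."""
    components = set()
    for dist in metadata.distributions():
        try:
            name = dist.metadata.get("Name")
        except Exception:  # tolerate broken metadata directories
            name = None
        if name and dist.version:
            components.add((name, dist.version))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": app_name}},
        "components": [
            {"type": "library", "name": n, "version": v}
            for n, v in sorted(components)
        ],
    }


def affected_apps(inventory, advisory):
    """Return (app name, version) for every SBOM in the inventory that carries
    the advisory's component in the range [introduced, fixed_in)."""
    lo = parse_version(advisory.get("introduced", "0"))
    hi = parse_version(advisory["fixed_in"])
    target = advisory["component"].lower()
    hits = []
    for sbom in inventory:
        app = sbom["metadata"]["component"]["name"]
        for comp in sbom["components"]:
            if comp["name"].lower() == target:
                v = parse_version(comp["version"])
                if lo <= v < hi:
                    hits.append((app, comp["version"]))
    return hits


# Constructed inventory: three applications with hand-written SBOMs.
SAMPLE_INVENTORY = [
    {"metadata": {"component": {"name": "billing-api"}},
     "components": [{"type": "library", "name": "logging-lib", "version": "2.14.1"},
                    {"type": "library", "name": "json-lib", "version": "1.0.0"}]},
    {"metadata": {"component": {"name": "reports"}},
     "components": [{"type": "library", "name": "logging-lib", "version": "2.13.3"}]},
    {"metadata": {"component": {"name": "gateway"}},
     "components": [{"type": "library", "name": "logging-lib", "version": "2.15.0"}]},
]

# Constructed advisory (placeholder id and placeholder component name).
SAMPLE_ADVISORY = {
    "id": "ADV-EXAMPLE-0001",
    "component": "logging-lib",
    "introduced": "2.0.0",
    "fixed_in": "2.15.0",
}


if __name__ == "__main__":
    print(json.dumps(generate_sbom("self-test"), indent=2)[:400])
    print(SAMPLE_ADVISORY["id"], "affects:", affected_apps(SAMPLE_INVENTORY, SAMPLE_ADVISORY))
```

Running the module prints the start of this interpreter's own SBOM, then reports `billing-api` and `reports` as affected while `gateway`, already on the fixed version, is not. The point of keeping `generate_sbom` inside the application rather than in a separate scan is the one the article makes: the process that loads the libraries is the only component that is never out of date about which libraries it loaded.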
Performance monitoring tools have shown us what you can learn by watching an application, so it's time to do the same for security. Organizations should leverage products that provide agents that work inside software to gather security information, without creating additional work. By putting the agent in place to monitor inside the application, the machine does the hard work of creating its inventory, monitoring for security events, and differentiating and defending against attacks that could hurt the application.
You don't need to ignore application security because it's hard; it isn't. The biggest hope I have for the next year is not that people pay attention to application security, it's that they put an agent in place to pay attention to it for them and then go do something else. If we can do this, then maybe next year will be a December to enjoy.
## ABOUT THE AUTHOR
Erik Costlow, Director of Developer Relations, Contrast Security
Erik Costlow was Oracle's principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.