DevOps teams have often been underserved by security tools. Modern application security solutions must fit within the existing workflows related to how software is built and deployed. But just dropping a tool into that pipeline won’t suffice.
There are apps that haven’t migrated to modern build processes or frameworks and many cloud-native apps demand different approaches to deployment.
In a recent episode of Application Security Weekly (ASW) sponsored by Contrast Security, Steve Wilson, the company’s chief product officer, discussed different approaches to adapt security tools to the needs of developers.
ASW host Mike Shema set the stage, noting that he’s done multiple episodes about the need to make security easier for application developers and provide the tools necessary. And yet difficulties persist.
“We often forget that companies are dealing with a lot of tech debt and legacy systems, and there are cloud-native systems with nuances that tools need to be hooked into,” Shema said.
Wilson – who has over 25 years of experience developing and marketing products at multi-billion-dollar technology companies like Citrix, Oracle and Sun Microsystems – emphasized that the goal shouldn’t be to find everything that could be wrong, but to find everything that needs to be actioned.
“Today’s tools were built for AppSec experts who are geared toward finding every conceivable vulnerability,” Wilson said. “But what we need is for tooling to be pipeline native, geared not toward chasing down every potential issue but surfacing the most important things quickly – then giving clear guidance to developers on how to fix them.”
Though pipeline-native functionality is important, Shema noted that cloud-native environments come with their own challenges. Wilson agreed. “So many developers are excited about Lambda and serverless functions, but in cloud-native environments, DevOps tools don’t work the same way. Tools must be designed to work in Lambda environments.”
Indeed, Contrast Security recently expanded its Contrast Application Security Platform to add serverless to its list of approaches, which previously included code scanning, application security testing, open source security and runtime protection. Citing its own State of Serverless Application Security Report, Contrast said in a statement that “more than 70% of respondents report that six or more of their development teams now work on serverless applications.”
Wilson said the expansion was driven in large part by customer demand.
“We have hundreds of large enterprise customers who last year really started telling us that they needed support for these serverless environments,” said Wilson, noting that the move to serverless is one that is happening more and more as companies modernize their applications. “One of our beta customers was rewriting a set of applications for their IoT infrastructure – and that’s a classic type of application that really benefits from a serverless environment – so as they were upgrading that to really be cloud native, they were starting to take advantage of function as a service on Amazon, and really asking us to help bring some tooling there where we could provide that security assurance to them.”