The cloud-native development model entered the mainstream in recent years, with technologies such as microservices and serverless computing, containers, APIs, and infrastructure-as-code (IaC) at the forefront of this trend. Thanks to these technologies, organizations can build and run their apps quickly, in a distributed manner, and without managing physical hardware themselves. But while this flexibility saves time and money across the entire software development life cycle (SDLC), it does not come without a security price tag.
Securing cloud-native applications requires, among other things, a full understanding of the interfaces each microservice exposes to its various consumers, as well as correct security configuration of the container images. Organizations with internally developed cloud-native applications faced a variety of security incidents in recent years, with the leading causes being insecure use of APIs, vulnerable source code, and compromised account credentials.
Two key concerns in deploying and managing cloud-based apps are complexity and an enlarged attack surface. As developers quickly spin up cloud-native (serverless or container-based) workloads, more attack surface is exposed: every function, API, and protocol in a cloud-native application is a potential attack vector. In fact, an ESG survey on recent security incidents showed that insecure use of APIs was the leading cause of the cloud-native app stack’s susceptibility to attack.
The cloud-native architecture also adds complexity to security governance and control, as organizations must consider the various permissions, authentication, and access management issues. The increasing use of IaC comes with a higher chance of IaC template misconfigurations due to coding mistakes. Unfortunately, misconfigurations that lead to critical data leakage or unauthorized access to apps and sensitive data are frequently not caught until late in the cycle, once the templates have already been deployed. This makes them more challenging and time-consuming for organizations to manage.
Traditional application security testing (AST) tools were not designed for cloud-native apps, and therefore cannot provide adequate coverage, speed, or accuracy to keep pace with the demands of these modern applications. Legacy AST tools have poor visibility into modern app development and deployment architectures, because most API and serverless function calls are event-driven triggers, and some functions have no public-facing endpoint or URL for a scanner to reach. While some vendors may tout best-of-breed static scans for cloud and serverless applications, the truth of the matter is that scanning code with little or no runtime context is not an effective AST solution on its own.
Effective API security can’t be achieved merely by protecting and blocking vulnerable APIs with web application firewalls and monitoring tools. API-based apps need to be treated and managed as a complete development life cycle of their own. Just as the software app development life cycle goes through upfront planning and design, so must the API life cycle. Proper API design and API policies must be built into an organization’s overall business risk and continuity program.
Organizations must also perform internal housekeeping and build an inventory of all their API-based apps, which can then be used for risk assessment, classification, and quality control. Ultimately, the goal is to focus limited time and expert resources on the API-based apps with the highest risk factors.
The next step is vital, and it is the missing link in today’s API security practices: the ability to continuously test APIs (including custom, open source, and public-facing APIs) for vulnerabilities and verify the findings in real time. It is not enough to have an API tool that discovers all the APIs for each application and puts up a firewall that admits traffic only if it adheres to a defined risk policy. A better strategy is to extend API discovery with dynamic testing, verification, and triage that run continuously during integrated application tests, at runtime, while the app is exercised together with the open source and third-party codebases and APIs it depends on.
This is the essence of an effective API security strategy. An organization needs the ability to quickly identify, proactively test, and remediate the apps with the highest risk (as defined by its security policies and API risk classifications) before they go into production release. An API risk classification system can use criteria such as the application’s exposure (internal- or external-facing), the types of information it handles (e.g., PII, or payment card data subject to PCI DSS), the number of records the app manages (which can run to thousands or millions), and the cost of a data breach, disaster recovery, and business continuity impact.
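The classification criteria above, and the inventory described in the preceding paragraph, can be turned into a repeatable prioritization step. The following is an added illustration, not code from Black Duck, Seeker, or Gartner; the weights, tier thresholds, and inventory entries are constructed assumptions that an organization would replace with values from its own security policy.

```python
"""Illustrative API risk classification over an API inventory.

Added example; not Black Duck or Seeker code. Weights, tier thresholds,
and the inventory below are constructed assumptions for demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEntry:
    name: str
    exposure: str                # "external" or "internal"
    data_types: frozenset[str]   # e.g. {"pii", "payment"}; empty if none
    record_count: int            # number of records the app manages
    impact_usd: int              # estimated breach + recovery + continuity cost


# Assumed weights: external exposure and payment data dominate the score.
EXPOSURE_WEIGHT = {"external": 3, "internal": 1}
DATA_TYPE_WEIGHT = {"payment": 4, "pii": 3, "phi": 3, "confidential": 2, "public": 0}
# Assumed tier thresholds on the additive score (maximum possible is 13).
TIERS = ((10, "critical"), (7, "high"), (4, "medium"), (0, "low"))


def record_weight(count: int) -> int:
    """Bucket record volume: thousands, hundreds of thousands, millions."""
    if count < 1_000:
        return 0
    if count < 100_000:
        return 1
    if count < 1_000_000:
        return 2
    return 3


def impact_weight(usd: int) -> int:
    """Bucket the estimated breach/DR/continuity cost."""
    if usd < 100_000:
        return 0
    if usd < 1_000_000:
        return 1
    if usd < 10_000_000:
        return 2
    return 3


def risk_score(api: ApiEntry) -> int:
    """Additive score; rejects entries the policy has not classified."""
    if api.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"{api.name}: unknown exposure {api.exposure!r}")
    unknown = api.data_types - set(DATA_TYPE_WEIGHT)
    if unknown:
        raise ValueError(f"{api.name}: unclassified data types {sorted(unknown)}")
    # Most sensitive data type carried by the API decides the data weight.
    data = max((DATA_TYPE_WEIGHT[t] for t in api.data_types), default=0)
    return (EXPOSURE_WEIGHT[api.exposure] + data
            + record_weight(api.record_count) + impact_weight(api.impact_usd))


def classify(score: int) -> str:
    """Map a score to a tier; TIERS is ordered from highest threshold down."""
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    return "low"


def prioritize(inventory: list[ApiEntry]) -> list[tuple[str, int, str]]:
    """Return (name, score, tier) sorted highest risk first, then by name."""
    scored = [(a.name, risk_score(a), classify(risk_score(a))) for a in inventory]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed inventory entries (not real systems).
INVENTORY = [
    ApiEntry("payments-api", "external", frozenset({"pii", "payment"}), 2_500_000, 5_000_000),
    ApiEntry("hr-directory", "internal", frozenset({"pii"}), 12_000, 250_000),
    ApiEntry("status-page", "external", frozenset(), 0, 10_000),
    ApiEntry("ledger-export", "internal", frozenset({"payment"}), 800_000, 20_000_000),
]


if __name__ == "__main__":
    for name, score, tier in prioritize(INVENTORY):
        print(f"{tier:>8}  {score:>2}  {name}")
```

The ordering this produces is the test queue: the external payments API and the internal ledger export both land in the critical tier and are tested first, while an external status page with no sensitive data sits at the bottom. An entry with an exposure or data type the policy has not defined is rejected rather than silently scored low, which is the failure mode an inventory-driven process most needs to avoid.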
Gartner’s most recent cloud-native survey found that organizations are incorporating AST solutions such as software composition analysis (SCA), IAST, and API testing in addition to SAST and WAFs. Modern application security testing solutions such as IAST can help alleviate the burden of conducting security testing in DevSecOps environments, because they don’t require the additional scans, triage, or verification that add time and test cycles to the continuous pipeline.
This year, Gartner raised the bar when it comes to cloud-native security capabilities. While API security, IaC, SAST, SCA, and IAST remained at the top of its list of critical capabilities, it also added dynamic application security testing (DAST) and application security posture management (ASPM). It’s understandable why Gartner expanded the set of capability criteria. Cloud-native applications are built from the ground up to run in the cloud, so they require a modern security strategy that is holistic in scope and focused on delivering secure applications in the cloud. Development, DevOps, and security teams all need visibility and an integrated set of testing technologies, including SAST, SCA, DAST, IAST, and API security testing, to secure these modern apps throughout the entire code/build/test/deploy/run application life cycle.
Black Duck is pleased to be ranked at the top in Gartner’s cloud-native use case for the second year in a row. The Black Duck portfolio of comprehensive and integrated AST offerings helps organizations with cloud-native development and deployment needs, and aids their ability to create secure code and infrastructure that run seamlessly across multiple clouds. Teams can quickly identify, pinpoint, prioritize, and remediate risks at all stages of the application life cycle, both on-premises and in the cloud.
An advanced IAST tool like Seeker is especially useful in securing cloud-native apps. It can detect, test, and validate all inbound and outbound API calls, whether they are API calls your app declares or shadow APIs. It also tracks and tests functions running on commonly used serverless platforms, such as AWS Lambda and Azure Functions, without adding scan cycles and friction to the continuous pipeline.
Seeker does all of this autonomously in the background, while teams carry out their normal development and QA test workloads. The tool provides DevOps and security teams with a highly interactive and visual map of all critical and sensitive data flows, including vulnerable paths, potential secrets, and sensitive data leakage. Development teams get real-time information, from stack traces to vulnerability details down to the line of code, as well as robust remediation guidance.
Seeker can discover all callable APIs using its instrumentation agents and can generate OpenAPI documents when users are missing API specifications. It can track and detect all application requests and responses with payloads in JSON or XML, as well as newer protocols and transports such as GraphQL, gRPC, and Kafka. And it provides a catalog of all endpoints, including untested but callable APIs and URLs.
In addition to Seeker IAST, Black Duck offers complete, end-to-end application security testing and risk posture management solutions that help secure your cloud-native applications. Our Polaris Platform offers a single, integrated AST platform that is cloud ready. Teams can perform multiple types of scan analysis and gain a holistic view of the organization’s risk posture. The Polaris fAST platform enhances collaboration between developers, DevOps, and AppSec teams. Because it is SaaS based, organizations can easily scale testing up or down based on business demand and needs. There is no need for additional hardware, software, infrastructure setup, or provisioning. Polaris enables any team to quickly onboard hundreds of thousands of apps and projects and perform multiple types of scan analysis concurrently, anytime, anywhere globally.
Code Sight™ lightweight SAST empowers developers to instantly detect and fix vulnerable code in their IDE. Coverity® static analysis and Black Duck® software composition analysis help secure IaC, containerized applications, and images.
The ultimate test of an application’s security posture is its ability to withstand attacks in production. With production-safe continuous testing that adapts to application updates and provides actionable results with near-zero false positives, Continuous Dynamic gives you the agility and the elastic capacity your organization needs to detect and respond to vulnerabilities in web applications before threat actors can exploit them. Continuous Dynamic is a true cloud-based solution that requires no hardware or software components to be installed, allowing organizations to scale dynamically and test at the speed the business demands.
Black Duck provides a comprehensive portfolio of AST tools and services that can help your teams find and fix critical vulnerabilities such as access control and authentication issues, cross-site scripting, and the various classes of injection flaws quickly and painlessly.
Download the Gartner 2023 “Critical Capabilities for Application Security Testing” report to learn more about the Black Duck portfolio of AST tools and why Black Duck received the highest score for the cloud-native application use case.
Discover best practices for securing cloud-native applications, and why Black Duck is the leader in Gartner's 'cloud native applications' category.