Gregg Ostrowski has spent over 25 years in technology leadership positions, including at Research in Motion and Samsung, where he was responsible for enterprise services, developer relations and sales engineering. Having worked across F1000 companies, the public sector and partners, Gregg helps companies succeed with digital transformations, mobile application deployments, DevOps strategies, analytics and high-ROI business solutions.
In conversation with Prisila, Correspondent, Asia Business Outlook Magazine, Gregg emphasized incorporating security throughout the modern application development lifecycle. He also highlighted the role of business risk insights in detecting and addressing security threats in cloud-native environments.
How can organizations effectively integrate security into the entire lifecycle of modern application development?
Rapid digital transformation to meet constantly changing customer needs and enable hybrid work has meant a dramatic increase in release velocity. But application security simply hasn’t kept pace. In recent research from Cisco AppDynamics, 92% of technologists admit that rapid innovation during the pandemic has come at the expense of robust application security.
Across all industries, there is an acknowledgement that organizations need to take a new approach to application security, not just to avoid a potentially crippling security breach, but also to lay the foundations for a more sustainable approach to innovation. In particular, technologists know that they need to tighten up their security processes if they are to reap the full benefits of modern application stacks over the coming years.
One of the principal ways in which organizations are looking to address the challenge of application security is by moving to a DevSecOps approach, fostering much closer collaboration between DevOps and SecOps teams. It integrates application security and compliance testing throughout the software development lifecycle, rather than leaving them as an afterthought at the end of the development pipeline. This new approach enables developers to embed robust security into every line of code, resulting in more secure applications and easier security management, before, during and after release.
In what ways can business risk insights help in identifying and mitigating security threats in the cloud-native environment?
The shift to modern cloud-native applications has led to a dramatic increase in attack surfaces, with organizations increasingly vulnerable to revenue and reputation-impacting security risks. According to Red Hat, 93% of businesses have experienced at least one security incident in their Kubernetes environments in the past 12 months - and 31% have experienced financial or customer loss as a result.
In order to protect their customer data and the reputation of their organizations, IT teams need to act quickly and decisively. And this means ensuring they have the tools, insights and working practices to bring together applications and security teams to securely develop and deploy modern applications. Crucially, businesses need to apply business context to their security findings so that teams can rapidly locate, assess and prioritize risk, and then remediate issues based on potential business impact.
Organizations need clear visibility of each new security risk with real-time vulnerability analytics. So, security teams must be able to quickly assess risks based on potential business impact, align teams and triage threats. And to do this they need to rapidly understand where vulnerabilities exist across application entities - business transactions, services, workloads, pods and containers - so that they can quickly isolate them. They then need to assess the severity of these risks, the likelihood that they will be exploited and the risk to the business of each issue.
This type of business risk observability is essential for technologists to understand and prioritize risks. By combining application performance data and business impact context with vulnerability detection and security intelligence, IT teams can prioritize security issues with a business risk score, which allows them to easily identify which business transactions present the greatest risk to the business. For instance, they can assess the sensitivity of customer data associated with a particular business transaction or calculate the potential loss of revenue.
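The answer above describes combining technical severity, exploit likelihood and business context (data sensitivity, revenue at stake) into a single business risk score. The following is an added illustration of that idea, written for this page; it is not Cisco AppDynamics' scoring model, and the weights, the business transactions, the finding identifiers (F-1 to F-3) and the exposure factor are constructed assumptions. It shows why the ranking differs from a CVSS-only list: a medium-severity finding on the checkout path outranks a critical one on an internal reporting service.

```python
"""Ranking vulnerability findings by business risk rather than CVSS alone.

Illustrative example added to this page. Not Cisco AppDynamics' model; the
weights and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BusinessTransaction:
    """Business context for the application entities that serve a transaction."""
    name: str
    data_sensitivity: float   # 0.0 (public data) .. 1.0 (payment card / regulated PII)
    revenue_per_hour: float   # revenue that stops if the transaction is unavailable
    internet_facing: bool     # reachable by an external attacker without a prior foothold


@dataclass(frozen=True)
class Finding:
    """One detected vulnerability on a service / workload / pod / container."""
    finding_id: str
    entity: str
    transaction: str           # name of the BusinessTransaction it participates in
    cvss: float                # technical severity, 0.0 .. 10.0
    exploit_likelihood: float  # 0.0 .. 1.0, e.g. an EPSS-style probability


def business_risk_score(f: Finding, tx: BusinessTransaction, max_revenue: float) -> float:
    """Combine severity, exploit likelihood, exposure and business impact into 0..100.

    The 0.4 exposure discount for internal-only entities and the 50/50 split
    between data sensitivity and revenue are assumptions for this illustration;
    a real program would calibrate them against its own incident history.
    """
    severity = f.cvss / 10.0
    exposure = 1.0 if tx.internet_facing else 0.4
    impact = 0.5 * tx.data_sensitivity + 0.5 * (tx.revenue_per_hour / max_revenue)
    return round(100.0 * severity * f.exploit_likelihood * exposure * impact, 1)


def prioritize(findings: List[Finding],
               transactions: Dict[str, BusinessTransaction]) -> List[Tuple[str, float]]:
    """Return (finding_id, score) pairs, highest business risk first."""
    max_revenue = max(tx.revenue_per_hour for tx in transactions.values()) or 1.0
    scored = [(f.finding_id, business_risk_score(f, transactions[f.transaction], max_revenue))
              for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The severity-only ordering a scanner presents by default, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample data (not taken from any real environment).
TRANSACTIONS = {
    "checkout": BusinessTransaction("checkout", 1.0, 50_000.0, True),
    "internal-reporting": BusinessTransaction("internal-reporting", 0.3, 1_000.0, False),
    "product-catalog": BusinessTransaction("product-catalog", 0.1, 20_000.0, True),
}

FINDINGS = [
    Finding("F-1", "reporting-svc", "internal-reporting", cvss=9.8, exploit_likelihood=0.2),
    Finding("F-2", "checkout-api", "checkout", cvss=6.5, exploit_likelihood=0.7),
    Finding("F-3", "catalog-svc", "product-catalog", cvss=9.1, exploit_likelihood=0.05),
]

if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(FINDINGS))          # F-1, F-3, F-2
    for fid, score in prioritize(FINDINGS, TRANSACTIONS):       # F-2 first
        print(f"{fid}: business risk {score}")
```

The two orderings disagree precisely where it matters: the CVSS-only list puts the critical finding on the non-internet-facing reporting service first, while the business-risk list puts the exploitable finding on the revenue-carrying, card-data-handling checkout path first.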
What strategies can organizations adopt to foster collaboration between application and security teams for more secure development and deployment practices in cloud-native environments?
While there is almost universal appetite for DevSecOps, there are still a number of challenges that technologists are encountering as they look to make the transition to this new way of working as seen in our Cisco AppDynamics research.
To ensure a smooth transition to DevSecOps, IT leaders need to address the skills gap, bringing in high quality security talent wherever they can, because the shift to a DevSecOps approach requires all technologists, whether they are DevOps, ITOps or SecOps, to broaden their skill sets to be able to operate effectively as part of an integrated application team.
Also, technologists need to become less skeptical and suspicious of other IT functions, and more transparent about their work. They need to embrace new processes and structures, based around collaboration, mutual understanding and recognition. So, IT leaders need to highlight the benefits of DevSecOps, not just in terms of improving the organization’s security posture, but in easing the pressure on technologists. With DevSecOps, IT teams can leave behind the firefighting that is inevitable with current approaches to application security, and take a more proactive approach.
And a successful DevSecOps approach depends on technologists from all disciplines having unified visibility across all IT environments to detect, understand and troubleshoot issues quickly and easily. But more than two-thirds of technologists state that their current security solutions work well in silos but not together, meaning that they can’t get a comprehensive view of their organization’s security posture. Therefore, organizations need to embrace automation for continuous detection and prioritization, as it reduces human error, increases efficiency, and drives greater agility in development.
Finally, 59% of technologists admit that they are overwhelmed by the volume of security threats and vulnerabilities to their organization. Given the volume of new security threats which organizations are facing, artificial intelligence and machine learning are now essential to identify gaps, predict vulnerabilities and automate processes to remediate any security holes. As bad actors ramp up their use of AI and ML, it’s vital that enterprise security teams don’t fall behind.
AIOps extends human capabilities in multiple cybersecurity tasks, including monitoring, assessing, and resolving security issues - freeing up security teams to focus on higher-value issues and enabling them to collaborate more effectively and strategically throughout the development lifecycle.