DevSecOps
From DevOps to DevSecOps
APIs and web applications are being developed ever more agilely and rolled out faster than ever before thanks to DevOps. To ensure that security does not become a brake, a Shift Left is necessary. However, automated security checks during development are not enough. For comprehensive security of APIs and applications, a Shield Right is needed at the same time.
Shift Left: Half the truth
Why is there a need for a shift left?
Application security is often addressed very late. All too often, this results in delays shortly before the productive roll-out. Increasing agility and ever shorter release cycles further increase this problem. The Shift-Left security model attempts to identify possible weak points earlier - for example, where they arise: in software development!
Example: If a developer is made aware while still programming that their new code is problematic, they can fix it quickly. If the same problem is only uncovered during a penetration test, the result is a much greater delay.
To ensure that ideas can be tested quickly and feedback obtained early, development, security and operations work together in the same team. Security tools are automatically integrated into every phase of the software development life cycle. The result: secure software with the speed of Agile and DevOps. Security thus becomes a cost saver and accelerator at the same time. Find out what this has to do with a shift left in our blog article "Leftward slide in security culture".
Cornerstones of Shift Left
Automated checks uncover potential problems before delivery:
- Software Composition Analysis (SCA): open source libraries and other code dependencies are checked for known security vulnerabilities.
- Static Application Security Testing (SAST): The application's own program code is checked for anti-patterns and possible vulnerabilities already during development (white box).
- Dynamic Application Security Testing (DAST): The application running in the test environment is examined externally for vulnerabilities (black box).
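The three checks above only help if their results actually stop a delivery. The following is an added example, not Airlock's code: a small merge gate that reads scanner output in the SARIF interchange format (which many SCA, SAST and DAST tools emit), fails the pipeline when findings at or above a configured severity are present, and honours a waiver list so that triaged findings do not block every build until the 200-day fix lands. The tool names, rule ids and the embedded SARIF document are constructed sample data.

```python
"""Merge gate for automated security checks (SCA/SAST/DAST).

Added example, not Airlock's code. Scanners that write SARIF produce
documents shaped like the constructed sample below; the gate fails the
build when findings at or above the configured severity are present and
skips rules listed in a waiver set.
"""
import json
from dataclasses import dataclass

# SARIF "level" values ordered by severity. Scanners may also attach a
# numeric CVSS-like "security-severity" rule property (0-10), which is
# used when present.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str
    score: float  # 0.0 when the tool gives no numeric severity
    location: str


def parse_sarif(doc: dict) -> list[Finding]:
    """Flatten a SARIF document into Finding records."""
    findings = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        # Rule metadata lives in the driver; results reference it by ruleId.
        rules = {r.get("id"): r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            props = rules.get(rule_id, {}).get("properties", {})
            score = float(props.get("security-severity", 0.0))
            loc = "?"
            locs = res.get("locations", [])
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", 0)
                loc = f"{uri}:{line}"
            findings.append(Finding(tool, rule_id, res.get("level", "warning"), score, loc))
    return findings


def blocking_findings(findings, min_level="error", min_score=7.0, waived=()):
    """Return the findings that should fail the pipeline."""
    out = []
    for f in findings:
        if f.rule_id in waived:
            continue  # triaged and accepted for now; tracked elsewhere
        if LEVEL_RANK.get(f.level, 0) >= LEVEL_RANK[min_level] or f.score >= min_score:
            out.append(f)
    return out


def gate(doc, waived=()):
    """Return (passed, blocking_findings) for a SARIF document."""
    blocking = blocking_findings(parse_sarif(doc), waived=waived)
    return (len(blocking) == 0, blocking)


# Constructed sample: one SAST result (SQL injection pattern, score 9.8) and
# one SCA result for a medium-severity dependency advisory. Tool names and
# rule ids are placeholders, not real scanner output.
SAMPLE_SARIF = json.loads("""
{ "version": "2.1.0",
  "runs": [
    { "tool": { "driver": { "name": "example-sast",
        "rules": [ { "id": "py/sql-injection", "properties": {"security-severity": "9.8"} } ] } },
      "results": [
        { "ruleId": "py/sql-injection", "level": "error",
          "locations": [ { "physicalLocation": {
              "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42} } } ] } ] },
    { "tool": { "driver": { "name": "example-sca",
        "rules": [ { "id": "EXAMPLE-ADVISORY-0001", "properties": {"security-severity": "5.3"} } ] } },
      "results": [
        { "ruleId": "EXAMPLE-ADVISORY-0001", "level": "warning",
          "locations": [ { "physicalLocation": {
              "artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 7} } } ] } ] } ] }
""")

if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_SARIF)
    for f in blocking:
        print(f"BLOCK {f.tool} {f.rule_id} ({f.level}, {f.score}) at {f.location}")
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the script exits non-zero on the SQL injection finding while the medium-severity advisory is reported but does not block; passing `waived={"py/sql-injection"}` to `gate()` models a time-boxed exception recorded in version control rather than a silently disabled check.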
Shift Left is not enough
Shift Left reduces the time and effort required to fix many security problems. However, the automatic checks are limited in their effectiveness:
- The automated checks primarily detect known vulnerabilities and typical programming errors.
- It takes an average of 200 days to fix a known vulnerability. During this time, the application must not remain unprotected!
- Security testing does not protect against bots, denial-of-service or zero-day attacks.
Shield Right: Protection at runtime
Shield Right refers to the effort to comprehensively protect APIs and applications even during operation. Runtime protection is achieved through a combination of security building blocks:
- Web Application and API Protection (WAAP): comprehensive runtime protection against a wide variety of attack vectors through WAFs and API gateways.
- Identity and Access Management (IAM) + 2FA: User-friendly and strong authentication to prevent attackers from logging in easily (e.g. with stolen passwords).
Why is the "Shield Right" needed?
- Runtime protection bridges the time until the full patch.
- A modern WAAP solution can even thwart unknown attacks.
- Reusing standard security building blocks gives development teams more speed and flexibility.
What do I have to pay special attention to with "Shield Right"?
Shift Left and Shield Right complement each other and provide all-round application protection across all phases of the software lifecycle. To avoid a gap between the two initiatives, runtime protection must be integrated as early as possible (see the benefits listed below).
WAAP meets DevSecOps:
Microgateways for agile application protection
Traditional application firewalls and API gateways tend to be centrally operated and are often incompatible with modern DevSecOps principles. Under these circumstances, application teams find it difficult to take more responsibility for security. In order for application protection to have its full impact in agile enterprises, microgateways are increasingly being deployed. Airlock Microgateway is a lightweight WAAP solution designed specifically for use in container environments.
Benefits of Microgateways
- Maximum autonomy for application teams: developers and DevSecOps engineers are given full control over application-specific security rules. When the application is updated, the customized security rules are rolled out simultaneously and autonomously.
- No costly delays just before release: The lightweight Microgateways provide effective application protection as early as development and in the test environment. Integration problems are thus detected early and practically eliminated.
- Infrastructure + Security as Code is a prerequisite for automating and embedding security in CI/CD pipelines. This means that changes to security rules are always made in a controlled, traceable and, if necessary, automatic manner.
- Zero Trust: Microgateways ensure effective implementation of the Zero Trust principle by shifting security checks away from the perimeter to the applications.
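What "Security as Code" and "Zero Trust" look like in practice, for the Shield Right building blocks above (WAAP deny rules bridging the patch window, IAM with a second factor) and for the Microgateway benefits just listed: the following is an added example and not Airlock Microgateway's configuration format or code. A per-application policy is plain data that lives next to the deployment manifests and is rolled out with the application; every route must say who may call it, unknown paths are denied, and a constructed "virtual patch" deny rule rejects an unexpected parameter value on one endpoint until the code fix ships. The session store, token strings, route prefixes and rule id are all made up for the example.

```python
"""Security-as-code for a microgateway-style runtime policy.

Added example, not Airlock Microgateway's code. The policy and the
session table are constructed; a real gateway validates the bearer
token against the IAM (signature, expiry, audience) instead of looking
it up locally.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    query: str = ""


@dataclass
class Decision:
    allowed: bool
    reason: str
    status: int


# Constructed policy, versioned alongside the application manifests.
POLICY = {
    "routes": [
        {"prefix": "/public/", "auth": "none"},
        {"prefix": "/api/", "auth": "bearer", "require_mfa": True},
        {"prefix": "/admin/", "auth": "bearer", "require_mfa": True, "roles": ["admin"]},
    ],
    # Virtual patch (constructed): until the export handler is fixed, only the
    # two documented "format" values are let through to it.
    "deny_rules": [
        {"id": "VP-2024-EXPORT", "path": r"^/api/export$",
         "query": r"(^|&)format=(?!(csv|json)(&|$))"},
    ],
}

# Constructed session store standing in for a validated IAM session.
SESSIONS = {
    "tok-alice": {"sub": "alice", "mfa": True, "roles": ["user"]},
    "tok-bob": {"sub": "bob", "mfa": False, "roles": ["user", "admin"]},
}


def _route_for(path):
    """Longest matching prefix wins, so /admin/ beats a shorter prefix."""
    matches = [r for r in POLICY["routes"] if path.startswith(r["prefix"])]
    return max(matches, key=lambda r: len(r["prefix"]), default=None)


def authenticate(req):
    """Resolve the bearer token to a session record, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def evaluate(req):
    """Apply deny rules, then route-level authentication and authorization."""
    # 1. Deny rules run first: a virtual patch must hold even for logged-in users.
    for rule in POLICY["deny_rules"]:
        if re.search(rule["path"], req.path) and re.search(rule["query"], req.query):
            return Decision(False, f"deny rule {rule['id']}", 403)
    # 2. Every route needs an explicit policy entry; anything else is denied.
    route = _route_for(req.path)
    if route is None:
        return Decision(False, "no route policy", 404)
    if route["auth"] == "none":
        return Decision(True, "public route", 200)
    # 3. Identity is established by the gateway, never trusted from the client.
    ident = authenticate(req)
    if ident is None:
        return Decision(False, "authentication required", 401)
    if route.get("require_mfa") and not ident["mfa"]:
        return Decision(False, "second factor required", 403)
    needed = set(route.get("roles", []))
    if needed and not needed & set(ident["roles"]):
        return Decision(False, "role not permitted", 403)
    return Decision(True, f"allowed for {ident['sub']}", 200)


if __name__ == "__main__":
    for req in (Request("GET", "/public/index.html"),
                Request("GET", "/api/orders", {"Authorization": "Bearer tok-bob"}),
                Request("GET", "/api/export", {"Authorization": "Bearer tok-alice"}, "format=xml")):
        d = evaluate(req)
        print(req.method, req.path, "->", d.status, d.reason)
```

Because the policy is data, a change such as adding or retiring the virtual patch is a reviewed commit that deploys with the application, which is the traceability the "Infrastructure + Security as Code" benefit refers to; ordering deny rules before authentication is what makes the patch-window protection independent of who the caller is.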