Securing cloud native applications: ActiveCampaign’s VP, Information Security provides perspective

Cloud native has been a growing trend as organizations shift away from on-premise infrastructure and longer software release cycles towards a more iterative development approach using cloud-based tooling and infrastructure. While cloud native applications enable rapid deployments and greater scalability, this emerging software approach also introduces security challenges.

During a recent webinar, Best Practices for Securing Modern Cloud Native Applications, Simon Maple, VP of Developer Relations & Community at Snyk spoke with Chaim Mazal, VP, Information Security at ActiveCampaign, about the changing application security landscape and the impact it has had on ActiveCampaign. Here’s what they had to say.

How modern applications have changed

In the past, applications consisted mostly of developers writing custom code and pulling open source libraries, while operations teams looked after the servers, VMs, network, and other infrastructure required to run the software. Cloud native development—where companies adopt DevOps methodologies, microservice architectures, containerization, and more—is changing the scope of modern applications.

“When you think about the fact that you wrap your custom code and open source libraries within your Docker container, including Infrastructure as Code or other configuration files to deploy onto your environment,” Maple said, “people are deploying not just code, but they’re deploying their environments, really.”

This increased scope for applications brings additional security concerns that are becoming the responsibility of developers. That means, along with vulnerabilities in the code and open source dependencies, application security now involves other aspects such as containers, config files, and more.

The evolving modern technology stack

“We’ve all heard the buzzword,digital transformation, moving across into a cloud environment,” Maple said. “There is an amount of additional security concerns that flow to the developer as a result of the scope of applications and the responsibility of developers changing.”

ActiveCampaign, which helps over 150,000 businesses across 170 countries around the world better connect and engage with their customers, is one example of a company modernizing its tech stack. Through automating marketing, sales, and many other business processes, the ActiveCampaign platform optimizes customer experiences at scale.

The enormous growth and scale of ActiveCampaign required a new approach to software development to continue delivering new features and integrations at a rapid pace. In fact, the company’s tech stack has continued to evolve from its initial monolithic PHP application to include containerized Python and Java microservices, a .NET landing page application, and JavaScript for the platform’s frontend. Even with such a diverse tech stack, ActiveCampaign never compromised on security.

“Snyk covers all of these technologies,” Mazal explained, “It didn’t matter what stage we were in or our current evolution of actively deploying and maintaining our software. We’re able to get full [security] coverage through a lot of the tooling that has been provided by Snyk.”

A developer-centric security approach

With ActiveCampaign’s shift towards developer empowerment, the company’s security engineers wanted a tool like Snyk that’s developer-centric and could be easily integrated as part of regular development processes. This DevSecOps approach has enabled ActiveCampaign’s developers to push code at their own cadence within the confines of guardrails that prevent new security vulnerabilities from being introduced.

“Security is a cultural value at ActiveCampaign,” Mazal said. “Everyone owns security, but our security team helps drive and enable the availability for teams to be successful with minimal interference or drag. Having guardrails, but flexibility is key to the whole thing.”

Security within the software supply chain

Today’s software supply chain often consists of custom code, open source dependencies, containers, and Infrastructure as Code (IaC). Snyk has security scanning solutions for each of these risk areas, which ActiveCampaign has adopted for comprehensive cloud native application security.

Implementing security scanning within local development environments tools like IntelliJ IDE and the command line enables ActiveCampaign to detect most issues before they reach their staging environments. In the past, most companies would detect security vulnerabilities and software bugs mostly in staging and production environments, so this proactive approach enables real-time feedback during development.

“Today, we’re able to get real-time feedback in local dev and through our CI/CD pipeline using a bunch of integration and toolsets,” Mazal said. “This allows us to get continuous, instantaneous feedback at the earliest inception of code so that developers can make timely decisions that reduces the risk across our platform.”

Security tooling is critical

As companies introduce additional technologies, application security and visibility become much more challenging. By investing in the right security tooling, however, organizations can leverage automation for continuous feedback and vulnerability remediation within existing development processes. That way, companies can more easily scale their security efforts across the organization without any barriers to adoption.

“If you don’t have the right tooling in place or you don’t have visibility, and it’s hard to make the right adjustments,” Mazal explained. “Without a quick and easy way to get instantaneous feedback, it’s very hard to make continuous iterations that improve your overall risk posture.”

With Snyk, ActiveCampaign also has in-depth dashboarding and metrics that the company didn’t have before. Granular statistics at the product and team level create healthy competition at ActiveCampaign that helps drive the organization’s developers to do the best job that they can.

In addition, actionable data enables ActiveCampaign to iterate its existing DevSecOps processes to improve its security posture going forward. Developer-friendly tooling that’s built for cloud native applications, therefore, is critical for today’s application security teams.

We hope you enjoyed reading the highlights from Snyk’s conversation with ActiveCampaign about the changing application security landscape. If you’re interested in learning more about ActiveCampaign’s shift to cloud native and the company’s adoption of Snyk, you can watch the full webinar here.

Optimizing the DevOps experience on AWS

As an AWS customer, ActiveCampaign is constantly looking for new ways to optimize their flexibility in using services like Amazon ECR and Amazon EKS to manage their container workloads.

“If you look at our staging and production at a high level, we use Elastic Load Balancers, Elastic Kubernetes Service (Amazon EKS)… we are using Amazon’s container registry (Amazon ECR) as well now, and we’re doing some very cool things with Snyk to make sure that everything that exists within that registry is monitored so that we can’t introduce anything outside of what’s been tested, which has been extremely helpful... This is how we make sure that all of our containers and images have been approved and verified, making sure we don’t pull in anything else along the development pipeline. The developers will use Snyk to ensure they don’t have any vulnerable packages in their code. By the time an image gets published to Amazon ECR, we’ve provided [developers] with standardized tooling that allows us to be able to have full insight and not have to ask questions like “Hey, where’d you pull that image from? A random registry on the internet? Where are you getting that base container image?”

In partnering with modern security vendors like Snyk, ActiveCampaign’s engineering team can build applications with confidence, letting Mazal’s team manage governance in the organization, while development teams use Snyk’s integrations across the AWS toolset to automatically detect vulnerabilities in container workloads on Amazon ECR, and monitor Amazon EKS clusters for new vulnerabilities and misconfigurations, all while accelerating delivery of cloud native applications.