
Bringing cloud native application security full circle

June 8, 2022

The cloud has enabled organizations to build and deploy applications faster than ever, but security has become more complex. The shift to cloud has created a world where everything is code — not just the applications, but also the infrastructure they run on. So, any security issue within an application or cloud environment can put an entire system at risk. And keeping that cloud native application stack secure is increasingly the responsibility of development teams.

This means developers are now concerned with the security of their first party code, the open source dependencies they use, the containers and infrastructure as code (IaC) used to deploy the application, and even the continued security of the application and its run state configuration.

In this post, we’ll discuss the need to bring application security and cloud security together to deliver more secure cloud native applications.

Cloud native security during development

Effective cloud native application security starts with scanning for vulnerabilities during development. Finding and fixing vulnerabilities as the code is written improves the security of the application itself, and this same approach can also be used for the cloud.

Today’s cloud environments are essentially applications because they consist of Dockerfiles for containers and IaC configurations that are both similar to code. That means these files can be scanned to detect and remediate potential vulnerabilities during development. Since misconfigurations are one of the most common types of cloud vulnerabilities, they’re a substantial risk area for cloud native applications that should be discovered within these cloud files early on.

Strong cloud native app security starts with shifting security left by automatically scanning all the components of software — from first party code and open source dependencies to containers and IaC configurations. And this needs to be done with tools that developers want to use, since they’re the ones accepting the responsibility.

Comprehensive security in the cloud

The cloud is highly dynamic and ephemeral, meaning most cloud infrastructure is constantly evolving. It’s crucial to put measures in place to secure the cloud environment where the application will be deployed, and consider runtime security beyond the original source files.

Since IaC configuration changes can be automatically executed in a matter of minutes, configuration drift becomes a real risk. Drift occurs when the current state of the cloud infrastructure no longer aligns with its IaC definition. Continuously monitoring IaC-managed cloud infrastructure for deviations is crucial for reducing the risk of data breaches, application downtime, and deployment failures.
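To make the drift check concrete, here is an added example (not Snyk's or Fugue's code) that compares the attributes an IaC definition declares with a constructed snapshot of the live account and reports resources that were changed, deleted, or created outside of IaC; the resource names and attribute values are made up for illustration.

```python
import json

# Constructed: attributes the IaC definition declares for each resource.
DECLARED = {
    "aws_security_group.web": {
        "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}],
        "tags": {"env": "prod"},
    },
    "aws_s3_bucket.logs": {"versioning": True, "public_access_block": True},
}

# Constructed: what a describe call against the live account returns.
LIVE = {
    "aws_security_group.web": {
        "ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                    {"port": 22, "cidr": "0.0.0.0/0"}],  # added by hand in the console
        "tags": {"env": "prod"},
    },
    "aws_s3_bucket.logs": {"versioning": True, "public_access_block": False},
    "aws_iam_user.temp": {"console_access": True},  # never declared in IaC
}

def _flatten(prefix, value):
    """Turn nested dicts into dotted leaf paths so each attribute compares on its own."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from _flatten(f"{prefix}.{key}", sub)
    elif isinstance(value, list):
        # Compare lists as sets of serialised items: reordering is not drift, an added rule is.
        yield prefix, frozenset(json.dumps(item, sort_keys=True) for item in value)
    else:
        yield prefix, value

def detect_drift(declared, live):
    """Return (kind, path, declared_value, live_value) tuples for every deviation."""
    findings = []
    for rid in sorted(set(declared) | set(live)):
        if rid not in live:
            findings.append(("missing", rid, None, None))     # deleted out of band
        elif rid not in declared:
            findings.append(("unmanaged", rid, None, None))   # created out of band
        else:
            want = dict(_flatten(rid, declared[rid]))
            have = dict(_flatten(rid, live[rid]))
            for path in sorted(set(want) | set(have)):
                if want.get(path) != have.get(path):
                    findings.append(("changed", path, want.get(path), have.get(path)))
    return findings
```

Each finding names the dotted attribute path, so the report can be routed back to the file that declares the resource rather than patched in the live environment.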

Effective cloud security goes beyond the development stage by monitoring for new vulnerabilities in production and mitigating potential cyber attacks once the application is running in the cloud.

Connecting cloud security back to the code

Monitoring for security threats when the cloud native application is running in production provides valuable insights, but this information still needs to be connected to the source code and configuration files. That’s because persistent security patches need to be implemented in the code itself rather than the live environments that these containers and IaC definitions generate.

However, most security tools fail to deliver runtime insights back to the engineers who will actually be fixing the issues. This makes it difficult to determine the root cause of a vulnerability that was detected in production, which leaves the entire cloud native application at risk.

Therefore, the most complete implementation of cloud native application security requires vulnerability scanning and actionable insights from the code to the cloud and back to the code again.

Break down security silos with Snyk

Today’s cloud native applications require comprehensive security for every component of the application across its full lifecycle. That’s why Snyk combines application security, configuration security, and cloud security into a unified platform that engineers can use to improve the security posture of their cloud native applications.

Snyk’s acquisition of Fugue brings cloud security posture management into the DevSecOps workflow, connecting the cloud runtime context back to development teams. This helps prevent configuration drift for IaC resources and provides actionable feedback for remediating issues detected in the cloud.

The Snyk integration with Sysdig will also deliver the runtime context to engineers, particularly for Kubernetes deployments. Sysdig monitors containers deployed using Kubernetes, profiling everything running in each container in real time. This gets linked to Snyk’s list of vulnerabilities so that developers can prioritize their remediation based on their potential risk exposure.

Besides uniting cloud security and configuration security, Snyk also scans all the components of the cloud native application stack: the application code, open source dependencies, container images, and cloud configurations. In short, scanning every component from development to production, and delivering runtime insights back to engineers, brings cloud native application security full circle.

Want to learn more about developer-first cloud security? Download our latest white paper: Securing Cloud Applications from Code to Cloud (and Back to Code)