Serverless Security
A Complete Guide to Cloud-Native Application Security
Explore this comprehensive guide to application security, which provides an overview of the importance of embedding runtime application security controls in the application build workflow to protect cloud-native web applications and APIs.
There has been a notable surge in the use of web applications, but they can cause strain on the application development teams that build them. The increased use of cloud-native applications raises a new set of challenges due to the high rate of code changes and fast pace of development. This increases the potential to introduce software bugs and security vulnerabilities. According to Verizon’s 2020 Data Breach Investigations Report, the majority of breaches were caused by web application attacks, making it the top hacking vector amongst breaches.
Evidently, there is a need for better protection and visibility. Applications that are not secured and monitored continually are a prime attack target for cybercriminals trying to disrupt organisations. This article will explore the background of cloud-native applications, best practices for securing them, and how to choose the right solution for your needs.
Adoption of Cloud-Native Applications
With enterprises developing applications at lightning speed, technology trends have shifted from traditional monolithic web applications development to modern microservices and serverless architectures. This allows organisations to deliver applications and their updates at a more rapid and required pace.
This has increased the challenge for development and security teams to work together to ensure cloud native applications are adequately protected from attacks. This is achieved through instilling a defence-in-depth strategy that crosses the continuous integration and continuous deployment methodology (CI/CD). Traditional security controls don't provide the security needed to protect cloud platforms. You need a modern, cloud-native instrumented system to gain the visibility needed for today’s cloud-native threats.
Securing Your Cloud-Native Applications
Security processes can encompass the early stages of the cloud-native application life cycle. While developers are committing code and building container images, security protocols must be in place to identify open source, container image, and registry security gaps such as vulnerabilities and malware to help mitigate risks early and reduce costs. However, as applications remain vulnerable at runtime while they are deployed, security professionals must consider all avenues of threats and should not be complacent when it comes to securing the full application life cycle. From code changes that have not been tested but slip through to production, to zero-day attacks, runtime applications will continue to require examination.
Whether building applications on-premises, as a container in the cloud, or using serverless designs, security tools shouldn’t interfere with the development pipeline, and end-to-end visibility, monitoring, and detection are a top priority for security champions to manage.
Traditionally, organisations have protected their applications using network protection tools ranging from network firewalls and intrusion prevention systems (IPSs) to web application firewalls (WAFs). However, it has become clear that these controls are limited to looking at web traffic and lack visibility into the running application.
While a WAF adds an extra layer of protection, today’s attacks can bypass the WAF with automated tools. Additionally, maintaining a WAF requires a lot of heavy lifting. You need a team that can monitor its complexity, ensure proper configuration or adherence to rules, develop expressions, and input validation, which adds up to a lot of time and money on top of existing licence costs.
Application security is deployed quickly and provides deep instrumentation and continuous detection and protection before cybercriminals can infiltrate the application. Organisations are shifting to runtime application security, which allows them to embed security controls directly into the application by default.
This facilitates the increasing speed of development and the ability to build applications that can be pushed to public cloud environments and services with the security controls built in. By helping protect your application immediately upon deployment, security teams can be assured that applications across modern platforms are going to be able to prevent threat actors from penetrating the application. This also allows development teams to gain better insight and remediation steps to identify security gaps at runtime.
To do that, several technologies are available to help developers catch security flaws before they’re baked into a final software release.
However, these tools have downsides that may cause more challenges for DevOps teams:
SAST has difficulties scanning and reporting on cloud-native applications because static tools only see the application source code they can follow. As more cloud-native apps are now developed with libraries and third-party components, the tool fails when it tries to process these links.
DAST interactively tests the application from the outside, which requires the application to be fully built upon every code change. This prevents DAST from fitting well into an agile CI/CD pipeline. It also only provides an external view of security, while forgoing what’s happening inside the application.
Both SAST and DAST are older technologies which provide less effective security for cloud-native applications and can impede faster agile deployment strategies where DevOps teams require security tools to keep up with the pace of development.
IAST is an evolution that combines the benefits of both SAST and DAST with a developer-friendly approach. It is designed to work with development, testing, and/or QA environments to identify security vulnerabilities inside the application. In addition, it can be used in production environments to test traffic rapidly. This instant feedback can then be easily used to remediate via automation, or sent back to the developer for code changes, typically actioned in the next application build.
There is an urgent need to implement modern security that will protect production applications from malicious and unforeseen threats in real time. Through deep instrumentation, application security must be able to detect weaknesses and vulnerabilities across today’s modern code streams—as well as platforms like APIs, containers, and serverless applications—without deploying numerous tools and relying on multiple skill sets.
Application security must also bring greater value to both security champions and application engineers by deploying security that can improve the pace of remediation and response. This allows organisations to monitor traffic and block attacks in real-time.
A New Type of Application Security is Needed: “RASP”
Gartner defines runtime application self-protection (RASP) as, “a security technology that is built or linked into an application or application runtime environment and is capable of controlling application execution and detecting and preventing real-time attacks”.
RASP provides a level of visibility and detection that network security controls cannot achieve by operating within the context of the application. Instead of monitoring the application for potentially malicious inputs, RASP only processes inputs that could change the behaviour or operation of the application.
RASP has two modes:
- In detect mode, the software monitors calls to the application and sounds an alarm if a suspect call is made.
- In mitigate mode, RASP can prevent the execution of suspect instructions or terminate a user session.
This approach has the potential to increase accuracy without significantly impacting the performance of the application.
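The two modes can be seen in a small sketch, added here as an illustration and not Trend Micro's agent or any product's code: a hypothetical `SqlGuard` hook sits in front of the database call and flags a request value only when it changes the structure of the SQL statement. The tokenizer, class names and sample data are constructed for this example.

```python
import re
import sqlite3

# Simplified SQL tokenizer (constructed for this example): strings, comments, words, punctuation.
TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\w+|[^\s\w]")

class BlockedCall(Exception):
    """Raised in mitigate mode when a suspect call is stopped."""

class SqlGuard:
    """Hypothetical in-app hook sitting in front of the database sink."""
    def __init__(self, conn, mode="detect"):
        self.conn, self.mode, self.alerts = conn, mode, []

    def _changes_structure(self, sql, value):
        # Swap the request value for a harmless literal; if the token count
        # differs, the value added SQL syntax instead of staying data.
        if not value or value not in sql:
            return False
        return len(TOKEN.findall(sql)) != len(TOKEN.findall(sql.replace(value, "x")))

    def execute(self, sql, request_values):
        suspects = [v for v in request_values if self._changes_structure(sql, v)]
        if suspects:
            self.alerts.append({"sql": sql, "values": suspects})  # detect: raise the alarm
            if self.mode == "mitigate":
                raise BlockedCall("request value altered the SQL statement")
        return self.conn.execute(sql).fetchall()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def find_user(guard, name):
    # Deliberately string-built query (the flaw being watched); the code fix is a parameterized query.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return guard.execute(sql, [name])

if __name__ == "__main__":
    hostile = "x' OR '1'='1"  # constructed sample input
    detect = SqlGuard(make_db(), "detect")
    print(find_user(detect, hostile), detect.alerts)  # query still runs, alert recorded
    try:
        find_user(SqlGuard(make_db(), "mitigate"), hostile)
    except BlockedCall as exc:
        print("blocked:", exc)
```

Ordinary values such as `alice` pass through both modes without an alert, because they leave the statement's token structure unchanged.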
Benefits of RASP
- Security is provided anywhere you choose to place your application
- Embedded via code so doesn’t slow down development
- Offers real-time protection and insight at runtime
- Vulnerability coverage is comprehensive and automatic
- Works at scale and tailored for scaling applications
- Provides insight into the application behaviour that perimeter security lacks
Introducing Trend Micro Cloud One™ – Application Security
Application Security is an evolution in protection, providing real-time application security-as-a-service. Delivered as part of its industry-leading Trend Micro Cloud One™ platform, Application Security provides code-level visibility and protection against the latest cyber threats from the inside. You can quickly and easily build protection into your application with just two lines of code, helping to minimise your risk and deliver greater visibility into the safety of your applications.
Application Security allows you to:
- Detect and block vulnerabilities and malware automatically at runtime
- Gain visibility into application threats with detailed forensics that investigate right down to the line of code
- Utilise protection that is difficult to evade or bypass
- Analyse the execution of the app
- Install IPS rules for vulnerabilities in web applications
- Use broad platform support to maintain your legacy applications and security for modern architectures. This includes containers and serverless compute environments
- Use broad language support for traditional application designs, as well as cloud-native architectures
- Manage centralised visibility and control with Trend Micro Cloud One management
Application Security reduces the need for multiple application security tools across old and new platforms as well as coding languages. This security provides active guardrails and runs as a passive background process that doesn’t interfere with your release pipeline and schedule.
Once deployed, Application Security notifies your security and operations teams according to pre-configured policies and provides them with highly accurate attack forensics to facilitate an effective response.
In addition, Application Security guards against determined attackers who are continuously running scanners against your application, creating malicious user accounts, fuzzing various elements, triggering exceptions, and attempting to run exploitation tools.
Trend Micro Cloud One Secures Your Applications at Runtime
By embedding Application Security in your applications, you will receive alerts as soon as attackers begin conducting scans and attacks. You will not only be able to stop runtime attacks before they occur, but also give developers the capability to pinpoint vulnerabilities in their code that the attack could exploit.
Whether applications are developed in-house or by third parties, code identification helps DevOps and security operations teams prioritise their response and take effective next steps to resolve security issues. Using the Trend Micro Cloud One platform, teams can implement a range of security services and compliance checks alongside Application Security without hindering agile cloud development and deployment processes.
Application Security 101 outlines the most common risks to applications that software developers should be mindful of when securing code. The Open Web Application Security Project (OWASP) foundation has a comprehensive list of risks of web applications and APIs. While Application Security protects against all OWASP listed risks, it is important that developers are aware of the most common application security risks:
Insufficient logging and monitoring. Lack of capability in detecting threats could allow malicious actors to tamper, extract, or destroy data, as well as further attack systems, maintain persistence, and pivot to more systems.
Injections. Flaws in or improper configuration of SQL, NoSQL, OS, and LDAP can be abused in injection attacks. For example, untrusted data may be sent to a code interpreter through a form input or other data submission methods to a web application. This could lead threat actors to use hostile data to trick the interpreter into executing malicious commands or providing unauthorised data access.
Data leaks and exposure. Web applications that do not properly protect sensitive data could allow threat actors to steal or modify weakly protected data. They could also conduct malicious activities such as credit card fraud and identity theft, amongst others. Improperly configured or badly coded APIs could also lead to a data breach.
You can address each event manually or you can configure Application Security to react automatically to attackers, stopping them in their tracks before any damage is done.
Most importantly, real vulnerabilities are not exploited because of the runtime protection, and your developers will have code-level information regarding the vulnerability, so that they have an immediate feedback loop to fix it. Application Security helps you accelerate time-to-market for the software without compromising security.
Next Steps: Requirements to Get Started
Setup is simple. All you need is a Trend Micro Cloud One account, with Application Security enabled. Sign up for the free trial now and get access to the entire Trend Micro Cloud One service platform.
How to Get Started with Deployment
Install the Trend Micro Cloud One™ – Application Security Agent
Follow the simple steps here to deploy a new agent into your application.
a. Integrating an agent into your application depends on your supported framework. The supported platforms are:
i. Python
ii. Node.js with Express
iii. PHP
iv. Java
v. .NET
We will continue to add new frameworks to our supported list based on market demand.
1. Define security policy
The runtime security policy identifies the rules and procedures to secure your application.
2. Embed micro-agent into code
Application Security only takes a minute to add the agent to your application. You are not required to change your application code.
3. Deploy app
The agent will discover the make-up of the cloud-native application, enabling it to automatically defend your organisation.
4. Protect and monitor the app
Application Security acts automatically and notifies the security teams according to pre-configured rules with specific attack forensics.
You’re ready to protect your modern cloud apps from attacks. Want more? Check out our documentation site to explore customisable APIs, user guides, and see what’s new.