In a recent interview with Lotem Guy, VP of Product at Cycode, a company that builds an Application Security Posture Management (ASPM) platform spanning code to cloud, we discussed the rapidly evolving landscape of application security. In recent years the discipline has expanded well beyond code security alone, and with it the definition of modern application security.
“I think we see that the application security landscape has been getting wider and wider in the last couple of years. It’s not just about code security anymore, which is more of the historical application security definition,” Lotem added. The focus has shifted from securing application code alone to what Lotem calls “code to cloud”: everything from the code itself, through the development pipeline, to deployment and runtime in the cloud.
Gaps in Security and the Rise of Modern Attacks
One of the most important points in the interview concerns the unaddressed areas of modern application security. While code-security and cloud-security tooling has matured, the stages between the two remain a significant gap.
“But everything in between is really not covered, and when we see modern attacks today, they’re targeting exactly that, the non-covered areas of your software supply chain.”
The areas “in between code to cloud” are the stages of the software development lifecycle that code passes through between being written by a developer and running in a cloud environment.
Here’s a breakdown of those areas from a code and development point of view:
- Source Code Management (SCM): This includes the repositories where code is stored, versioned, and managed. Secure handling of code at this stage is essential to prevent unauthorized access and code manipulation.
- Continuous Integration/Continuous Deployment (CI/CD): CI/CD pipelines automate the building, testing, and deployment of code. This includes build automation, automated testing, integration with other parts of the software, and preparation for deployment. The SolarWinds and Codecov attacks mentioned in the interview targeted this stage: SolarWinds through a compromised build system, Codecov through a tampered CI uploader script.
- Third-Party and Open Source Code Integration: Modern development often relies heavily on third-party libraries and open-source components. Vulnerabilities in these components can introduce security risks.
- Secrets Management: The handling of sensitive values such as API keys, tokens, and passwords. Mishandling them, most commonly by hardcoding them in source or committing them to a repository, creates significant exposure, because anyone with read access to the code (or to a leaked copy of it) obtains a working credential.
- Configuration Management: Ensuring that all configurations across development, testing, and production environments are consistent and secure is crucial. This involves server configurations, network settings, and access controls.
- Containerization and Orchestration: Many modern applications are containerized (using technologies like Docker) and orchestrated (using tools like Kubernetes). Misconfiguration at this stage can lead to vulnerabilities.
- Cloud Deployment and Runtime Security: Once deployed to the cloud, applications need to be continuously monitored and secured against potential runtime vulnerabilities. This includes access control, encryption, monitoring, and logging.
- Software Composition Analysis (SCA): The tooling that inventories the third-party and open-source components described above and matches them against known vulnerabilities and license data.
- Collaboration Tools and Shared Storage: The interview also touched on how secrets end up in tools like Confluence and Slack and in S3 buckets, which development teams use to collaborate and share information and which are rarely covered by code-focused scanning.
The challenges highlighted in the interview emphasize that while there are distinct solutions for code security and cloud security, the “in between” areas encompassing these various stages and aspects of the development lifecycle are often less well-covered and protected.
These areas represent a broad and complex landscape with numerous potential weak points that malicious actors might target. Cycode’s approach aims to address these challenges by providing a comprehensive solution that spans these areas, offering a unified platform for managing and enhancing the security posture across the entire software supply chain.
Lotem brings up well-known examples like SolarWinds, where a compromised build system injected a backdoor into signed product builds, and Codecov, where a modified CI uploader script exfiltrated credentials from customers’ build environments. Both illustrate the need to secure the entire software supply chain, not just the code and the cloud at either end.
Addressing Hardcoded Secrets
Cycode’s approach to resolving the issue of hardcoded secrets in cloud-based workspaces reveals a strong response to a common vulnerability: “So in this uncovered or area of the software supply chain, stealing secrets for attackers and using them to get inside an organization or just to get inside their services – it’s kind of the easiest and quickest win.”
Hard-coded secrets, such as passwords and API keys embedded directly in source code, carry significant risk: exposure to anyone who can read the repository, difficulty rotating or revoking them once they have spread, and compliance failures. Lotem emphasized avoiding them through secret-management tools, automated scanning for detection, collaboration and education between development and security teams and, in some cases, encryption. These measures are part of the broader shift toward integrating security early in the development cycle, mitigating a common yet critical class of weakness.
Cycode’s expanded detection coverage, including Confluence, AWS S3 buckets, and Azure, is intended to find secrets that have leaked out of the codebase into these less-watched locations.
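To make the detection side of this concrete, here is an added example of the kind of check a secrets scanner runs over both source files and collaboration content such as a wiki export. It is illustrative code written for this article, not Cycode’s code and not part of the interview. It combines two signals: well-known vendor token prefixes (AWS access key IDs, GitHub tokens, Slack tokens, PEM private-key headers, all public formats) and a Shannon-entropy check on values assigned to credential-like names; the 3.5 bits/char threshold is a tuning assumption. Alongside the scanner is the hardened pattern it should steer developers toward: reading the secret from the process environment, where a secret manager injected it. All sample inputs are constructed and none is a real credential.

```python
"""Hardcoded-secret detection plus the hardened alternative.

Added example, not Cycode's code. Vendor token prefixes and a
Shannon-entropy check over credential-like assignments; all sample
inputs below are constructed and none is a real credential.
"""
import math
import os
import re
from dataclasses import dataclass

# Vendor-prefixed formats: cheap to match, rarely false positives.
PREFIX_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "name = value" / "name: value" with a credential-like name; the value
# is then entropy-checked, which separates a real token from "changeme" fillers.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_.-]*(?:secret|token|password|passwd|api[_-]?key|auth)[a-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[A-Za-z0-9+/=_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits/char; tuning assumption, suits hex/base64 tokens
PLACEHOLDER_HINTS = ("example", "changeme", "placeholder", "your_", "xxxx", "dummy")


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source="<input>"):
    """Return a Finding for every credential-like token in text, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line_findings = [
            Finding(source, line_no, kind, m.group(0))
            for kind, pat in PREFIX_PATTERNS.items()
            for m in pat.finditer(line)
        ]
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if any(f.value in value for f in line_findings):
                continue  # already reported under a vendor-specific pattern
            if any(hint in value.lower() for hint in PLACEHOLDER_HINTS):
                continue  # documentation placeholder, not a live credential
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                line_findings.append(Finding(source, line_no, "high_entropy_assignment", value))
        findings.extend(line_findings)
    return findings


def load_secret(name, env=os.environ):
    """Hardened counterpart: the secret is injected into the process environment
    by a secret manager or CI vault and never lives in the repository.
    Fails closed when the value is absent instead of falling back to a default."""
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"secret {name} was not provided to the environment") from None


# Constructed inputs: a source file showing the vulnerable and the hardened
# pattern side by side, and a wiki-style export where a token and a key were pasted.
SAMPLE_SOURCE = """\
# constructed snippet, as a scanner would see it in a repository
AWS_ACCESS_KEY_ID = "AKIAQ7Z2M3PX4V8N0K1B"
api_key = "c4f0b2e19d7a86351e5d3a7f2b9c0486"
db_password = "changeme-placeholder-value"
token = "aaaaaaaaaaaaaaaaaaaa"
api_key_hardened = os.environ["API_KEY"]
"""
SAMPLE_WIKI = """\
Deployment runbook (constructed Confluence-style export)
Use the bot token xoxb-1234567890-abcdefghij when paging the on-call channel.
-----BEGIN RSA PRIVATE KEY-----
(key body intentionally omitted from this constructed sample)
"""

if __name__ == "__main__":
    for src, text in (("app/config.py", SAMPLE_SOURCE), ("runbook.txt", SAMPLE_WIKI)):
        for f in scan_text(text, src):
            # Redact in reports: scanner output must not become a second leak.
            print(f"{f.source}:{f.line_no}: {f.kind}: {f.value[:6]}...[redacted]")
```

Run as a script, it reports the AWS key ID and the hex API key from the source sample, and the Slack token and private-key header from the wiki sample, while skipping the `changeme` placeholder, the low-entropy filler and the hardened `os.environ` line. The redaction in the report line matters in practice: a scanner that prints full secrets into CI logs or a ticketing system has just copied the credential into yet another under-protected location, which is exactly the problem the interview describes.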
Cycode’s Unified Platform and Client Impact
Lotem further highlights Cycode’s ASPM (application security posture management) platform and its breadth of coverage. From code security and software composition analysis to CI/CD pipeline security and cloud security, Cycode integrates with the tools used across the software development lifecycle and provides continuous analysis.
One success story he shares involves a large enterprise with approximately 100,000 repositories spread across thousands of organizations within the company. An earlier, long-running development project aimed at the same problem had ultimately failed. With Cycode, the team was able to scan and prioritize security issues across all repositories quickly, putting a comprehensive posture-management layer over code security. Early risk identification, fast remediation, and unified management cut their time to value substantially and showed that the approach scales to complex environments.
Emphasizing Collaboration and “Controlled Shift Left”
An interesting concept discussed by Lotem is the “controlled shift left.” Shift left in software development means integrating security practices early in the software development lifecycle: by embedding security in the design and coding stages, vulnerabilities are found and fixed earlier, when they are cheapest to address. The “controlled” qualifier stresses a balanced, tailored rollout, with collaboration between development and security teams, continuous monitoring, and alignment with compliance requirements, so that developers are not flooded with findings they cannot act on. This allows rapid development without compromising security and is part of Cycode’s emphasis on bridging the gap between code and cloud security.
Conclusion: Lotem’s Top 3 Best Practices
Lotem concluded the interview with three valuable pieces of advice for organizations that create cloud applications:
- Coverage and Understanding Risks: Lotem emphasizes the importance of understanding the areas where an organization is not covered from a security perspective. By identifying the highest risks and the areas where attackers may have an advantage, organizations can prioritize and implement proper security measures. The goal is to ensure comprehensive protection across the development landscape, including previously neglected or overlooked areas.
- Choosing the Right Tools: This piece of advice highlights the need for security tools that are both effective and easy to operate. Every tool has an operational cost, so it is essential to select tools that cover the risks without creating operational headaches. Ideally, these tools also solve other operational challenges and integrate seamlessly into the development process.
- Shifting Left and Collaboration: Lotem’s final advice underscores the importance of the “shift left” approach in application security, emphasizing the need for collaboration between security and R&D or development teams. By integrating security considerations early in the development cycle, and doing so in a controlled manner, organizations can be more effective in remediating risks. The key is to foster a culture where both developers and security professionals work together, ensuring that security becomes an integral part of the development process, rather than an afterthought or a hindrance.
The insights shared by Lotem Guy emphasized both the gaps and the solutions that are shaping modern application security. His perspective illuminates Cycode’s holistic approach to security, encompassing everything from hardcoded secrets to continuous scanning and the importance of controlled collaboration. The future of application security is in this integrated approach, where risks are not just identified but effectively managed and remediated across the entire development life cycle. For more information about Cycode, visit https://cycode.com