
Application security: 3 important pillars of engineering ecosystem security

The engineering ecosystem has experienced a huge paradigm shift, with more languages, more frameworks, and minimal technical or procedural obstacles to adopting new technologies or implementing third-party tools and frameworks. This arises as organisations race to deploy new features and cloud apps as rapidly as possible in order to remain competitive.

Many organisations have utilised continuous integration and continuous delivery (CI/CD) solutions for more automated and agile software testing, developing, and deploying procedures to speed up development and deployment. With 77% of organisations now sending new or modified code to production weekly and 38% committing new code daily, this move has brought unparalleled velocity, flexibility, and agility to engineering.

Speed is great, but security must never be compromised. Criminals are quickly recognising the engineering ecosystem as a threat vector that is both simple to target and ripe for exploitation, with significant and lucrative repercussions. The infamous SolarWinds attack happened when a build system was compromised, resulting in malware being sent to 18,000 customers. Another recent example is the successful infiltration and disruption of CircleCI, a leading CI/CD platform that stores highly private client secrets and tokens. These examples demonstrate how a single insecure piece in an engineering context can have far-reaching implications.

The engineering ecosystem is sometimes overlooked because security teams are more concerned with eliminating runtime misconfigurations and vulnerabilities than with addressing vulnerabilities across the full attack surface. Because of this new reality and the escalating attacks, we must reconsider application security – the overarching security umbrella that covers the engineering ecosystem. The conventional AppSec problem of preventing security issues and misconfigurations from reaching production has become far more complicated. Simultaneously, there is a completely novel category of risks and threats focused on exploiting security defects in the various systems and procedures throughout the software delivery chain, from coding to deployment.

Developing the Groundwork for a Successful Application Security Program

A modern engineering ecosystem’s effective application security program can be divided into three disciplines:

  1. Security in the Pipeline (SIP)

SIP seeks to prevent security issues and misconfigurations from reaching production environments by targeting the code and artefacts going through the pipeline. In SIP, we must regularly discover all development languages and frameworks in use across an organisation’s entire codebase and guarantee that scanners and engines specialised for those languages and frameworks are seamlessly woven into the development process.

This ensures that no new bugs are introduced into the codebase and that old bugs are steadily eliminated.

  2. Security of the Pipeline (SOP)

SOP focuses on the security posture of each individual system in the software delivery chain, from coding to deployment, as well as the interconnections between these systems and the third parties they employ (the software supply chain). SOP is based on the realisation that the engineering ecosystem has become a profitable target for adversaries, who have discovered that engineering ecosystems provide a highly effective mechanism to run malicious code in sensitive environments and gain access to extremely valuable secrets and tokens. Unlike SIP, which focuses on the code and artefacts moving through the software delivery chain, SOP focuses on the security controls and procedures that surround the delivery chain itself.

  3. Security Around the Pipeline (SAP)

SAP aims to safeguard the software delivery chain and to apply the controls needed to prevent anyone, human or application, from circumventing it. Achieving excellent SIP and SOP is only partially successful if an attacker can push code directly to production or deploy a malicious container to K8s. To accomplish effective SAP, we must be able to answer two key questions:

  • Is the software delivery chain responsible for everything that is running in production? Was everything subjected to all necessary checks and controls?
  • Are all of the necessary visibility and posture controls in place to prevent the software delivery chain from being circumvented?
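One way to make the first SAP question answerable in practice, as an added example that is not part of the original article: compare the image digests actually running in a cluster against the digests the pipeline recorded for artefacts that passed all of its checks. The build ledger, the registry name and the workload list are constructed sample data; a real deployment would feed in the pipeline's own attestation or signing records and each pod's pulled image reference.

```python
# Added example (not from the article): a "Security Around the Pipeline" check
# that answers "is the software delivery chain responsible for everything
# running in production?" by comparing image digests seen in a cluster against
# the digests the pipeline itself recorded for artefacts that passed all checks.
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    namespace: str
    name: str
    image: str  # pulled reference, e.g. "registry.example/app@sha256:<hex>"


# Constructed sample: a hypothetical build ledger the pipeline appends to after
# every successful build. Real input would be the pipeline's own attestation or
# signing records, not a hard-coded set.
PIPELINE_BUILT_DIGESTS = {
    "sha256:" + "a" * 64,  # built by the pipeline, all checks passed
    "sha256:" + "b" * 64,
}

# Constructed sample of what is actually running, e.g. gathered from each pod's
# status.containerStatuses[*].imageID, which carries the pulled digest.
RUNNING = [
    Workload("payments", "api", "registry.example/api@sha256:" + "a" * 64),
    Workload("payments", "worker", "registry.example/worker:latest"),
    Workload("default", "debug-shell", "registry.example/tools@sha256:" + "f" * 64),
]


def image_digest(image: str):
    """Return the sha256 digest pinned in an image reference, or None when the
    reference uses a mutable tag and therefore proves nothing about provenance."""
    if "@sha256:" not in image:
        return None
    return image.split("@", 1)[1]


def find_pipeline_bypasses(workloads, built_digests):
    """Flag workloads the delivery chain cannot vouch for, as (ns/name, reason)."""
    findings = []
    for w in workloads:
        digest = image_digest(w.image)
        if digest is None:
            findings.append((f"{w.namespace}/{w.name}", "mutable tag, provenance unknown"))
        elif digest not in built_digests:
            findings.append((f"{w.namespace}/{w.name}", "digest never produced by pipeline"))
    return findings


if __name__ == "__main__":
    for target, reason in find_pipeline_bypasses(RUNNING, PIPELINE_BUILT_DIGESTS):
        print(f"BYPASS {target}: {reason}")
```

Anything the check flags is either a deployment that skipped the pipeline or an image reference too loose to prove it did not, which is exactly the visibility gap the second SAP question asks about.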

Effective application security must now go well beyond the traditional scope of code scanning and must match today’s engineering environment. SIP, SOP, and SAP are all about accelerating engineering while keeping risk and security under management. By focusing on these three disciplines, organisations can guide their security and developer teams to construct modern, safe, and scalable engineering ecosystems in the cloud.
