A New Approach to Application Security
Organizations are being challenged by increasing demands for always-on, reliable, and secure application services to meet their internal and customer needs. This fuels an environment of rapid, iterative development and deployment of applications in production. To enable this agility, it has become ever more necessary for businesses to use models that allow them to automate their processes as much as possible. In this context, from an application security point of view, several new challenges and risks arise. Therefore, solutions that provide greater visibility and proactive control of vulnerabilities and attacks throughout the application life cycle (including QA and Production) are gaining critical importance.
GAVS conducted a webinar in collaboration with Hdiv Security, to discuss DevSecOps and how the IAST (Interactive Application Security Testing) and RASP (Runtime Application Self-Protection) approaches can help security teams detect vulnerabilities in their applications in real-time (including cloud environments) and protect their integrity even if the infrastructure has been compromised.
This blog captures some of the key discussion points and takeaways from the webinar titled ‘A New Approach to Application Security’. The link to the entire webinar is available at the end of the blog. The panelists were the Global Head of Cybersecurity at GAVS and Daniel Lopez, Sales Director at Hdiv Security.
New Security Challenges in Software Development
With large-scale adoption of agile development methodologies, application functionality grows incrementally and continuously, in very short time frames. There is also a surge in the move to the cloud, accelerated by the pandemic. While these are welcome changes, they have given rise to new security challenges. For instance, refactoring code that was not originally built for the cloud can introduce vulnerabilities and expose the system to potential security threats.
Other security and operational issues include lack of time for team members to review apps manually, security solutions not fully adapted to the cloud, sub-optimal communication between security and dev teams, and complex security issues such as client-side vulnerabilities (Magecart), business logic flaws, Server-Side Request Forgery (SSRF), and untrusted deserialization.
Traditional application security protection such as a WAF (Web Application Firewall) helps block attack attempts against the infrastructure and applications. However, WAFs cannot provide application runtime observability and are not capable of handling several other classes of security threat. Traditional approaches also suffer from a high number of false positives, resulting in alert fatigue and the risk of losing sight of critical issues.
The Solution - DevSecOps
In the traditional software development approach, development and operations teams work in silos. As a result, releases and deployments happen only at the end of the entire development cycle. Although DevOps integrates coding, builds, testing, pre-production UAT testing, and release management, organizations now prefer DevSecOps, since Security and DevOps teams can work together on shared sprint goals to deliver agility, stability, and increased security.
DevSecOps has enabled the seamless integration of development, security testing, security protection, and operations into software development. This makes it possible to continuously detect and remediate security vulnerabilities, and has resulted in faster, more efficient releases of better-quality, more secure software.
Today, there are several next-gen tools for DevSecOps. These new offerings have drastically improved application security and have transformed the way different teams work together. IAST and RASP technologies, which represent an evolution over legacy tools, help enterprises overcome security challenges in areas where traditional security approaches are insufficient.
Unified Security for DevSecOps
A unified approach to application security needs to detect vulnerabilities in real-time and offer protection to applications in production from a broad range of attacks. It needs to embed security automation into the entire software development lifecycle and be capable of preventing even business logic flaws without customization. IAST and RASP work together in tandem to make this possible. Some of their key capabilities:
Detection (IAST)
- Reliable vulnerability assessment tool for all teams based on IAST technology
- Near 0% false-positive rate
- Ability to detect a wide range of problems
- Caters to modern architectures such as APIs
- Includes SCA functionality out of the box, even when the source code is not accessible
Protection (RASP)
- Solid attack protection based on RASP technology
- Full visibility of application internal architecture and runtime execution flow
- Actionable insights into what is under attack and what is not
- Automatic protection for security bugs that could not be remediated
- Prevention of business logic flaws and design flaws
- 100% cloud and container compatible
- Very low performance impact
This blog offers only a high-level gist of the webinar. You can watch the entire discussion, including the poll questions, and the experts’ take on audience questions here.
GAVS periodically organizes insightful webinars with GAVS’ tech leaders, the leadership team, and industry thought leaders to explore current and emerging trends. To watch all of our other webinar recordings, please visit https://www.gavstech.com/videos/.