
Cloud-Native Development A GUIDE FOR BUYERS


SD Times

November 2021

www.sdtimes.com

Securing cloud-native applications
BY JAKUB LEWKOWICZ

Cloud-native development has become the de facto way that companies make new apps due to its speed and cost savings. While it has opened up the world of Kubernetes, containers, and serverless to most organizations, they still need to grapple with certain complexities and security concerns that this style of development brings.

Concerning the use of modern, cloud-native application services such as microservices, functions as a service, containers, and container orchestration frameworks (Kubernetes), more than 80% of developers report that their organizations are in the process of implementing, piloting, or already using these services, according to the IDC report “PaaSView and the Developer 2021.” This is only expected to grow, according to analysis from Gartner that found that the cloud platforms with the highest adoption plans in the next 12 months (over 20% of respondents) were cloud-managed Kubernetes and container platforms (CaaS) or aPaaS, citizen development platforms, and cloud-managed serverless function platforms (fPaaS/FaaS).

“Today, if I’m going to write a new kind of customer service portal, for an insurance company, the likelihood of that not being cloud-native is very low. Because it is just more scalable and much easier to update and much more resilient,” said Rani Osnat, the VP of strategy and product marketing at Aqua Security.

Cloud-native development changes the way that developers traditionally approached development with the use of CI/CD and more rapid methods of continuously updating software. This has presented some challenges since users don’t necessarily have advanced knowledge of where everything will run because it can run anywhere, according to Osnat.

“You get this much more flexible environment to work in, but it also requires you to be a lot more cognizant in how you package code and deliver it compared with older kinds of waterfall SDLC or where it was a much slower process,” Osnat said.

Because of the difficulty in setting up Kubernetes, few companies use vanilla Kubernetes, instead opting for more managed options. One such option is a distribution of Kubernetes that has better defaults and is more suited to certain types of applications, like K3s, the lightweight Kubernetes which is used a lot in IoT. The single-node Kubernetes can also be effectively used in development and testing, according to Osnat.

Moving deeper are the cloud-managed offerings such as AKS, EKS, GKE, and others. “Those are basically set up for you in terms of the cluster. You don’t need to do much with configuring a master node,” Osnat said. “A lot of the cloud developers will create on-prem versions of these. Amazon, for example, has EKS Anywhere, which is identical to EKS, but you can run it on-prem, or even another cloud if you want, at least in theory.”

Even further are platforms like OpenShift and Tanzu, which wrap Kubernetes with additional functionality, with more opinionated or preset configurations and other capabilities around it such as identity access management and better versioning and deployment controls, Osnat explained.

Cloud-native’s dependence on open source requires extra security

Both the use of cloud-native development and open source are growing hand in hand, prompting companies to put up additional security measures to work with the much more open code.

“Today, in a typical cloud-native application, you’ll see that 70-80% of the codebase is open source. So you could say the cloud-native applications have a lot of reusable code. And the issue that creates is that first of all, there’s a supply chain issue where you don’t govern all the code that comes in,” Osnat said. “And the second is known vulnerabilities. So open source has many more known vulnerabilities than custom code simply because it’s open.”

Contrast Security’s 2021 State of Open-source Security Report revealed that traditional software composition analysis (SCA) approaches attempt to analyze all of the open-source code contained in applications, which translates into a huge time and resource expenditure chasing vulnerabilities that pose no risk at all. Yet, for third-party code that is invoked, the risk is inherent: the average age of a library is 2.6 years, and applications contain an average of 34 CVEs.

While working with functions, it becomes more apparent that the traditional tools that are used for security won’t suffice, according to Blake Connell, the director of product marketing at Contrast Security.

“With functions, because you’re just assembling these small bits of code, all those little small bits of code are entities in and of themselves. So the sort of exposure is broader for security issues. And then these permissions that are part of these functions are sort of set in kind of a default way,” Connell said. “Depending on how you assemble your application, you may want to tighten down the screws a bit more on those permissions. And that’s a common challenge with the functions serverless security angle, which is this notion of overly permissive functions.”

Securing serverless architecture

Also important is securing serverless architecture, since serverless computing is at the forefront of the cloud-native development trend, according to Connell. According to Contrast Security’s State of Serverless Application Security report, a big majority (71%) of organizations now have six or more development teams creating serverless applications. These findings are consistent with other research, such as New Relic’s Serverless Technology Semiannual report, which shows a 206% increase in average weekly invocations of serverless applications from 2019 to 2020.

Connell added that the typical company is protecting its serverless applications with a disconnected set of legacy tools that no longer work that well, even for applications on traditional infrastructure. For serverless applications, these tools are even less effective. “No-edge blindness” resulting from functions that do not have a public-facing URL gives them poor visibility into serverless architectures. The abstraction of infrastructure, network, and servers proves confusing for traditional tools and contributes to a false-positive rate that can exceed 85%, Contrast Security found. Legacy tools simply lack the context to do adequate analysis.

Serverless also presents its own challenges because it’s based on ephemeral things that can happen quickly and then disappear, so all of these require a very different set of controls, according to Osnat. As a result, organizations need a good prioritization strategy to understand which vulnerabilities are affecting the environment, Osnat explained.

“You might have vulnerabilities that rely on some network connection to be exploited. But if you’re running this in a purely internal and capsulated application, it’s less adverse than an open one that’s open to the internet,” Osnat said.

The stack affects cloud-native security

The third factor that affects security in cloud native is the beginning of this new stack that applications are being run on. Companies are no longer relying on an underlying server or VM to do the isolation for them. Users are also running various types of workloads. For example, if they’re running containers on a container-as-a-service platform like AWS Fargate, or ACI on Azure, these are containers that run in a continued virtualized environment, and there is no underlying VM that one has access to.

Organizations are giving developers more security responsibilities; however, there is a skill shortage in this area, and there are many more developers than security professionals. This has prompted companies to look towards more automated solutions that can augment the way developers handle security.

“We solve it by introducing a high degree of automation that enables developers to make security part of their daily work, but without expecting them or requiring them to change how they work or to become security experts. Nobody expects developers to become security experts and expects developers to set policies. The policy should be set by security. So what we do is we enable this solution that spans developers, DevOps, and security,” Osnat said. “Security has visibility into what’s going on and can prioritize issues for developers, and then have developers fix that in their code as far left as possible or as early as possible knowing full well that some things will not be fixed. We can say this needs to be remediated as soon as possible, you upgrade to this version, or you swap this package with this package or you change this configuration, and what cannot be remediated or can be maybe snoozed or remediated later, or you can have a mitigating control for it.”

While there is a lot that cloud providers are doing, there is also a big area of startup development of individual vendor providers of solutions that help address security concerns, according to Lara Greden, research director for IDC’s Platform as a Service (PaaS) practice.

“It’s not that organizations with their software development teams are just only making use of what the major cloud providers are providing in terms of security,” said Greden. “They’re also adding these other services that their applications are calling on the back end for services.”

Another way to solve some of these security issues is through the notion of “deputizing” developers to be a part of the security effort. The days of developers flinging code over to security, having the security team run static scans, and creating a pile of potential vulnerabilities before shipping them back to developers just won’t fly in today’s cloud-native world, according to Contrast Security’s Connell. Now automation finds a vulnerability, perhaps an overly permissive function, and gets that information to a developer in their environment early. Then it provides sample code and the suggested remediation. Developers can then literally copy and paste code, or modify it slightly, and then just resubmit that function. The solution scans again, and when everything is OK, it moves on, Connell explained.

Cloud-native development is becoming more accessible and more expansive

Whereas at first organizations were thinking in terms of using a private cloud for their applications by making use of technologies in their data centers, now it has increasingly moved towards computing at the edge, according to IDC’s Greden.

“What we have today is edge compute, that is, in some cases, being provided by the cloud providers,” Greden said. “And that’s sent as a cloud service, but from edge locations. It’s also being accessed in terms of organizations owning their own mini data centers.”

Even though there is less investment now in on-premises types of data centers or location centers, the need for compute to be close to the application for things like latency reasons has not gone away. “Now, we’re able to apply cloud-native development to those types of locations,” Greden added.

Also, now more people than ever before can make use of cloud-native development through citizen development and the use of low code. “It’s really more an era of augmented application development where developers, including full-stack developers, whether they’re junior or senior, are saying that the number one attribute of the tools they use is code abstraction, as represented by low code and no code,” Greden said. “We’ve gotten to the point where vendors are able to package certain components together, not have to rewrite code, and it really contributes to code simplicity and code elegance.”

How does your company help cloud-native development?

Rani Osnat, VP of strategy and product marketing at Aqua Security

From day one, we started out focusing on containers, because that was the big technology that was pushed in the earlier days with Docker and later on with Kubernetes. Now, we support containers of various flavors, as well as serverless, VMs, and cloud infrastructure. With security, we took this approach of a full life cycle security solution because we felt that was the only way to really solve these issues. If you’re just looking at runtime, the attack surface is too big, and you’re basically chasing endless risks that you can’t really address that effectively. If you’re only focusing on shift-left and only handling developers, you’re doing what’s necessary, but it’s insufficient, because not everything is based on vulnerabilities. You have to have these multiple control points and layers.

Our solution helps organizations at any scale to address the key challenges of cloud-native security across development, DevOps, cloud and security teams. Our Complete Cloud Native Security Platform has the ability to give each type of stakeholder the information and ability to control what they need. Also, Aqua’s Cloud Security Posture Management (CSPM) scans, monitors, and remediates configuration issues in public cloud accounts according to best practices and compliance standards, across AWS, Azure, Google Cloud, and Oracle Cloud. There are also additional add-ons, like vShield, that allow you to specifically detect and block vulnerabilities that you weren’t able to fix, and we have a product called Dynamic Threat Analysis (DTA), which addresses a different risk we see in the supply chain: hidden malware.

To learn more about Aqua’s Cloud Native Security Platform or start a free trial of the plan that’s right for your organization, visit us online at www.aquasec.com.

Blake Connell, Director of Product Marketing at Contrast Security

Organizations are turning to serverless environments to help realize the full potential of DevOps/Agile development. Serverless technologies enable instant scalability, high availability, greater business agility, and improved cost efficiency. While serverless is quickly becoming a preferred approach for helping organizations accelerate the development of new applications, their existing toolsets for application security testing (AST) perpetuate inefficiencies that ultimately bottleneck release cycles. There are also some key differences that create some unique challenges:

• An expanded attack surface. Serverless has more points of attack to potentially exploit. Every function, application programming interface (API), and protocol presents a potential attack vector.
• A porous perimeter is harder to secure. Serverless applications have more fragmented boundaries.
• Greater complexity. Permissions and access issues can be challenging and time-consuming to manage.

Contrast Serverless Application Security is designed specifically for serverless development. The complimentary, purpose-built solution for serverless AST ensures that security and development teams get the testing and protection capabilities they need without legacy inefficiencies that delay release cycles. Key benefits include:

• Visibility. Gain complete security visibility across your serverless architecture.
• Speed. Onboarding takes two minutes, with zero configuration and immediate results after scanning.
• Frictionless. Automatically discovers any new change deployed to the tested environment, issues new tailored security tests, and validates findings in close to real time.
• Accuracy. Provides near zero false positive results with vulnerability evidence for true vulnerabilities.
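The “overly permissive functions” problem Connell raises, and the automated find-and-suggest-a-fix loop the article describes, as an added example that is not code from the article or from Aqua or Contrast: a check over a Lambda-style execution-role policy document that flags wildcard actions and resources, NotAction/NotResource grants, and a watch-list of sensitive actions, returning a remediation hint per finding. The policy document, the role ARN and the watch-list are constructed for illustration.

```python
"""Flag overly permissive statements in a serverless function's execution-role
policy. Added example, not from the article or any vendor named in it; the
policy document at the bottom is a constructed sample."""
import fnmatch
import json

# Actions that let a function escalate privileges or alter other code. An
# assumed defender's watch-list for illustration, not an authoritative set.
SENSITIVE_ACTIONS = ("iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
                     "sts:AssumeRole", "lambda:UpdateFunctionCode")

def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def _sensitive_matches(action_pattern):
    """Sensitive actions that an IAM action pattern such as 'iam:Pass*' grants."""
    return [a for a in SENSITIVE_ACTIONS if fnmatch.fnmatchcase(a, action_pattern)]

def _finding(idx, severity, reason, fix):
    return {"statement": idx, "severity": severity, "reason": reason, "fix": fix}

def check_policy(policy):
    """Return findings for Allow statements that grant more than the handler
    needs; Deny statements cannot over-grant and are skipped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(_finding(idx, "high",
                "NotAction/NotResource allows everything except the listed items",
                "List the exact actions and resource ARNs the function uses"))
            continue
        actions = _as_list(stmt.get("Action", []))
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        all_resources = "*" in _as_list(stmt.get("Resource", []))
        if wildcards and all_resources:
            findings.append(_finding(idx, "critical",
                f"wildcard action(s) {wildcards} on every resource",
                "Replace with the specific actions and ARNs the handler calls"))
        elif wildcards:
            findings.append(_finding(idx, "high", f"wildcard action(s) {wildcards}",
                "Replace the service wildcard with the individual actions used"))
        elif all_resources:
            findings.append(_finding(idx, "medium", "actions allowed on Resource '*'",
                "Scope Resource to the ARNs this function actually touches"))
        for action in actions:
            if action in wildcards:
                continue  # already reported above
            for hit in _sensitive_matches(action):
                findings.append(_finding(idx, "high",
                    f"sensitive action {hit} granted via {action!r}",
                    "Move this grant to a dedicated role or drop it if unused"))
    return findings

# Constructed sample: a typical logging grant plus a few over-broad statements.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:Pass*",
     "Resource": "arn:aws:iam::123456789012:role/example-role"},
]}

if __name__ == "__main__":
    print(json.dumps(check_policy(SAMPLE_POLICY), indent=2))
```

The logging statement passes because its resource is a scoped ARN pattern rather than a bare "*", while the three over-broad statements each produce one finding with a concrete fix.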




A guide to cloud-native tooling

FEATURED PROVIDERS

Aqua Security: Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application life cycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions, and cloud VMs.

Contrast Security: Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software. Contrast’s patented deep security instrumentation completely disrupts traditional application security approaches with integrated, comprehensive security observability that delivers highly accurate assessment and continuous protection of an entire application portfolio. This eliminates the need for disruptive scanning, expensive infrastructure workloads, and specialized security experts. The Contrast Application Security Platform accelerates development cycles, improves efficiencies and cost, and enables rapid scale while protecting applications from known and unknown threats.

Amazon: AWS Lambda is a serverless, event-driven compute service that lets users run code for virtually any type of application or backend service without provisioning or managing servers. Users can trigger Lambda from over 200 AWS services and software as a service (SaaS) applications, and only pay for what they use. Build serverless backends using AWS Lambda to handle web, mobile, Internet of Things (IoT), and third-party API requests.

DigitalOcean: DigitalOcean Kubernetes enables development teams both small and large to quickly take advantage of Kubernetes without the lead time required to provision, install, and operate a cluster. With its simplicity and developer-friendly interfaces, DigitalOcean Kubernetes empowers developers to launch their containerized applications into a managed, production-ready cluster without having to maintain and configure the underlying infrastructure.

IBM / Red Hat: With Red Hat OpenShift on IBM Cloud, OpenShift developers have a fast and secure way to containerize and deploy enterprise workloads in Kubernetes clusters. OpenShift clusters build on Kubernetes container orchestration that offers consistency and flexibility in operations. Because IBM manages OpenShift Container Platform (OCP), you’ll have more time to focus on your core tasks. Protect your cluster infrastructure, isolate your compute resources, encrypt data, and ensure security compliance in your container deployments with the security-rich IBM Cloud. Includes strict Security Context Constraints for greater pod security by default.

Nutanix: Nutanix HCI provides a cloud-like experience in your environment across compute, networking and storage. It is easily managed, highly resilient, and scales linearly without limit, enabling you to easily meet the demands of Kubernetes and other complex distributed systems. Through strategic partnerships with Microsoft, Google Cloud, and AWS, Nutanix enables you to seamlessly extend your public cloud investment and user experience to your on-prem Kubernetes environment.

Palo Alto Networks: Prisma Cloud secures infrastructure, applications, data and entitlements across the world’s largest clouds, all from a single unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection. From container security to threat detection to web application and API security, security teams benefit from best-in-class protection.

Rancher Labs: Rancher is a complete software stack for teams adopting containers. It addresses the operational and security challenges of managing multiple Kubernetes clusters, while providing DevOps teams with integrated tools for running containerized workloads. When Rancher is used alongside K3s, organizations are equipped with a simple yet complete solution to run Kubernetes at the edge. K3s simplifies deployment at the edge and enables users to quickly launch thousands of clusters. Rancher helps K3s users manage the high volume of clusters with Rancher Continuous Delivery, which gives users a controller that allows them to efficiently manage Kubernetes at the edge.

Stackery: Stackery provides operational tools for developers building serverless applications. Easily detect and surface application errors, version control your serverless infrastructure, and securely manage configurations and deployments. Stackery helps developers build production-grade serverless applications by providing an abstraction layer on top of base serverless technologies like AWS Lambda. Stackery allows you to focus on your business logic rather than configuring infrastructure services.

VMware: VMware offers vSphere, which enables users to manage complex, modern apps as easily as traditional apps and VMs on infrastructure that supports container-based application development. Rearchitected with native Kubernetes, you can now modernize the 70+ million workloads running on vSphere. And now, you can run modern, containerized applications alongside existing enterprise applications on existing infrastructure with vSphere with Tanzu.


Breakthrough Application Security for Serverless Environments

Contrast Serverless Application Security is purpose-built as part of a unified security platform offering, built to get secure code moving through the entire development pipeline and continuously protect across the complete software life cycle. Contrast’s developer-friendly approach to serverless application security testing includes pipeline-native autonomy and automation. Organizations gain complete security visibility for AWS Lambda functions with near-zero false positives.

Use Contrast Serverless to achieve: comprehensive observability, automated application security, and seamless, rapid deployment and management.

Visit contrastsecurity.com/serverless to learn more.

