TechTarget's Enterprise Strategy Group (ESG) recently surveyed 350 IT and cybersecurity professionals and application developers to create a report called Modernizing Application Security to Scale for Cloud-Native Development. The survey results and analysis offer insights into the strategies, tools, and investments security and development teams are leveraging to address modern AppSec. The survey also generated some compelling data related to AppSec teams' challenges in the face of a rapidly changing development environment.
When asked to identify their top challenges for AppSec teams supporting cloud-native dev processes, "understanding developer environments and assets to effectively manage security" was one of the top three responses provided. With the explosion of innovations like APIs, multi-cloud deployments, containers, and AI-generated code, the attack surface has grown exponentially in recent years, and security teams are struggling to achieve the visibility and context required to effectively mitigate risk.
More evidence of the struggle to keep up with changing development practices emerged in the survey responses about the speed of development and infrastructure as code.
Speed of Development
Software development cycles today run at a lightning-fast pace and often leave security teams struggling to keep up. When asked about the security challenges with faster development cycles, survey respondents cited the following three areas as their top challenges:
■ Prioritizing needed remediation based on business criticality, reachability, or exploitability (35%)
■ Security lacks visibility and control in development processes (34%)
■ Software is released without going through security checks and/or testing (34%)
With the intense pace of development, chasing down each and every vulnerability becomes unfeasible – it is therefore not surprising to see prioritizing remediation top the list of challenges. Security teams can't afford to spend time, money, and effort fixing something that doesn't actually represent real risk to the organization.
What's missing is contextual prioritization of the overall development environment in order to select which vulnerabilities to fix first based on the impact to the business. Security teams should aim to shift the focus to overall product security rather than creating silos for cloud security, application security, and other components of the software supply chain. They should also seek out a clear view of the full software factory, its assets, its owners, its security controls, its vulnerabilities, and how all are related.
Increasing IaC Misconfigurations
With the software development factory becoming increasingly complex and automated, there are increasing opportunities for misconfigurations to create risk, and AppSec teams are struggling to manage that increase.
For example, the misconfiguration of build servers is a common problem that creates significant vulnerabilities. Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren't treated as critical from a security perspective. In many cases, these systems (Jenkins, for example) are misconfigured or otherwise vulnerable and unpatched.
Another increasingly common risk is infrastructure as code (IaC) misconfigurations.
Infrastructure as code use is exploding as developers look for ways to move faster. With IaC, developers can provision their own infrastructure without waiting for IT or operations. However, with increased use comes an increased chance of misconfigurations. In fact, 67% of survey respondents noted that they are experiencing an increase in IaC template misconfigurations. These misconfigurations are especially dangerous because one flaw can proliferate easily and widely.
Examples of these misconfigurations include:
■ Not using the latest version of TLS
■ Relying on username/passwords instead of SSH keys
■ Creating cloud assets with excessive permissions, for example, S3 buckets with read/write permissions
Development tool misconfigurations often stem from privilege issues. Many tools are over-privileged because they're easier to integrate if users have full access. To avoid this in IaC, security teams should pay special attention to access controls in IaC definitions:
■ Determine what users need to do, then craft policies allowing them to perform only those tasks.
■ Do not allow all users full administrative privileges.
■ Start with a minimum set of permissions and grant additional permissions as necessary.
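The access-control guidance above can be checked mechanically before a template is merged. The following is an added example, not part of the original article or the ESG report: it audits AWS IAM policy documents of the kind embedded in IaC templates and flags over-broad Allow statements. The two sample policies and the bucket name are constructed for illustration.

```python
# Constructed sample policies in AWS IAM policy JSON form (bucket name is hypothetical).
OVER_PRIVILEGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::*"},
]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-build-artifacts/releases/*"},
]}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy):
    """Return (statement index, finding) pairs for over-broad Allow statements."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((i, "NotAction with Allow grants everything not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((i, "full administrative access: Action '*'"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard action: {action}"))
        for resource in _as_list(stmt.get("Resource")):
            # "arn:aws:s3:::*" matches every bucket in the account
            if resource == "*" or resource.endswith(":::*"):
                findings.append((i, f"applies to every resource: {resource}"))
    return findings


if __name__ == "__main__":
    for name, pol in (("over-privileged", OVER_PRIVILEGED), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, audit_policy(pol))
```

Run as a pre-merge check, a non-empty result blocks the change until the statement is narrowed to the actions and resources the workload needs.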
Context and Clarity
It's clear that modern software security requires better context and more clarity. With the speed and complexity of development environments, security teams need visibility that allows them to make sense of the complexity and move at the speed of development, but current application security tools are falling short.
With different application security tools scanning code in different ways across the development lifecycle, most AppSec tools generate a lot of results without a lot of context. Without contextual risk ranking among applications and vulnerabilities, either "everything" is a priority, or "nothing" is a priority.
Additionally, AppSec teams need the kind of visibility that is standard for endpoint and network protection — where security teams collect a complete list of assets and a map of the environment to know what needs to be protected and where proper controls should be put in place.
For example, creating an automated SDLC asset inventory for development pipelines allows security teams to apply security policies to that inventory and check for risky violations — quickly and accurately. Threat modeling will then allow the team to identify risky implementations before starting development.
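A sketch of the inventory-plus-policy approach described above, as an added example that is not from the original article: security policies are evaluated against an SDLC asset inventory and the violations are ordered by business criticality, so the first items to fix are the ones on the most important assets. The inventory records, field names, and policy rules are all constructed assumptions.

```python
# Constructed inventory; field names and criticality scale (1 low, 3 high) are assumptions.
INVENTORY = [
    {"id": "repo/payments-api", "type": "repo", "owner": "team-payments", "criticality": 3,
     "deploys_to_prod": True, "controls": {"branch_protection", "sast"}},
    {"id": "repo/marketing-site", "type": "repo", "owner": "team-web", "criticality": 1,
     "deploys_to_prod": True, "controls": {"branch_protection"}},
    {"id": "repo/billing-jobs", "type": "repo", "owner": None, "criticality": 3,
     "deploys_to_prod": True, "controls": set()},
    {"id": "build/jenkins-01", "type": "build_server", "owner": "team-platform",
     "criticality": 3, "patched": False, "cloud_role_admin": True, "controls": set()},
]

# Each policy: (name, applies-to predicate, compliant predicate). Rules are illustrative.
POLICIES = [
    ("every asset has an owner", lambda a: True, lambda a: bool(a["owner"])),
    ("prod repos require branch protection",
     lambda a: a["type"] == "repo" and a["deploys_to_prod"],
     lambda a: "branch_protection" in a["controls"]),
    ("prod repos require a security scan before release",
     lambda a: a["type"] == "repo" and a["deploys_to_prod"],
     lambda a: "sast" in a["controls"]),
    ("build servers are patched",
     lambda a: a["type"] == "build_server", lambda a: a["patched"]),
    ("build servers do not hold admin cloud roles",
     lambda a: a["type"] == "build_server", lambda a: not a["cloud_role_admin"]),
]


def check_inventory(inventory, policies):
    """Return violations as (criticality, asset id, policy name), most critical first."""
    violations = [
        (asset["criticality"], asset["id"], name)
        for asset in inventory
        for name, applies, compliant in policies
        if applies(asset) and not compliant(asset)
    ]
    # Criticality descending, then asset id and policy name for stable output.
    return sorted(violations, key=lambda v: (-v[0], v[1], v[2]))


if __name__ == "__main__":
    for criticality, asset_id, policy in check_inventory(INVENTORY, POLICIES):
        print(f"criticality={criticality} {asset_id}: violates '{policy}'")
```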