What AppSec and developers working in cloud-native environments need to know

All enterprise organizations are, in essence, software publishers, regardless of their industry. This is because every enterprise relies on custom software applications for managing internal processes, interacting with customers, or analyzing data, making them creators and distributors of software to deliver their services effectively and competitively.

Application security (AppSec), a strategic segment of the broad spectrum of information security, is an ever-evolving discipline that focuses on ensuring the security, integrity, and robustness of software applications. However, to really grasp the depth and scope of application security, it’s crucial to define the term ‘application’.

Applications and the advent of IaaS and PaaS

The concept of an application took on new dimensions with the advent of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings. Before their introduction, applications were largely on-premises solutions, reliant on physical hardware and in-house software. The shift to cloud computing brought an end to this era, ushering in a new age of virtualized, scalable, and on-demand services.

IaaS and PaaS offerings redefined applications by abstracting the physical infrastructure and middleware layers. IaaS provides the virtualized hardware — compute, storage, and network resources — on which software applications run. On the other hand, PaaS delivers the runtime environment for developing, testing, and managing applications.

This shift made it possible for businesses to focus more on creating value through application development, rather than getting caught in the complexities of maintaining infrastructure. It also transformed how we define applications, shifting the focus from the physical resources and architecture supporting the app to the functionality and value the app delivers.

Evolving public cloud infrastructure

Public cloud infrastructure brought forth another significant shift, redefining the boundaries between applications and infrastructure. In the public cloud, applications and their underlying infrastructure are less distinguishable and more interconnected than ever before. Applications are increasingly constructed from small, distributed components, each with its own infrastructure — further blurring the line between them.

The advent of public cloud platforms, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform, has greatly influenced the design, deployment, and management of applications.

In this environment, an application can be composed of many microservices, each running on separate containers or serverless platforms. This change has led to the term “cloud-native applications”, where applications are specifically designed for a cloud computing architecture, leveraging its benefits of scalability, resilience, and agility.

Defining an application

In the simplest terms, an application or “app” is a type of software designed to perform specific tasks or functions for users. From a technical perspective, an application could be a single line of script, a suite of services in a microservices architecture, or anything in-between. It encapsulates business logic, user interfaces, and data access, working within an operating system’s guidelines to deliver a user-friendly interaction.

However, in the business world, an application transcends mere software. It becomes a tool that drives process efficiency, enhances customer experience, facilitates data gathering, and generates insights for informed decision-making. It may incorporate various technologies and interfaces – both physical and digital – to provide a seamless user experience, enhancing an organization’s ability to meet its strategic objectives.

This multifaceted nature of modern applications introduces a myriad of security challenges.

As applications evolve from monolithic architectures to decentralized microservices, and as they integrate a broad spectrum of interfaces and technologies, the attack surface expands exponentially. Every component, interface, and line of code becomes a potential point of vulnerability. The dynamic nature of cloud-based services, often spanning across different providers and regions, further complicates the security landscape. It’s no longer just about securing standalone software but about ensuring the safety of an entire ecosystem that the application interacts with.

Additionally, the continuous integration and continuous delivery (CI/CD) processes that drive modern software development accelerate the pace at which applications are updated and deployed. While this agility benefits businesses by quickly delivering features and fixes to the end users, it also means security protocols need to be equally agile. Traditional security measures, which often rely on periodic reviews and audits, may not be sufficient in this fast-paced environment. Thus, the task of securing an application in today’s world demands a proactive, holistic, and adaptive approach. Cybersecurity professionals need to rethink and retool their strategies, ensuring that security is embedded at every stage of the application’s lifecycle, from design to deployment to decommissioning.

To thoroughly comprehend the term “application” in the contemporary cloud-first world, we must scrutinize it at several levels: as a software program, as a functional unit in a business setting, and as a blend of code and infrastructure in the modern IaaS, PaaS, and IaC context.

Application as a software program

Technically, an application refers to a software program designed to help users perform specific tasks. It is a self-contained, bundled package of coded instructions written in a programming language, with associated libraries and dependencies that instruct a computer to perform a designated set of actions. Examples range from desktop applications like Microsoft Word, to mobile applications like Instagram, to web applications like Google Docs.

An application is distinct from the operating system and the hardware — it uses the system’s resources, coordinated by the operating system, to execute its tasks. Yet, the application’s code alone doesn’t encapsulate everything that the app is: it relies on interfaces, protocols, and data structures that allow it to interact with users, the operating system, and other applications.

Application as a functional unit

In the context of a business or organization, an application takes on an additional functional meaning. It’s not just a program, but a tool for enabling business processes, improving productivity, interacting with customers, or analyzing data. This perspective brings in elements like user interfaces (UI), user experiences (UX), data management, and integrations with other software or services.

For instance, a customer relationship management (CRM) application not only involves the underlying software code, but also the database of customer information it manages, the interfaces salespeople use, the analytics it provides, and the connections it has to other systems like email or billing software.

Application in the cloud era

With the emergence of IaaS, PaaS, and IaaS models, the definition of an application extends to include the associated runtime environment and the underlying infrastructure. Applications are now not just bundles of code, but holistic systems that include the virtualized hardware resources, operating systems, databases, and network configurations they rely on.

The advent of microservices and containerization, where an application can consist of many independently deployable components each running in its own environment, further complexifies this definition. In a cloud-native application, each microservice with its code, dependencies, and environment could be considered an “application” in its own right.

The introduction of Infrastructure as Code (IaC) has further complicated the definition of applications. IaC is the practice of managing and provisioning infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.

Under this paradigm, infrastructure — traditionally considered a static, seldom modified aspect — becomes dynamic and malleable, almost an extension of the application itself. Applications and their infrastructure become closely intertwined, evolving in tandem with each other.

With IaC, the definition of an application extends to include the underlying infrastructure that it operates upon. The application’s code not only includes the business logic but also the definitions of the resources it requires to run efficiently. The application becomes responsible for its environment, and the environment becomes an integral part of the application.

The security challenge of modern applications and their blurred boundaries

These rapid advancements in cloud infrastructure and software development practices combined have redefined application boundaries in three primary dimensions: horizontal, vertical, and the overlap between code and console. These changes pose novel security challenges that demand new thinking and strategies.

1. Horizontal challenges in the cloud-native era

In the cloud-native era, instead of a standalone, monolithic structure, an application is often a composition of multiple services. Each service represents a piece in the application puzzle, interacting with others to form the entire application.

Such an interconnected environment presents several security challenges:

• Ownership: With services coming from different sources, determining responsibility becomes difficult.
• Authorization: Multi-service structures require intricate access controls.
• Compatibility: Ensuring that all services interact securely without risk.
• Dependencies: Each service may rely on multiple others, creating multiple points of failure.
• This shift towards a decentralized, microservices-oriented structure has broadened the attack surface, making it crucial to consider each service as a potential point of vulnerability.

2. Vertical integration: From IaaS to PaaS to application

The journey from on-premises software to cloud solutions has seen applications transition from being merely software programs to becoming deeply integrated with their underlying infrastructure. Today, applications don’t merely sit atop IaaS or PaaS solutions; they are intertwined with them.

IaaS provides the virtualized hardware layer, while PaaS delivers the application runtime environment. This vertical integration has blurred the lines between the application and its supporting layers. Security professionals must now ensure that the entire stack – from infrastructure to application – is secure.

3. Code vs. console: Beyond traditional software

Historically, an application was viewed as the code that made it function. Now, with the rise of IaC, the definition of an application extends beyond traditional software code. IaC ensures that infrastructure provisioning is as malleable as the application itself, with both evolving in tandem.

In the IaC paradigm, infrastructure becomes part of the application, with the application’s definition encompassing both its traditional code and the infrastructure on which it runs. This merging of code and console necessitates that security measures consider both software and its operational environment.

Implications for application security

The above dimensional shifts have transformed AppSec. As boundaries blur, security can’t be an afterthought; it needs to be an integrated part of the entire application lifecycle. CI/CD practices further emphasize the need for agile security protocols.

To navigate this new landscape, cybersecurity professionals must:

• Adopt a holistic approach that views applications as comprehensive systems, not just code.
• Ensure proactive security measures, covering both code and infrastructure.
• Continuously evolve and adapt, aligning security practices with the latest in application and infrastructure development.

Conclusion

As a result of these shifts, the definition of an application in today’s digital landscape is far from straightforward. The evolution from on-premises to IaaS and PaaS, the introduction of public cloud infrastructure, and the advent of IaC have all challenged and expanded our understanding of what an application is.

From an application security perspective, this evolving definition presents new challenges and opportunities. As the line between applications and infrastructure blurs, security teams must consider the application in its entirety — encompassing both the application code and the infrastructure code.

However, it also provides the opportunity to integrate security earlier in the development cycle, enabling more secure applications by design. As the landscape continues to change, security professionals must continually adapt and evolve, embracing new definitions and approaches to ensure the security and integrity of applications.

Source: https://www.helpnetsecurity.com/2023/09/20/software-applications-appsec-developers-cloud-native-environments/