New Methods, New Vulnerabilities

Richard M Marshall
7 min read · Sep 9, 2022
Protecting your configuration files, image by author using Jasper.ai

Computer security used to mean putting the computer in a locked room. All too often that mentality persists amongst those responsible for delivering applications: security is someone else’s problem. As compute resources become increasingly detached from actual hardware this attitude tragically opens up many new security risks. However the move to virtualize, containerize and manage infrastructure as code doesn’t have to open up new vulnerabilities with the new methods.

Chasing Optimal

When VMware introduced the ability to create multiple virtual x86 servers on a single hardware server it transformed server utilization, leaping from a mere 5% to 50%. Put another way, companies needed to buy a tenth as much equipment to achieve the same results. That was a generational change that swept through the industry, as it did not require any significant refactoring of how workload is built or deployed, but offered massive economic benefits.

The next generational change is underway with the broad adoption of containers and their orchestration as a gateway to cloud migration. Cloud and containers are seen as fundamentals to digital transformation which remains a priority for CIOs. Containers are the next step towards dissociating software execution from the hardware and operating systems on which it runs. Container orchestration takes the next step by putting software workload migration between not just servers but entire hosting options under software control. Not only do containers and orchestration continue the path of optimizing hardware resources, but they optimize the path to deployment.

Aiming for Agile

While cost reduction through resource optimization is a major factor in virtualization, another important aspect is agility. Over 70% of US organizations claim to have adopted agile, and not just in software development. Agile was originally developed as a method for delivering small, timely, useful, and above all functional software releases instead of the traditional approach of large, infrequent and generally buggy releases. Long-term research shows that just 11% of large software projects were considered successful, in sharp contrast to 61% of small projects. The small, frequent releases concept is designed to ensure always relevant, always working software. The principle is sound and is being hungrily applied to other disciplines.

Agile marketing and even agile finance are important steps towards building responsive, resilient businesses. Agility is essential for staying competitive, and inflexible IT systems, both hardware and software, are often the limiting factor. Cloud removes the need to order server and storage capacity and wait for its delivery. Containers dramatically cut the time and effort required to deploy additional applications or instances of applications, creating a form of agile operations.

Open for Business

While hardware has been migrating from the computer cupboard to the cloud, software development has also moved to a different model. Rather than coding everything from scratch, most projects seek out useful open-source components and integrate them into an overall package. This is a huge accelerator for building software, and at least theoretically improves quality as the components are tried, tested and fixed by the community.

Unfortunately some of these components have vulnerabilities in them, the weakness discovered in the widely used Log4j package being only one prominent example. Some components even deliberately contain malware; for example, the firmware used in many surveillance cameras contains back doors.

Clearly the advantage of being able to use substantial, reliable building blocks to reduce development time is critical to responsiveness and resilience. Tools and methods are available to scan for the open-source packages in use and assess their risk; however, this scanning needs to be added to development and deployment pipelines. That requires skills, investment, basic awareness and constant updating. Unfortunately all of these are in short supply, while use of open-source continues to explode in all areas, including enterprise IT.

Responsiveness and Risk

Racing driver Mario Andretti famously said “If everything seems under control, you’re just not going fast enough,” a sentiment that many investors and influencers push. However speed comes with risks, and the risks of a bad software deployment are considerable. Some rushed releases simply don’t work, resulting in lost revenue and employees unable to work. Some can literally destroy companies.

And some leave open major vulnerabilities, resulting in loss of sensitive customer data, ransomware and other debilitating cyberattacks. Even when attacks don’t result in loss, there is significant cost in dealing with them.

IT needs to balance speed and safety. Security concerns must be respected yet cannot be allowed to slow down the business. Constantly evolving threat profiles need to be monitored and protected against, yet this mustn’t detract from the ability to keep software fresh. Further, specialist knowledge and skills are required to make this happen. How can this be achieved?

Automating Protection

Everyone should be familiar with the need for antivirus scanning on our computers, something that just runs in the background and provides real-time protection against malware. However, prevention is better than cure: identifying a method of preventing errors and weaknesses before they become problems is infinitely better.

Software developers can run static checks on their code with tools that spot bugs, vulnerabilities and inefficiencies. While these have been around for a long time — for example the UNIX lint program for checking C language code dates from 1978 — recently their use has grown, resulting in steady reduction in errors. Bill Gates emphasised the importance of building trustworthy code in 2002, of which static code checking was part. Including static code analysis tools in pipelines is current best practice, with environments such as Microsoft Azure and AWS offering their own tools.

These static code analysis tools are, however, limited to the source code of the applications being deployed, and do not cover the environment in which the applications run. We urgently need an equivalent technology that can scan the configuration of development pipelines, containers, development artefacts, and all the other configuration files that define content, options and systems, so that protection is automated across all of them. Just like vulnerability checkers, this technology must be automatically updated to reflect new threats and new configuration options. Current application security products do not do this, because the risk spans application code, application management and cloud hosting configuration options.

Thankfully such a product now exists: CoGuard. Designed to drop into development workflows and a wide range of pipeline tools, CoGuard addresses the following security issues:

Problem: Misconfigured cloud landing zone configurations
Solution: CoGuard checks how cloud landing zones are configured to ensure that all the configuration options are set correctly
Benefit: Eliminates vulnerabilities and ensures compliance with corporate standards by automatically applying best practices to each deployment

Problem: Misconfigured networks
Solution: CoGuard checks the numerous network configuration options for security vulnerabilities in networking
Benefit: Eliminates vulnerabilities and ensures compliance with corporate standards by automatically applying the appropriate, strong network security settings

Problem: Misconfigured containers and container templates
Solution: CoGuard checks the container setup as well as the included application-level configuration files. In addition, it checks the configurations within their infrastructure context
Benefit: Ensures defence in depth from the container to the application layer

Problem: IaC tool configurations contain weaknesses and errors
Solution: CoGuard supports a variety of IaC tools, including Terraform, CloudFormation, Chef, and Azure Resource Manager. It also assists with migration to an IaC approach
Benefit: Works with existing setups and technology stacks, and helps move to a predictable, coded infrastructure setup

Problem: Databases with weak security settings
Solution: CoGuard checks not only the network connection of databases but also their internal configuration for authentication, authorization, high availability, and all common security benchmarks
Benefit: Puts in place extra layers of protection so that even if a database accidentally becomes accessible to a malicious player on the network it remains protected. High availability and data consistency configurations are also checked for conformance to best practices

Problem: Incorrectly configured event streaming platforms
Solution: CoGuard checks configurations and is aware of the different defaults for streaming services such as Kafka on different cloud providers
Benefit: Data in transit is protected, and applications benefit from a high-performing and maximally available message streaming platform

Problem: Misconfigured web servers and CDNs
Solution: CoGuard ensures that web servers and CDNs have all guards in place to prevent common attack vectors such as clickjacking, iframe attacks, domain spoofing, and path traversal
Benefit: Correct configurations and content serving policies are set, independent of content type
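To make the idea of static analysis for configuration files concrete, here is an added toy checker (not CoGuard's code or rule set) for the web server case in the table: it parses an nginx-style server block and flags a missing clickjacking guard, directory listing, version leakage and obsolete TLS protocols. The two configuration samples are constructed for the illustration; the hostnames and paths in them are placeholders.

```python
"""Toy static checker for nginx-style config files (added illustration of the
config-file static analysis described above, not CoGuard's code or rules)."""
import re

WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # versions a server should not offer

def parse_directives(text):
    """Map each 'name value;' line to its values, ignoring comments and braces."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(\S+)\s+(.*?);$", line)
        if match:
            directives.setdefault(match.group(1), []).append(match.group(2).strip())
    return directives

def check(text):
    """Return (rule_id, message) findings for one server configuration."""
    d = parse_directives(text)
    findings = []
    headers = [v.lower() for v in d.get("add_header", [])]
    if not any(h.startswith("x-frame-options") or "frame-ancestors" in h for h in headers):
        findings.append(("CLICKJACKING", "no X-Frame-Options or CSP frame-ancestors header"))
    if "on" in d.get("autoindex", []):
        findings.append(("DIR_LISTING", "autoindex on exposes directory contents"))
    if d.get("server_tokens", ["on"]) != ["off"]:  # nginx default is on
        findings.append(("VERSION_LEAK", "server_tokens should be off"))
    weak = {p for v in d.get("ssl_protocols", []) for p in v.split()} & WEAK_TLS
    if weak:
        findings.append(("WEAK_TLS", "obsolete protocols offered: " + ", ".join(sorted(weak))))
    return findings

# Constructed samples: a weak server block and its hardened counterpart.
WEAK_CONFIG = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # still offers deprecated versions
    autoindex on;
    server_tokens on;
}
"""
HARDENED_CONFIG = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    server_tokens off;
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "frame-ancestors 'none'" always;
}
"""
```

Running `check(WEAK_CONFIG)` yields four findings while `check(HARDENED_CONFIG)` yields none; a real pipeline would run such rules over every config file in the deployment and fail the build on findings.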

In addition to offering comprehensive checking of all configuration files in a deployment, CoGuard has a dashboard that tracks current security status.

Example of the CoGuard dashboard

These analytics allow IT and service delivery management to check the maturity and security of their deployment configuration. These reports highlight areas that particularly need attention, and include recommendations for best practices to address the vulnerabilities that have been identified.

Summary: Static Analysis for Config Files

The technology industry has made huge leaps forward in delivering software applications faster and better, with more frequent updates, supporting business responsiveness and resilience. As the models have changed, security gaps have opened up, both in personnel and in technology. These gaps cannot be allowed to become cybersecurity vulnerabilities, and new security tools must be used to automatically protect against this happening.

CoGuard is in a new category of security tools, bridging cloud configuration, software contents and containers. It offers full static analysis capabilities for configuration files which have, effectively, become the code that defines complete infrastructure. Adding CoGuard to development and deployment pipelines will ensure that these config files are treated with the same vulnerability and error checking as the application code that they support. Security can now operate at the same heightened cadence as development, putting the last piece in the jigsaw of rapid software development.


Richard M Marshall

Principal of Concept Gap in Scotland, with over 30 years of experience in the software business, including as a Gartner Analyst and Expert Witness.