A Roadmap to Modern Application Security
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Chrystal Taylor of SolarWinds lays out the waypoints on a roadmap to modern application security.
It’s been more than ten years since renowned Silicon Valley venture capitalist Marc Andreessen wrote, “Software is eating the world.” It was an easy statement to make at the time. Microsoft had just announced its plan to acquire Skype in an $8.5 billion deal, and earlier that year, IBM Watson beat Ken Jennings, the all-time Jeopardy! champion and now the show’s host.
The software industry’s evolution in the years since Andreessen’s statement has been nothing short of remarkable. Monolithic software hosted on an on-premises server gave way to user-friendly, flexible, and scalable modern applications. These modern applications, which can be built and deployed quickly, have given companies a road to digital transformation by enabling employees to be more innovative, efficient, and productive. At the same time, building applications with modern practices and platforms such as microservices, containers, and Kubernetes has brought trade-offs. Two of the primary trade-offs are complexity and security.
The attack surface grows with modern applications, which are often decentralized across multiple platforms, environments, and infrastructures. These complex, hybrid, and multi-cloud application environments are also difficult to visualize. If you don’t know where an issue is coming from or what’s causing abnormal activity, it’s much harder to address. Another area of concern is open-source code, which is used in nearly every modern application. A report earlier this year found “at least one known open-source vulnerability” in 84 percent of commercial code bases.
The Roadmap to Application Security
The solution to this problem is, of course, not to go back to monolithic legacy software. Instead, the industry needs solutions that let us embrace modern application development without giving up security. This is possible by building security testing into the development process earlier, being transparent with customers and the industry about the components and dependencies in each application, and increasing visibility within the application environment.
These three steps can put organizations on the path to secure modern applications:
- Build security in with the shift left. Picture yourself as an engineer building a car. You test and approve each part before assembly so the finished vehicle is safe to drive. The same should happen in application development through what’s known as the “shift left,” which improves the development process by embedding security measures earlier; in practice this means running checks such as static analysis, dependency scanning, and secret detection on every commit in the CI pipeline rather than once at the end. This helps DevOps teams identify vulnerabilities while the application is still being built. Traditionally, security checks occur after the build is complete, in the testing phase. If an issue surfaces there, DevOps teams must scramble to identify and fix it, which slows the release and discourages a thorough review. By prioritizing security in the build process, DevOps teams can move faster and still deliver safe, reliable products. Just as you don’t want to get on the road with a faulty steering wheel, you want to ensure each piece of your application runs properly and safely.
- Be transparent by utilizing a software bill of materials. In an age of unforeseeable cyber-attacks by committed nation-state actors using novel and sophisticated techniques, the industry needs information sharing more than ever. Being transparent about vulnerabilities and threats is critical to securing our shared cyber infrastructure. Many efforts underway at CISA and other government agencies have been instrumental in improving information sharing and collaboration to raise cyber threat awareness, but there’s more work to do. This is why application developers should embrace a similar level of transparency by clearly communicating what goes into their products. This can be done with a software bill of materials (SBOM), essentially an ingredient list for an application. At SolarWinds, we’ve been proud to help lead the industry in calling for SBOMs to become a new standard. An SBOM is a list of all the components and dependencies that make up a particular software application, typically expressed in a machine-readable format such as SPDX or CycloneDX. Its purpose is to provide transparency and visibility into the software supply chain, which helps developers identify and address vulnerabilities. In turn, SBOMs allow organizations to respond more quickly to security threats. For example, when a new vulnerability is discovered in an open-source library, an SBOM can be matched against the advisory to identify which applications are affected so teams can take steps to mitigate the risk. This only works if the SBOM is generated from the actual build and kept current as dependencies change; a hand-maintained list drifts from what ships. Used this way, SBOMs help organizations avoid costly and time-consuming breaches by surfacing points of concern early and making clear what the final product depends on.
- Increase visibility into complex IT environments through observability. Returning to our car analogy, imagine you’ve just finished manufacturing a new car that’s safe and ready to be driven. After a while, regardless of the tests that have been run, the car will inevitably need maintenance, and the check engine light turns on. For most of us, this means bringing the car to a mechanic, who runs a series of diagnostic tests to confirm the problem and tell you how it can be fixed and how much it will cost. This is a time-consuming and inefficient process. Instead, imagine a check engine light that told you exactly what the problem was and gave step-by-step instructions to fix it. Modern IT environments need the same combination of visibility and recommended remediation, and this is where observability comes in. Observability can play a crucial role in application development and security by providing real-time visibility that helps detect and remediate security issues. That requires collecting security-relevant telemetry (authentication failures, authorization denials, unusual request patterns) alongside the usual performance metrics. By reducing the Mean Time to Detect (MTTD) security issues, observability helps protect both the application and its users. By monitoring an application in real time, teams can identify potential security issues before they become significant problems and quickly take corrective action.
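The two steps above on shifting left and on SBOMs come together in a dependency gate: consume the SBOM each build produces, match it against a vulnerability advisory, and fail the pipeline before the build is promoted. The following is an added example written for this article, not code from SolarWinds or from the CISA efforts mentioned. The two CycloneDX SBOMs and the advisory are constructed for illustration; the component names, the application names, the advisory identifier and the affected version range are hypothetical, and the advisory’s introduced/fixed range shape is borrowed from OSV-style feeds.

```python
"""Match CycloneDX SBOMs against a vulnerability advisory and gate a build on the result.

Added example; not code from the article or from SolarWinds. The SBOMs and the
advisory below are constructed: component names, versions and the advisory ID
are hypothetical.
"""
import json
import sys

# Constructed CycloneDX JSON SBOMs, one per application. The field layout
# (bomFormat, metadata.component, components[].purl) follows the CycloneDX
# schema; the contents are invented.
SBOM_BILLING = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "billing-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-json", "version": "1.2.47",
         "purl": "pkg:pypi/example-json@1.2.47"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})
SBOM_PORTAL = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "web-portal", "version": "7.0.1"}},
    "components": [
        {"type": "library", "name": "example-json", "version": "1.2.83",
         "purl": "pkg:pypi/example-json@1.2.83?repository_url=pypi.example.invalid"},
        {"type": "library", "name": "jinja2", "version": "3.1.2",
         "purl": "pkg:pypi/jinja2@3.1.2"},
    ],
})

# Hypothetical advisory: every example-json release before 1.2.83 is affected.
# The half-open introduced/fixed range is the convention OSV-style feeds use.
ADVISORY = {"id": "ADV-2023-0001", "package": "pkg:pypi/example-json",
            "introduced": "0", "fixed": "1.2.83"}


def parse_version(text):
    """Turn '1.2.47' into (1, 2, 47) for ordering. Adequate for dotted numeric
    versions; a real gate should use a PEP 440 or semver library."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Split a package URL into (package, version), dropping qualifiers (?...)
    and subpath (#...). A raw '@' never appears before the version in a purl,
    so the first one separates name from version."""
    package, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return package, version


def load_sbom(text):
    """Reduce a CycloneDX JSON document to the application it describes and
    the (package, version) pairs it lists."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    app = bom["metadata"]["component"]
    components = [split_purl(c["purl"]) for c in bom.get("components", []) if "purl" in c]
    return {"application": f'{app["name"]}@{app["version"]}', "components": components}


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed (fixed=None means unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_affected(sbom_texts, advisory):
    """One finding per (application, component) inside the advisory's affected range."""
    findings = []
    for text in sbom_texts:
        sbom = load_sbom(text)
        for package, version in sbom["components"]:
            if package == advisory["package"] and is_affected(
                    version, advisory["introduced"], advisory.get("fixed")):
                findings.append({"application": sbom["application"],
                                 "component": f"{package}@{version}",
                                 "advisory": advisory["id"]})
    return findings


def build_gate(sbom_texts, advisories):
    """Shift-left gate: exit status 0 when nothing matches, 1 otherwise, so the
    CI job fails before the artifact is promoted."""
    findings = [f for adv in advisories for f in find_affected(sbom_texts, adv)]
    for f in findings:
        print(f'{f["advisory"]}: {f["application"]} ships {f["component"]}')
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(build_gate([SBOM_BILLING, SBOM_PORTAL], [ADVISORY]))
```

Run against the two constructed SBOMs, the gate reports that billing-api ships the affected example-json 1.2.47 and exits non-zero, while web-portal, already on the fixed version, passes. The same matching answers the incident-response question the article raises: when an advisory lands, run it over every stored SBOM to list the applications that need patching.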
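To make the observability step and its MTTD figure concrete, here is an added example of detection logic run over application logs; it is not code from the article or from any SolarWinds product. The structured log lines are constructed, the /login endpoint, source addresses and thresholds are hypothetical, and the detector assumes lines arrive in chronological order.

```python
"""Sliding-window detector over structured application logs, with time to detect.

Added example; not from the article or from SolarWinds' products. The log lines
are constructed; the endpoint, addresses and thresholds are hypothetical.
"""
import json
from datetime import datetime, timedelta

# Constructed access-log lines as an instrumented application might emit them.
# 203.0.113.9 hammers /login with failures (one stale failure two minutes earlier
# should fall outside the window); 198.51.100.4 mistypes a password once.
LOG_LINES = """
{"ts": "2023-06-01T09:58:00Z", "src": "203.0.113.9",  "path": "/login", "status": 401}
{"ts": "2023-06-01T10:00:00Z", "src": "198.51.100.4", "path": "/login", "status": 200}
{"ts": "2023-06-01T10:00:05Z", "src": "203.0.113.9",  "path": "/login", "status": 401}
{"ts": "2023-06-01T10:00:09Z", "src": "203.0.113.9",  "path": "/login", "status": 401}
{"ts": "2023-06-01T10:00:10Z", "src": "198.51.100.4", "path": "/login", "status": 401}
{"ts": "2023-06-01T10:00:14Z", "src": "203.0.113.9",  "path": "/login", "status": 401}
{"ts": "2023-06-01T10:00:20Z", "src": "203.0.113.9",  "path": "/login", "status": 401}
{"ts": "2023-06-01T10:00:27Z", "src": "203.0.113.9",  "path": "/login", "status": 401}
{"ts": "2023-06-01T10:00:30Z", "src": "198.51.100.4", "path": "/login", "status": 200}
{"ts": "2023-06-01T10:00:31Z", "src": "203.0.113.9",  "path": "/login", "status": 401}
"""

THRESHOLD = 5                    # failed logins from one source ...
WINDOW = timedelta(seconds=60)   # ... within this many seconds raises an alert


def parse_line(line):
    """Decode one JSON log line; timestamps are ISO 8601 in UTC."""
    event = json.loads(line)
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Alert once per source that accumulates `threshold` failed logins inside a
    sliding window. Each alert records how long the attack ran before detection."""
    recent = {}      # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in filter(None, (raw.strip() for raw in lines.splitlines())):
        ev = parse_line(line)
        if ev["path"] != "/login" or ev["status"] != 401:
            continue
        history = recent.setdefault(ev["src"], [])
        history.append(ev["ts"])
        while history and ev["ts"] - history[0] > window:   # evict stale failures
            history.pop(0)
        if len(history) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "first_failure": history[0],
                "detected_at": ev["ts"],
                "failures": len(history),
                "time_to_detect_s": (ev["ts"] - history[0]).total_seconds(),
            })
    return alerts


def mean_time_to_detect(alerts):
    """MTTD across alerts in seconds, or None when nothing was detected."""
    if not alerts:
        return None
    return sum(a["time_to_detect_s"] for a in alerts) / len(alerts)


if __name__ == "__main__":
    found = detect_bruteforce(LOG_LINES)
    for a in found:
        print(f'{a["src"]}: {a["failures"]} failures, detected after {a["time_to_detect_s"]}s')
    print("MTTD (s):", mean_time_to_detect(found))
```

On the constructed input the detector fires for 203.0.113.9 at the fifth in-window failure, 22 seconds after the first one, and ignores both the single mistyped password from the legitimate user and the stale failure outside the window. Lowering the window or threshold shortens time to detect at the cost of more false positives; that trade-off is what the MTTD figure in a dashboard is measuring.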
Why It Matters
Modern applications are user-friendly, flexible, and scalable. This enables companies to undergo digital transformation and improve productivity, but the complexity of modern applications and their reliance on open-source code expand the attack surface. To help secure them, organizations must take a proactive approach: embed security measures earlier in the development process, use SBOMs to provide transparency, and increase visibility through observability. By doing so, organizations can build secure and optimized applications while keeping the speed and innovation of modern development.