Why Shift-Left Security Isn’t Enough



In the last few years, a rapid industry-wide swing toward automation and virtualization of application infrastructure in cloud and containerized environments has exposed the need to expand DevOps processes to include security operations in the cyclic workflows of the CI/CD pipeline. In many organizations, the response to this need has taken the form of a new conceptual approach to development. This discipline – dubbed DevSecOps – makes security a shared responsibility and shifts many security operations earlier – or left – in the development lifecycle, to stay ahead of the vulnerability bottlenecks that increasingly decentralized environments introduce.

  • Runtime Application Self-Protection (RASP)
  • Web Application Firewalls (WAFs)
  • Container Image Scanning Tools

Limitations of Shift-Left Security in Multi-Cloud Containerized Environments

Shift-left security is a significant improvement on outdated, reactive perimeter-based approaches. Nevertheless, current data showing that effective cloud management and design lag behind fast-growing cloud use suggests that even a hard left shift leaves organizations unprepared for certain inevitabilities of multi-cloud environments.

1. Proliferating Cloud Vulnerabilities

Successfully mitigating vulnerabilities in cloud services – by scanning container images and configuring WAFs – depends largely on the security industry’s ability to stay ahead of newly exposed vulnerabilities. Current trends, however, indicate a widening gap: in the last five years, known cloud vulnerabilities have increased 150%, with year-over-year growth rising every year.

2. Misconfigurations

With 89% of organizations employing multi-cloud strategies – 80% of which involve hybrids of public and private clouds – secure configuration in cloud environments has become an ever steeper slope to climb. Presently, 80% of data breaches trace back to manual misconfigurations and oversights in cloud setups, and – based on current trajectories – human error will continue to account for 99% of cloud environment failures through 2025.

3. Insider Threats

While anticipating every vulnerability and misconfiguration in advance may be unrealistic in practice, the only constraints on doing so are time and resources. In contrast, even theoretically optimal proactive measures cannot account for risks introduced by human activity. With a booming dark-web market for cloud credentials – Remote Desktop Protocol (RDP) credentials in particular – 60% of successful cloud attacks now originate with malicious insider action, a variable no amount of built-in security can constrain.

4. Supply Chain Attacks

We use open source and third-party components throughout our cloud native development, and unfortunately they are not immune to compromise. Furthermore, threat actors have used random wait periods of 10 to 14 days so that a compromised component stays quiet through QA cycles and 'makes it' into production. How can we tell when our third-party libraries and components begin behaving suspiciously, and how do we trace malware back to a package installation from weeks ago?

5. Zero-Day Attacks

We all remember the Log4j zero-day. Each year there seems to be a major zero-day vulnerability that must be addressed immediately, with countless others impacting both commercial and open source components. As the name implies, zero-day attacks are immune to vulnerability scanning until the vulnerability is disclosed and a patch becomes available.

Runtime Security Throughout the Software Development Lifecycle

When preventative measures fail, the only conceivable alternative for securing environments is monitoring at runtime to intercept attacks live as they happen. Traditional security tools cannot deliver the cloud native visibility that such live intervention requires, even in non-distributed environments. Spyderbat, by contrast, offers DevSecOps granular monitoring of all activities within and across cloud and container workloads, regardless of architectural complexity. Because it uses eBPF to record activities at the Linux kernel level, Spyderbat’s ability to secure runtime environments does not depend on code changes, advanced configurations or interpretation of esoteric log messages. Rather, Spyderbat alerts analysts and operators to chains of suspicious activity as they unfold, with automated actions to mitigate threats such as zero-days, supply chain compromise, misconfigurations, and insider threats.
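To make the runtime idea concrete, and to show how a delayed supply-chain activation of the kind described in the section above can still be caught and traced back to the process that spawned it, here is an added Python example. It is illustration code written for this page, not Spyderbat's implementation or output. It assumes a stream of process-exec events of the shape a kernel-level (e.g. eBPF) collector would deliver (timestamp, pid, ppid, executable path, container), classifies binaries with hypothetical allow/deny lists, and runs over constructed sample events rather than a real capture.

```python
"""Added example: process-lineage detection over kernel-style exec events.

Not Spyderbat's code. The event schema, classification lists and sample
data are constructed for this illustration. In real telemetry PIDs are
reused, so a production collector keys processes on (pid, start time) or
an equivalent unique id rather than the bare pid used here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ExecEvent:
    ts: int          # seconds since epoch (constructed values)
    pid: int
    ppid: int
    exe: str         # path of the binary that was executed
    container: str   # container name; "host" for non-containerised processes


# Hypothetical classification lists; tune these to the workloads you run.
SERVICE_BINARIES = {"/usr/local/bin/node", "/usr/bin/java", "/usr/bin/python3"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
NET_TOOLS = {"/usr/bin/curl", "/usr/bin/wget", "/usr/bin/nc"}

DAY = 86_400


class LineageDetector:
    """Consumes exec events in arrival order and flags the chain
    service process -> shell -> network tool inside one container,
    however long the service ran quietly before the shell appeared."""

    def __init__(self) -> None:
        self.by_pid: Dict[int, ExecEvent] = {}

    def lineage(self, pid: int) -> List[ExecEvent]:
        """Ancestor chain for pid, root first (cycle-safe via a seen set)."""
        chain: List[ExecEvent] = []
        seen = set()
        cur = self.by_pid.get(pid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            chain.append(cur)
            cur = self.by_pid.get(cur.ppid)
        chain.reverse()
        return chain

    def observe(self, ev: ExecEvent) -> Optional[dict]:
        """Record the event; return a finding if it completes a suspicious chain."""
        self.by_pid[ev.pid] = ev
        if ev.exe not in NET_TOOLS:
            return None
        chain = self.lineage(ev.pid)
        # Walk root-first: the first service process, then a shell below it;
        # the network tool we just observed is the leaf of the chain.
        service = shell = None
        for e in chain[:-1]:
            if service is None and e.exe in SERVICE_BINARIES:
                service = e
            elif service is not None and e.exe in SHELLS:
                shell = e
                break
        if service is None or shell is None or shell.container != ev.container:
            return None
        return {
            "container": ev.container,
            "chain": [e.exe for e in chain[chain.index(service):]],
            "dormant_days": (shell.ts - service.ts) // DAY,
        }


# Constructed sample telemetry (not a real capture).
SAMPLE_EVENTS = [
    ExecEvent(0, 1, 0, "/sbin/init", "host"),
    ExecEvent(10, 200, 1, "/usr/bin/containerd-shim", "host"),
    # web-frontend: node starts, stays quiet 12 days, then a shell and curl appear
    ExecEvent(20, 300, 200, "/usr/local/bin/node", "web-frontend"),
    ExecEvent(20 + 12 * DAY, 410, 300, "/bin/sh", "web-frontend"),
    ExecEvent(21 + 12 * DAY, 411, 410, "/usr/bin/curl", "web-frontend"),
    # api: node runs git, a benign child that matches no rule
    ExecEvent(30, 500, 200, "/usr/local/bin/node", "api"),
    ExecEvent(40, 510, 500, "/usr/bin/git", "api"),
    # host: cron runs a shell and curl; no service process above it, so no finding
    ExecEvent(50, 600, 1, "/usr/sbin/cron", "host"),
    ExecEvent(60, 610, 600, "/bin/sh", "host"),
    ExecEvent(61, 611, 610, "/usr/bin/curl", "host"),
]


def run_sample(events: Optional[List[ExecEvent]] = None) -> List[dict]:
    """Feed events to the detector in timestamp order and collect findings."""
    det = LineageDetector()
    ordered = sorted(events if events is not None else SAMPLE_EVENTS, key=lambda e: e.ts)
    return [f for f in (det.observe(e) for e in ordered) if f is not None]


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['container']}: {' -> '.join(f['chain'])} (dormant {f['dormant_days']} days)")
```

The rule keys on behaviour (a service process spawning a shell that spawns a network tool) rather than on elapsed time, so a component that waited through QA before activating is flagged the moment it acts, and the recorded lineage points straight back to the service process that spawned it. The same lineage walk is what lets an analyst answer the earlier question of where a suspicious process came from, weeks after the package that introduced it was installed.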

To experience right-shifted runtime security, start a free trial of Spyderbat today.
