Reliability -- especially for APIs -- is growing because our reliance on APIs is growing, while at the same time how we develop software has changed. Modern software stacks are written as a collection of microservices, with each service written in a type-safe language that better guards against low-hanging vulnerabilities. However, it also makes reasoning about how all the services may interact harder and harder. We expect appsec teams to increasingly orient to checking availability, especially on how malicious requests between APIs and microservices may bring down the overall application and business.
You can’t have a secure product if an attacker can make it unreliable. While security has always included the CIA triangle -- confidentiality, integrity, and availability -- security teams have focused most of their effort on the first two. We expect this to change in 2021, with analysts predicting the API testing market to grow to $5.1 billion by 2023. -- Dr. David Brumley, co-founder and CEO, ForAllSecure
The benefits of Infrastructure as Code (IaC) are huge and have accelerated the way we do business by increasing innovation through greater productivity. IaC is a technique that truly embodies the DevOps philosophy.
That said, to date, the security side of IaC has been lacking, if not entirely overlooked. We hear about “shifting security left” but realistically, a true DevSecOps model has not been prioritized, and while many embrace the strategy, many fewer really know how to make the organizational changes to fully realize it.
This means organizations pursuing IaC for innovation and productivity can open themselves up to more cyber risk than they realize, and, in turn, that risk could lead to a large-scale attack. Let’s face it: because IaC can have a huge impact, given the power of the automation behind it, bugs in code—and in IaC configuration files in this case—happen, and can also have an outsized impact.
Those unidentified or subtle bugs often occur when things are assembled from multiple developers or operations teams. Your CI/CD pipeline constructing the pieces of that puzzle can create infrastructure containing potentially exploitable misconfigurations or vulnerabilities. These issues will manifest in the gaps where nobody is looking, in the one piece that is missing, or in the one piece that doesn’t fit well with the others. Individual pieces of IaC may pass security tests, but the assembly of all those pieces may not. Naturally, the repercussions are vast.
This will mean a true shift left: both demanding more of a CI/CD focus from security teams and insistence that security considerations become a real part of the CI/CD pipeline. We’ll also see a greater focus on tools that let developers see and fix configuration issues directly in code. -- PJ Kirner, co-founder and CTO, Illumio
Brands will have to ensure that processes are managed properly across disparate systems and that data -- and especially content -- is secure end-to-end. Enterprises will add integration considerations to every RFP, and products that don't integrate will lose to products that do this well. -- Nishant Patel, co-founder and CTO, Contentstack