A decade ago, Silicon Valley venture capitalist Marc Andreeson famously declared that “software is eating the world.”
A bold statement at the time. But it has since become clear that Andreeson was right. Software is now ubiquitous – and it touches nearly every aspect of our lives.
Today’s shift to software has had a profound impact on the way we develop and deploy applications. In the past, apps were typically monolithic, all-in-one solutions that were hosted on-premises. Thankfully, these traditional approaches have largely been left behind.
Now, we’re in an era of user-friendly, flexible, and scalable applications that can be deployed at speed. This enables businesses to undergo digital transformation and allows employees to be more innovative, efficient, and productive.
While organisations across industries are welcoming this new-found agility with open arms, it’s not all smooth sailing.
The challenges of securing modern applications
Modern applications are often made up of multiple microservices, each of which is responsible for a specific function. Typically, they are decentralized across multiple platforms.
However, this can create a challenge for users in comprehending and visualisng the complete application. Moreover, the deployment of containers has the potential to complicate the security landscape, given that containers might unintentionally be relocated to less secure environments in a matter of seconds.
The nature of these complex and spread-out modern applications not only increases the attack surface but also reduces visibility – which causes issues of its own. Microservices are more secure than a monolithic environment, but if attackers can compromise a single microservice, they may still be able to gain access to the entire application. If these security incidents can’t be seen, it is nearly impossible to identify, respond to, and even prevent them.
Then there’s the challenges brought by open-source. Used in nearly every modern application, open-source code can be a valuable resource for developers. But research has found that in 84% of commercial code bases, there is at least one vulnerability. And one vulnerability is all that an attacker needs to wreak havoc.
The security challenges of modern applications are real, but they are not insurmountable. Instead of returning to monolithic legacy software, organisations can embrace modern application development while ensuring security by taking three steps:
1) Increase visibility into complex IT environments through observability
Let’s look at a familiar scenario. Back in the day, when we bought a new car, it’s road-safe and ready to drive. Over time, no matter how many tests have been done, the check engine light inevitably appears. At this point, most people bring the car to a mechanic, the first step in a potentially slow and frustrating process. Identifying the problem, finding a solution, and providing a cost estimate could take days.
Nowadays, there’s software in cars collecting telemetry data, metrics, and error messages. The mechanic can identify the root cause within seconds after connecting to the car.
Similarly, modern IT environments can benefit tremendously from increased visibility, coupled with instructions on how to fix any flagged issues. This is where observability comes in.
Observability solutions provide real-time visibility, which is essential for the secure development of modern applications. Having a clear view of their entire infrastructure enables IT teams to quickly identify and resolve security issues before they develop into significant problems.
2) Build security in with the shift left
Let’s continue the car engineer analogy. Before dedicating time to building a car, every element is rigorously tested to ensure it can operate safely. The same should be true when developing an application. And this is what is known as the “shift left.”
Traditionally, security checks occur in the ‘testing phase’, which occurs post build. But at this stage any issue is already programmed into the device, meaning DevOps teams have to work retroactively. This significantly slows down the process and inhibits a thorough application review.
Implementing the shift left improves the development process by embedding security measures sooner. This enables DevOps teams to identify vulnerabilities during development – rather than after the project is completed.
End users expect their experience to be pleasant and fruitful. Or to put it another way safe and reliable. Developers should ensure that each element of an application runs correctly, and safely. DevOps teams can streamline this process by having security at the forefront of their development process. This will allow them to deliver safe and reliable products.
3) Be transparent by utilizing a software bill of materials
Now, more than ever, the technology industry needs to be transparent. It’s a turbulent time where sophisticated cyberattacks are being led by nation-states. The results of such a cyberattack can be catastrophic. Being forthcoming about the threats and vulnerabilities being faced is key to strengthening the security of our shared cyberinfrastructure.
Multiple government agencies are actively working to achieve collaboration. So far, it’s been instrumental in increasing cyber threat consciousness – but this must be taken much further.
Application developers should share a similar level of candidness by clearly communicating what the make-up of their product is. There are lots of ways to do this, but the best approach is a software bill of materials (SBOM) outlining each component of an application.
An SBOM provides a clear view of the software supply chain, helping developers identify and address vulnerabilities. For example, if a new vulnerability were to be discovered in an open-source library, an SBOM helps to pinpoint the affected applications and prompt the appropriate teams to take action. Knowing what materials are going into development also helps predict the final product’s functionality, as process developers can identify points of concern from the beginning.
Ultimately, the shift to modern applications brings a host of benefits. Any vulnerabilities increase the risk of a security breach, which can cause significant fiscal and reputational damage for companies – something to be avoided at all costs.
Nevertheless, these challenges and vulnerabilities can be overcome. By following the outlined steps, organisations can achieve a harmonious coexistence between embracing new technology, reaping its benefits, and upholding utmost security.
About the Author
Sascha Giese is Tech Evangelist at SolarWinds. SolarWinds began with two IT professionals trying to solve complex problems in the simplest way. Today, we still take pride in developing deep, real-world understanding of the challenges our customers face. That’s how we deliver intuitive, time-saving solutions and speed-to-value like nobody else.
