Presented by Apiiro
Cloud-native apps have unique security vulnerabilities, requiring specialized knowledge and resources to address them. Learn about the challenges associated with cloud native computing, ways to identify and address potential issues, and more in this VB On-Demand event.
Access on demand here!
Anheuser-Busch InBev SA/NV (AB InBev) goes cloud-native. Every workload the company develops today is focused on leveraging the resources and computing power of the cloud.
“With more applications and more developers, the time will come when we will produce more lines of code than hectoliters of beer,” said Alex Mor, the company’s VP of security research. “Every digital leader in the organization has ideas and we want to make them come true. The cloud gives us the ability to do things in real time, starting from an assumption, gradually correcting and super-fast release, many times a day, with more developers, more ideas, more digital.”
But going cloud native also comes with security risks – the cloud is not secure by design or by default. It has completely changed the way applications, environments, microservices and APIs are secured. The beauty of cloud-native and a good CI/CD process is that when you discover a vulnerability and how to fix it, you fix the code, patch it and deploy it in no time.
Returning to the zero-trust model
But vulnerabilities will occur in almost any application you touch. Now that you’re using someone else’s cloud, you’re introducing a supply chain, dependencies, containers, and Kubernetes systems. How do you secure your release pipelines so that, from the moment your applications are developed all the way to the Kubernetes container, you know nothing has changed?
You need to go back to the zero-trust model, especially in developer environments, because the main way to affect an application’s security is to go straight to the source.
“In a sense, the developer has the keys to the kingdom in his workstation, because it’s all interconnected,” Mor says. “You have to go to the developer and teach them about the risks of the cloud, about secure defaults, about dropping capabilities, and dropping everything you don’t need.”
And that’s one of the biggest risks they run, says Mor. The cloud puts so many features at your fingertips, it can be hard to remember to turn off the features you don’t use. If you don’t use SFTP or the debugger, disable it and reduce the attack surface.
Hardening the environment
Mor’s team also implements a standard application security program, starting with understanding what the application is going to do, what information is stored there, who has access to the application and how users are authenticated, and so on. They go through the standard application security assessment, code assessment, testing, monitoring, and so on, and then go one step further, bringing the idea of zero trust and defense to the forefront.
“Trust no one. Suppose you have been violated and deny access by design, and always check the privileges,” he says.
There are also measures such as implementing image signing and hardening Kubernetes and databases – you don’t have to maintain the metal, but you still have to update it, strengthen it, protect it, secure it.
“Understanding and analyzing every technology we use, and then understanding the security features we need to implement to defend that, is the strategy we need to follow to mitigate the impact of the explosion,” he says.
Building security buy-in across the organization
It’s hard to find ROI in security, and it can be hard to convince the C-suite that security isn’t free, but something that should be built into an organization’s must-have list.
“We do secure coding and training and penetration testing and scanning, and we need to invest in that, just as we need to invest in technical tools to measure quality,” says Mor. “For me, every C-suite, every senior business manager in the organization, they think about security once a day, during their busy routine. We try to fix that for them every now and then so they understand that security is now an issue for everyone.”
Mor has the privilege of interacting with the C-suite on a quarterly basis, showing them what his team is doing, what is working, and where they need the decision makers to intervene. He challenges them to find ways to reach every new vendor, and every new person who enters code, and implement secure code training from scratch. That could be monitoring, mentoring, assigning a technical or security rating for pull requests, and so on.
The most important thing, he says, is to ask the C-suite for advice and involve them in the process so that the necessary security mandates come from above and are more likely to be implemented as firmly as needed.
Key learning points
The most important thing for IT leaders to remember is that cloud native apps don’t equate to cloud native security, Mor says, so it’s important to stay on top of all the potential threats out there. You could even look at the OWASP Top 10 Security Risks report for cloud native applications and build a multi-year plan around every risk you see there.
“There are so many that we need to protect ourselves from. We like to say that the attackers see us. They see through us. They can do whatever they want. They’re just waiting for the right moment,” he says. “Develop a quarterly, 30, 60, 90 day plan. What am I going to tackle in Q1? What problem or gap do I want to reduce? What risk do I want to reduce? Build up more and more layers along the way.”
Join this VB On-Demand event now to learn more about the security risks inherent in the cloud, how to develop your security plans to stay ahead of ever-changing attacks, and more.
What you’ll learn:
Identify and enable security champions
Build and scale a risk-based AppSec program
Find and remediate secrets in code and IaC misconfigurations
Effectively prioritize risk across the SDLC
Find the root cause and identify the relevant developer
Alex Mor, Global Director of Application Security, AB-InBev
Moshe Zioni, VP Security Research, Apiiro
Kyle Alspach, Staff Writer, VentureBeat (moderator)