Fortifying your engineering ecosystem: The three pillars of application security

The engineering ecosystem has undergone a massive paradigm shift – more languages, more frameworks, and minimal technical or procedural barriers to adopt new technologies or implement third-party tools and frameworks. This comes as organizations are racing to ship software as quickly as possible to deliver new features and cloud applications to remain competitive.

To speed up development and deployment, many organizations have turned to continuous integration and continuous delivery (CI/CD) solutions for more automated and agile software testing, building, and deploying processes. This shift has brought unprecedented velocity, flexibility, and agility to engineering with 77% of organizations now deploying new or updated code to production weekly, and 38% committing new code daily.

Speed is great, but not when it comes at the expense of security. Bad actors are quickly recognizing the engineering ecosystem as a threat vector that is both easy to target and ripe for exploitation – often ensuing significant and lucrative results. The infamous Solar Winds attack occurred because a build system was exploited, and malware was spread to 18,000 clients. In another recent example, cybercriminals successfully infiltrated and disrupted CircleCI, a leading CI/CD platform storing highly confidential client secrets and tokens. These incidents underscore how a single unsecure element in an engineering environment can result in detrimental consequences at scale.

The engineering ecosystem is often overlooked as security teams tend to focus more on reducing runtime misconfigurations and vulnerabilities rather than addressing vulnerabilities across the entire attack surface. This new reality and rising attacks requires us to think differently about application security – the overarching security umbrella over the engineering ecosystem. The traditional AppSec challenge of preventing security flaws and misconfigurations from reaching production is much more complex. In parallel, there is a completely new breed of risks and threats focused on abusing security flaws in the different systems and processes across the software delivery chain, all the way from code to deployment.

Developing the Foundation for an Effective Application Security Program

An effective application security program for the modern engineering ecosystem can be broken down into three disciplines:

1. Security in the Pipeline (SIP)

SIP targets the code and artifacts flowing through the pipeline, en route to production, and aims to prevent security flaws and misconfigurations from reaching production environments. In SIP, we are required to continuously identify all development languages and frameworks in use across an organization’s entire codebase and ensure we have the appropriate scanners and engines bespoke to those languages and framework woven into the development process in the most frictionless way possible. This ensures new issues aren’t introduced into the codebase, and that existing issues are gradually eradicated.

2. Security of the Pipeline (SOP)

SOP focuses on the security posture of each and every individual system within the software delivery chain – from code to deployment – as well as the interconnectivity between these systems and the third parties they use (the software supply chain). SOP is based on the understanding that the engineering ecosystem has become a lucrative target for adversaries, who have realized that engineering ecosystems provide a highly effective way to execute malicious code in sensitive environments, and gain access to highly critical secrets and tokens. In SOP, rather than focusing on the code and artifacts flowing through the software delivery chain, as we do in SIP, the focus is on the security controls and measures around the delivery chain itself.

3. Security Around the Pipeline (SAP)

SAP is designed to ensure the integrity of the software delivery chain and apply the appropriate controls to prevent anyone, both humans and applications, from bypassing it. The reality is that achieving optimal SIP and SOP is only partially effective if an attacker can push code directly to production or deploy a malicious container directly to K8s. To achieve effective SAP, we must be able to answer 2 main questions:

• Is everything that is running in production originating from the software delivery chain? Did everything undergo all the appropriate checks and controls?
• Are all the appropriate visibility and posture controls in place to ensure that the software delivery chain cannot be bypassed?

Effective application security now extends far beyond the traditional scope of code scanning and must reflect the modern engineering environment. SIP, SOP, and SAP center around supporting the speed of engineering without compromising on risk and security management. By focusing on these three disciplines, organizations can guide their security and developer teams to build modern, secure, and scalable engineering ecosystems in the cloud.

Learn about the top 10 CI/CD security risks and what practical actions you can take to secure the engineering ecosystem.

Palo Alto Networks

Daniel Krivelevich is a cybersecurity expert and problem solver, enterprise security veteran with a strong orientation to application & cloud security. After an extensive service in Israel’s Unit 8200, Daniel held multiple positions in the AppSec domain spanning across offensive, defensive and consulting positions. After having led Application Security and Cloud Security with Israeli IR firm Sygnia for four years, working with 100+ enterprises on optimizing Cyber resilience, Daniel co-founded Cider Security as the company’s CTO, leading the company’s product and technology all the way from inception to acquisition by Palo Alto Networks. Today, Daniel serves as CTO of AppSec for Palo Alto Networks.