Presented by Apiiro
Cloud-native apps have unique security risks, which can take specialized knowledge and resources to remediate. Learn about the challenges that come with cloud-native computing, ways to identify and address potential issues and more in this VB On-Demand event.
Anheuser-Busch InBev SA/NV (AB InBev) is going cloud-native. Every workload the company develops today is focused on leveraging the resources and the compute power of the cloud.
“With more and more applications, more and more developers coming in, the time is coming when we’re going to produce more lines of code than hectoliters of beer,” says Alex Mor, the company’s VP of security research. “Every digital leader in the organization has ideas, and we want to make them happen. The cloud brings us the ability to do things in real time, starting from an assumption, correcting along the way, and releasing at super speed, many times a day, with more developers, more ideas, more digital.”
But going cloud native also brings security risks – the cloud is not secure by default or design. It has completely transformed the way applications, environments, micro-services, and APIs are secured. The beauty of cloud native and a good CI/CD process is that when you uncover a vulnerability and how to remedy it, you fix the code, patch it, and it’s implemented in a snap.
Returning to the zero-trust model
But the vulnerabilities will occur in almost every application you touch. Now that you’re using someone else’s cloud, you’re introducing a supply chain, dependencies, containers, and Kubernetes systems. How do you secure your release pipelines so that your applications go from when they’re developed all the way to the Kubernetes container, and you know that nothing has changed?
It takes going back to the zero-trust model — especially in developer environments. Because the main way of influencing the security of an application is going right to the source.
“In a way, the developer has the keys to the kingdom in their workstation, because it’s all connected,” Mor says. “You need to go to the developer and teach them about the risks of the cloud, about doing secure defaults, about dropping capabilities, and dropping whatever you don’t need.”
And that is one of the biggest risks they encounter, Mor says. The cloud brings so many features right to your fingertips, it can be difficult to remember to simply switch off the ones you’re not using. If you’re not using SFTP or the debugger, turn it off, and make the attack surface smaller.
Hardening the environment
Mor’s team also implements a standard application security program, starting with understanding what the application is going to do, what information will be stored there, who will access the application, and how users are going to be authenticated and so on. They’ll go through the standard application security review, code review, testing, monitoring, and etc., and then go the extra mile, making the idea of zero trust and defense front and center.
“Don’t trust anyone. Assume you are breached and deny access by design, and always check privileges,” he says.
There are also things like implementing image signing, and Kubernetes and database hardening — you don’t need to maintain the metal, but you have to update it, harden it, protect it, secure it.
“Understanding and analyzing every technology we’re using, and then understanding the security features that we have to implement to defend that, is the strategy we have to take to limit the blast impact,” he says.
Building security buy-in across the organization
It’s hard to find the ROI in security, and it can be hard to convince the C-suite that security is not free, but something that needs to be built into an organization’s list of must-haves.
“We do secure coding and training and penetration testing and scanning, and we have to invest in that, just like we have to invest in engineering tools to measure quality,” Mor says. “For me, every C-suite, every senior business manager in the organization, they think security once a day, throughout their busy routine. We try to bump that up for them once in a while, so they understand that security is now everyone’s problem.”
Mor has the privilege of connecting quarterly with the C-suite, to show them what his team is doing, what’s working, and where they need the decision-makers to step in. He challenges them to find ways to reach every new vendor, and every new person committing code, and implement secure code training from the start. That could include monitoring, mentoring, assigning a technical or security review for pull requests, and so on.
Most importantly, he says, is to ask the C-suite their advice and involve them in the process, so that necessary security mandates come from the top down and are more likely to be implemented as firmly as necessary.
The most important thing for IT leaders to remember is again, cloud native apps don’t equal cloud native security, Mor says, so it’s important to stay on top of all the potential threats out there. You might even look at the OSWASP Top 10 Security Risks report for cloud native applications and build a multi-year plan around every risk that you see there.
“There are so many that we have to protect against. We like to say that the attackers see us. They see through us. They can do whatever they want. They’re just waiting for the right time,” he says. “Derive a quarterly, 30-, 60-, 90-day plan. What am I going to tackle in Q1? What problem or what gap do I want to reduce? What risk do I want to reduce? Build more and more layers as you go.”
To learn more about the security risks inherent in the cloud, how to develop your security plans to stay ahead of ever-evolving attacks and more, access this VB On-Demand event now.
What you’ll learn:
- Identifying and enabling security champions
- Building and scaling a risk-based AppSec program
- Finding and remediating secrets in code and IaC misconfigurations
- Prioritizing risks effectively across the entire SDLC
- Finding the root cause and identifying the relevant developer
- Alex Mor, Global Director of Application Security, AB-InBev
- Moshe Zioni, VP of Security Research, Apiiro
- Kyle Alspach, Staff Writer, VentureBeat (moderator)