If ever there was a multi-faceted problem in IT, cybersecurity is it. Networks, endpoints, passwords, physical machines—for any semblance of real protection, they all need to be secured against an ever-evolving population of attackers. And let's not forget about applications, which have become an increasingly popular attack vector as software development gets more complex and opens up a greater attack surface.
In this episode of Cloud Native in 15 Minutes, Guy Podjarny—co-founder and president of security startup Snyk; former CTO of Akamai; and co-host of The Secure Developer podcast—delivers some serious knowledge on the state of application security, especially as it relates to what he calls "security hygiene at scale" and operating at the speed of today without slowing down. Essentially, he explains how the numerous components (often open source) that comprise modern applications, and the speed at which new code is deployed, present new challenges that many organizations have yet to catch up with. Apart from advice on dealing with those issues at a software level, Podjarny also explains how organizations can restructure their teams to more effectively address security at all levels.
The whole episode is very informative, but here are a couple of excerpts where Podjarny details the gist of the situation, as well as the specific issues that open source software presents.
Development never stops
“Open source is a component of DevOps, if you will, and a whole stack of changes that really transformed the way software is developed. It’s developed faster—… the path from writing a line of code to deploying it is much, much faster—and it is continuous. It doesn’t stop. From CI/CD to myriad other technologies, including open source components and including containers, it just became continuous.
“That really rocks the boat for security, because security’s natural motion has been to work through gates—it’s, ’You stop here, and you will audit.’ So as software becomes fluid, becomes continuous, the opportunity to do those stops and to audit goes away, and that changes the world of security to need to embed itself more into the pipelines, into that continuous process.”
Open source risks are about prevalence and people
“Definitely open source is not less secure, nor more secure, than closed source code. Nor is a DevOps methodology or a continuous pipeline more or less secure than a different approach. They just have different properties. Specifically, I do come back to people.
“When you think about open source, for instance, it does two things. One is prevalence. Because open source is there, because you don’t want to reinvent the wheel, then you go off, you have a piece of code that is very, very useful and everybody embraces it. So it’s not that that piece of code—OpenSSL or Bash or the Docker Engine or whatever it is—is more or less secure, it’s just that it’s amazingly prevalent—far more so than any commercial software.
“So when a vulnerability does get found in one of those components, it has a whole world of victims available to it. So its implication on the entire internet ecosystem could be seismic, could be far more substantial than commercial software. In that sense … its security is more important.”
…
“The other, and maybe very people-oriented aspect of open source, is one of ownership. It has to do with the fact that an organization that uses open source is getting a piece of value for free, but they’re downloading it from the internet and their use of it is at their responsibility. So organizations need to build a new muscle, they need to understand how do they use this software they did not write and take ownership of securing it, even though it’s not their developers that wrote it.”
Cloud Native in 15 Minutes publishes bi-weekly, and you can find it on most of your favorite podcast apps and platforms.