Learn how the Seeker and Red Hat integration helps deliver security and speed of software development for container-based apps.
Security and speed in software development are not mutually exclusive. Red Hat, the open source software giant, and the Synopsys Software Integrity Group are joining forces to prove it.
Synopsys is bringing Seeker®, its automated interactive application security testing (IAST) tool, to Red Hat application runtimes like JBoss EAP, OpenJDK, and WebSphere with OpenShift Container Platform to secure a variety of software applications.
As Gautam Baghel, research and development engineer with the Synopsys Software Integrity Group, puts it, “the core idea is that you get a better sense of security when you verify your application with Seeker while hosting it on a robust web framework from Red Hat JBoss or any of the other Red Hat Runtimes. The two are better together than they are separately.”
An IAST tool can help application security keep up with the exponential increase in the speed of software development for container-based applications. Seeker’s strength is that it can serve a multitude of applications, whether they are microservices-based, cloud-based, or standard architecture. Application and security deployment can be fully automated, container-based, or manual.
“Instead of the huge monolithic applications of the past,” Baghel said, “the industry is moving toward microservices-based applications, with smaller components handling isolated requests. This is due to the need to go faster and scale better.”
“The advantage of containers is that you can have the entire application scale up really quickly, in a fraction of the traditional time, depending on the resources you have,” he said. “You can also scale a lot. You can easily increase the capacity of an application to have a thousand container replicas, as opposed to a virtual machine where scaling could be challenging, with underutilized resources as well.”
Indeed, speed is essentially the “coin of the realm” in modern software development, as documented in the latest “Building Security In Maturity Model” (BSIMM), the annual report by Synopsys.
Development teams are moving to use security testing tools that keep up with them. Among the BSIMM’s key findings is this message from developers: “We’d love to have security in our value streams if you don’t slow us down.” That’s what Seeker does.
“Seeker IAST is based on instrumentation agents, much like application performance monitoring tools. It has access to the application code, HTTP requests, and runtime values. This information richness provides it with unparalleled analysis speed and accuracy,” Baghel said. “Those lightweight Seeker agents can then be easily deployed together with the application containers onto the testing environments.”
Seeker agents are written and configured to work with whatever language and framework the application uses. “For example, if you’re using enterprise Java to create your application, agents are available for Java frameworks like Red Hat JBoss EAP, JBoss Web Server, and Red Hat OpenJDK. It also supports open source frameworks like Tomcat and GlassFish. The agents employ code instrumentation techniques inside a running application to scale and address large enterprise requirements,” Baghel said.
The Seeker agent is not complicated, which adds to its value. “What it’s doing is quite simple. It’s not supposed to be complicated,” Baghel said. “It’s intercepting requests that are coming in and going out from different pieces of the application. And based on those requests flowing through the application, it can quickly find vulnerabilities in software.”
Simplicity doesn’t mean ineffective, however. The Seeker agent offers multiple advantages to developers focused on speed:
“Seeker has in-depth visibility into the application because it’s running with the application and can intercept requests. When it finds a vulnerability or a sensitive data leak, it knows the exact location of the line of code in your application and suggests ways to fix it. This is a great feature for developers who want to fix issues quickly and have a faster delivery cycle,” Baghel said.
Finally, Baghel points out that with a microservices-based architecture, Seeker has dataflow visibility. “If you have multiple containers communicating with each other, you can visualize if any of them are passing malicious or insecure data. If unsafe data is being passed between the browser and databases, or within the application, you’ll be able to identify and rectify that easily.”
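To make the mechanism Baghel describes concrete, here is an added illustration written for this article; it is not Seeker's code, and every name in it (`Tainted`, `intercept_request`, `monitor_sink`, `execute_sql`, the two handlers) is a constructed stand-in. It shows the three ideas above in miniature: the instrumentation hook intercepts inbound request parameters and tags them as untrusted, the tag follows the data as it flows through the application code, and when tagged data reaches a sensitive sink the monitor records the exact function and line that called it.

```python
"""
Toy IAST-style monitor (constructed example, not Seeker's implementation).
It intercepts inbound request parameters, tags them as tainted, propagates the
tag through string concatenation, and reports when tainted data reaches a
sensitive sink together with the application code location that called it.
"""
import sys
from dataclasses import dataclass


class Tainted(str):
    """A str that remembers it came from an untrusted request parameter."""

    def __new__(cls, value, source="request"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Concatenating tainted input with anything keeps the taint (either side).
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)


@dataclass
class Finding:
    sink: str       # which sensitive API was reached
    source: str     # which request parameter the data came from
    function: str   # application function that called the sink
    line: int       # line number in that function
    value: str      # the value that reached the sink


FINDINGS = []


def intercept_request(handler):
    """Stand-in for the agent hooking the HTTP entry point: every inbound
    parameter is wrapped as Tainted before the application code sees it."""
    def wrapped(params):
        tainted = {k: Tainted(v, source=f"param:{k}") for k, v in params.items()}
        return handler(tainted)
    return wrapped


def monitor_sink(sink_name):
    """Stand-in for instrumenting a sensitive API. The first positional
    argument is the query text; if it is tainted, record where in the
    application the sink was called. Bound parameters are not query text."""
    def decorate(fn):
        def wrapped(*args):
            query = args[0]
            if isinstance(query, Tainted):
                frame = sys._getframe(1)  # the application frame that called us
                FINDINGS.append(Finding(sink_name, query.source,
                                        frame.f_code.co_name, frame.f_lineno,
                                        str(query)))
            return fn(*args)
        return wrapped
    return decorate


@monitor_sink("sql.execute")
def execute_sql(query, parameters=()):
    """Pretend database call: returns what would have been sent to the DB."""
    return query, tuple(parameters)


@intercept_request
def vulnerable_handler(params):
    # Untrusted input concatenated straight into the query string.
    return execute_sql("SELECT * FROM users WHERE name = '" + params["name"] + "'")


@intercept_request
def safe_handler(params):
    # Input travels as a bound parameter and never enters the query text.
    return execute_sql("SELECT * FROM users WHERE name = ?", (params["name"],))


def scan(handler, params):
    """Run one request through an instrumented handler; return its findings."""
    start = len(FINDINGS)
    handler(params)
    return FINDINGS[start:]


if __name__ == "__main__":
    # Constructed sample requests: the same benign value through both handlers.
    for hit in scan(vulnerable_handler, {"name": "alice"}):
        print(f"{hit.sink}: {hit.source} reached sink in "
              f"{hit.function}() line {hit.line}: {hit.value!r}")
    print("safe handler findings:", scan(safe_handler, {"name": "alice"}))
```

The point of the two handlers is that the monitor does not guess from the request: it only reports when a tagged value actually arrives at the sink, so the parameterized handler produces no finding while the concatenating one is reported with the exact function and line, which is the "knows the exact location of the line of code" behaviour the article attributes to the agent.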
The bottom line? “If you’re using Red Hat JBoss in standalone fashion or with OpenShift, you get a secure infrastructure to boost your application, but your application itself is still vulnerable. Get the safety and security of your application from Seeker,” Baghel said.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.