Securing cloud-native applications and APIs without slowing down the business

Securing cloud-native applications requires sophisticated tools. Find out why Synopsys scores highest for cloud-native application use cases in the latest Gartner report.


Cloud-native development models have become mainstream in recent years, and technologies such as microservices, serverless computing, containers, APIs, and infrastructure-as-code (IaC) are at the forefront of this trend. These new technologies enable organizations to rapidly build and run applications in distributed environments without relying on physical hardware infrastructure. This flexibility saves time and money across the software development lifecycle (SDLC), but comes with a security cost.

Security Concerns for Cloud-Native Applications

Securing cloud-native applications requires a thorough understanding of the interfaces that microservices expose to their various consumers, together with appropriate measures such as securely configuring and running container images. In recent years, organizations developing their own cloud-native applications have faced a variety of security incidents, including insecure API usage, source code vulnerabilities, and compromised account credentials.

There are two key concerns when deploying and managing cloud-based applications: expanding attack surface and increasing complexity. Accelerating the spin-up of cloud-native (serverless or container-based) workloads expands the attack surface exposure and potential attack vectors for all functions, APIs, and protocols of cloud-native applications. An ESG study of recent security incidents found that poor security when using APIs is the primary reason cloud-native application stacks are vulnerable to attack.

Cloud-native architectures complicate security governance and controls by requiring organizations to consider a variety of permission, authentication, and access management issues. The more IaC is used in development, the more likely it is that an IaC template will be misconfigured through a coding mistake. Misconfigurations that lead to critical data breaches or unauthorized access to apps or sensitive data are often not detected until late in the development cycle. This makes administration more difficult and time consuming.

Traditional application security tools can’t keep up

Traditional application security testing (AST) tools were not designed for cloud-native applications and lack the coverage, speed, and accuracy to meet the requirements of modern applications. Most API and serverless function calls are triggered by events, and some functions expose no endpoint or URL at all, so traditional AST tools have lower visibility into modern application development and deployment architectures. While static scanning is sometimes touted as the best option for cloud and serverless applications, in reality scanning code with zero context is not an effective AST solution.

A staggering 70% of teams use static application security testing (SAST) tools in development, along with web application firewalls (WAF) and application monitoring tools. The report also shows a growing trend toward using newer tools such as API security testing, IaC scanning, and interactive application security testing (IAST) during the development and testing phases of the SDLC.

Effective API security is not just about protecting and blocking vulnerable APIs with web firewalls and monitoring tools. API-based applications should be treated and managed with their own complete development lifecycle. Like the software application development lifecycle, the API lifecycle goes through upfront planning and design. Proper API design, with API policies embedded in the organization’s overall business risk and business continuity program, is required.

Organizations should also perform internal housekeeping and create an inventory of all API-based applications that can be used for risk assessment, classification, and quality control purposes. The ultimate goal is to focus on the API-based applications that pose the greatest risk, since time and expert resources are constrained.

Continuous testing and validation is a must

The next step is the most important and most often missing link in API security today. Effective API security practices must incorporate real-time, continuous testing and verification of vulnerabilities in APIs (including custom, open source, and public APIs). For example, it is not enough to have an API tool that can detect all APIs in each application and configure the firewall to allow access only to APIs that comply with defined risk policies. A good API strategy extends API discovery to incorporate dynamic testing, validation, and triage that run continuously, both at runtime and when the application is integrated with other open source and third-party codebases and APIs.

This is the key to an effective API security strategy. You need the ability to quickly identify, proactively test, and remediate the applications rated highest risk, by defining security policies and an API risk taxonomy before moving to production release. An API risk classification system can apply criteria such as the exposure of the application (internal- or external-facing), the type of information the application processes (e.g. PII or PCI DSS-regulated payment information), the size of the records the application manages (which can reach thousands to millions of bytes), the cost of a data breach, disaster recovery, or business continuity impact, and other factors.
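To make the risk taxonomy concrete, here is an added example (not Synopsys code) that scores an API inventory against the criteria listed above and applies a release gate; the criteria weights, thresholds, bucket boundaries, and inventory entries are constructed assumptions.

```python
"""Added example: a minimal API risk taxonomy and pre-release policy gate.
Weights, thresholds and the inventory are constructed assumptions."""
from dataclasses import dataclass

# Constructed weights per criterion (assumption; tune per organization).
EXPOSURE = {"internal": 1, "partner": 2, "external": 3}
DATA_CLASS = {"public": 0, "internal": 1, "pii": 3, "payment": 4}


@dataclass
class ApiAsset:
    name: str
    exposure: str          # internal / partner / external
    data_class: str        # public / internal / pii / payment
    record_count: int      # records reachable through the API
    impact_cost_usd: int   # estimated breach / DR / continuity cost
    tested: bool           # dynamic testing done in the current cycle?


def risk_score(a: ApiAsset) -> int:
    """Combine the taxonomy criteria into one comparable score."""
    # Volume and cost are bucketed so a single huge value cannot dominate.
    volume = 1 if a.record_count < 10_000 else 2 if a.record_count < 1_000_000 else 3
    cost = 1 if a.impact_cost_usd < 100_000 else 2 if a.impact_cost_usd < 1_000_000 else 3
    return EXPOSURE[a.exposure] * DATA_CLASS[a.data_class] + volume + cost


def prioritize(assets):
    """Highest risk first, so scarce testing time goes where it matters."""
    return sorted(assets, key=risk_score, reverse=True)


def release_gate(assets, threshold=10):
    """Policy: any API at or above the threshold must have been tested
    before release. Returns the names that block the release."""
    return [a.name for a in assets if risk_score(a) >= threshold and not a.tested]


# Constructed inventory for illustration.
INVENTORY = [
    ApiAsset("payments", "external", "payment", 5_000_000, 2_000_000, False),
    ApiAsset("profile", "external", "pii", 200_000, 300_000, True),
    ApiAsset("status", "external", "public", 0, 1_000, False),
    ApiAsset("reporting", "internal", "internal", 50_000, 20_000, False),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:10} score={risk_score(a)}")
    print("release blocked by:", release_gate(INVENTORY))
```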

In addition to SAST and WAF, organizations are adopting AST solutions such as software composition analysis (SCA), IAST, and API testing, according to Gartner’s latest cloud-native research. Modern application security testing solutions such as IAST do not require additional scanning, triage, or validation, which eliminates extra time and testing cycles in a continuous pipeline, enables security in a DevOps environment, and reduces the burden of running tests.

How Synopsys Helps Secure Cloud-Native Applications

Advanced IAST tools such as Synopsys’ Seeker® have unique capabilities that help improve the security of cloud-native applications. Seeker discovers, tests, and validates all incoming and outgoing API calls, whether they are API calls declared by the app or untested callable APIs. It can also track and test popular serverless functions such as AWS Lambda and Azure Functions without adding scanning cycles and friction to the continuous pipeline.

All the work is done autonomously in the background by the tool while the team runs its normal development and QA testing workload. DevOps and security teams can visualize information with highly interactive maps showing all critical and sensitive data flows, including vulnerable paths and potential sensitive data leaks. Development teams can get real-time information such as stack traces, detailed lines of code, and remediation guidance.

Seeker IAST does not rely on OpenAPI or Swagger files, unlike traditional dynamic scanners that require API specifications to perform security tests. Seeker can use an instrumentation agent to discover all callable APIs and generate OpenAPI documentation based on Postman or HAR files. It can also track and discover all application requests/responses using traditional payloads such as JSON, XML, or new format payloads such as GraphQL, gRPC, Kafka. You can also get a catalog of all endpoint calls, including untested callable APIs and URLs.
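The discovery step described above, turning captured traffic into a catalog of endpoints and payload formats, as an added example that is not Seeker’s code: it reads a constructed HAR excerpt, collapses ID-like path segments into one endpoint template, and classifies each request body; the path-normalization rules and the GraphQL heuristic are assumptions.

```python
"""Added example: build an endpoint catalog from a HAR capture.
The HAR content is constructed; normalization rules are assumptions."""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed HAR excerpt containing only the fields this example reads.
HAR_TEXT = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/users/42"}},
    {"request": {"method": "GET", "url": "https://api.example.test/users/7?x=1"}},
    {"request": {"method": "POST", "url": "https://api.example.test/graphql",
                 "postData": {"mimeType": "application/json",
                              "text": '{"query":"{ users { id } }"}'}}},
    {"request": {"method": "POST", "url": "https://api.example.test/orders",
                 "postData": {"mimeType": "application/xml", "text": "<order/>"}}},
]}})

# Assumption: numeric and UUID-shaped segments are resource identifiers.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.I)


def template_path(path: str) -> str:
    """Collapse ID segments so /users/42 and /users/7 become one endpoint."""
    return "/" + "/".join("{id}" if ID_SEGMENT.match(s) else s
                          for s in path.strip("/").split("/"))


def payload_kind(req: dict) -> str:
    """Classify the request body as graphql, json, xml, none, or its MIME type."""
    post = req.get("postData")
    if not post:
        return "none"
    mime, body = post.get("mimeType", ""), post.get("text", "")
    if "json" in mime and '"query"' in body:   # heuristic for GraphQL over JSON
        return "graphql"
    return "json" if "json" in mime else "xml" if "xml" in mime else mime


def catalog(har_text: str) -> dict:
    """Map (METHOD, templated path) -> {'count': n, 'payloads': {kinds}}."""
    seen = defaultdict(lambda: {"count": 0, "payloads": set()})
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        key = (req["method"].upper(), template_path(urlsplit(req["url"]).path))
        seen[key]["count"] += 1
        seen[key]["payloads"].add(payload_kind(req))
    return dict(seen)


if __name__ == "__main__":
    for (method, path), info in sorted(catalog(HAR_TEXT).items()):
        print(method, path, info["count"], sorted(info["payloads"]))
```

Endpoints that appear in the catalog but not in the team’s own API documentation are the untested callable APIs the text refers to.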

In addition to Seeker IAST, Synopsys offers comprehensive end-to-end scanning technology that helps improve the security of cloud-native applications. With Code Sight™’s lightweight SAST, you can instantly find and fix code vulnerabilities in your IDE. Coverity® static analysis and Black Duck® software composition analysis help improve the security of IaC, containerized applications, and images. Synopsys offers a comprehensive portfolio of application security testing tools and services that help you quickly and easily find and fix critical vulnerabilities such as access and authentication issues, cross-site scripting, and various types of injection.

For more information on Synopsys’ AST tools portfolio and why Synopsys received the highest scores for cloud-native application use cases, see Gartner’s 2022 Critical Capabilities for Application Security Testing. Download the Critical Capabilities report.

Posted by Masato Matsuoka