DevSecOps

Integration of Application and API Security

From DevOps to DevSecOps

APIs and web applications are developed more agilely and rolled out faster than ever thanks to DevOps. To ensure that security does not become a bottleneck, a shift left is necessary. However, automated security checks during development are not enough on their own. Comprehensive security for APIs and applications also requires a shield right: protection at runtime.

Shift Left: Half the truth

Why is there a need for a shift left?

Application security is often addressed very late, and all too often this causes delays shortly before the production roll-out. Increasing agility and ever shorter release cycles make the problem worse. The shift-left security model tries to identify potential weaknesses earlier, ideally where they arise: in software development.

Example: If developers are alerted while still writing code that their new code is problematic, they can fix it quickly. If the same problem is only uncovered during a penetration test, the delay is much greater.

So that ideas can be tested quickly and feedback obtained early, development, security and operations work together in the same team. Security tools are integrated automatically into every phase of the software development life cycle. The result: secure software at the speed of Agile and DevOps. Security thus becomes both a cost saver and an accelerator. Find out what this has to do with a shift left in our blog article "Leftward slide in security culture".

Read blog article

Cornerstone of Shift Left

Automated checks uncover potential problems before delivery:

  • Software Composition Analysis (SCA): open source libraries and other code dependencies are checked against databases of known vulnerabilities.
  • Static Application Security Testing (SAST): the application's own source code is checked for anti-patterns and potential vulnerabilities while it is being written (white box).
  • Dynamic Application Security Testing (DAST): the application running in the test environment is probed from the outside for vulnerabilities (black box).
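As an added illustration of the SAST item above (example code written for this page, not a tool from Airlock or from the original article): a minimal white-box check built on Python's ast module. It walks the syntax tree of a constructed sample module and flags three classic anti-patterns: eval/exec, subprocess calls with shell=True, and yaml.load without an explicit Loader. The sample source, the rule names and the Finding type are assumptions of the example; real SAST tools implement hundreds of such rules on the same principle.

```python
"""Minimal SAST-style (white-box) check over Python source using the ast module.

Added example, not code from the original page or from Airlock. The rule set,
the Finding type and the sample source are assumptions constructed for it.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of the called expression, e.g. 'subprocess.run' or 'eval'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _keyword(node: ast.Call, name: str):
    """Return the AST node passed as keyword argument `name`, or None."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and report calls matching the three rules, ordered by line."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append(Finding("code-injection", node.lineno, f"{name}() executes dynamic code"))
        elif name.startswith("subprocess."):
            shell = _keyword(node, "shell")
            # shell=True hands the command string to /bin/sh, so concatenated input is injectable
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append(Finding("command-injection", node.lineno, f"{name}(shell=True)"))
        elif name == "yaml.load" and _keyword(node, "Loader") is None:
            findings.append(Finding("unsafe-deserialization", node.lineno, "yaml.load() without Loader"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module (never executed, only parsed). Line numbers matter:
# line 4 = subprocess with shell=True, line 5 = yaml.load, line 6 = eval.
SAMPLE_SOURCE = '''\
import subprocess, yaml

def run_report(user_input):
    subprocess.run("report --name " + user_input, shell=True)
    cfg = yaml.load(open("cfg.yml"))
    return eval(user_input)

def safe(user_input):
    subprocess.run(["report", "--name", user_input])
    return yaml.safe_load(open("cfg.yml"))
'''


def scan_sample() -> list[tuple[str, int]]:
    """(rule, line) pairs for the constructed sample; the `safe` function yields none."""
    return [(f.rule, f.line) for f in scan_source(SAMPLE_SOURCE)]


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

The check runs in milliseconds on a file, which is the point of the shift left: wired into a pre-commit hook or CI step it reports the problem to the developer who just wrote the line, rather than to a pentester weeks later.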

Shift Left is not enough

Shift left reduces the time and effort required to fix many security problems. However, the automated checks have limits:

  • The automated checks primarily detect known vulnerabilities and typical programming errors.
  • Fixing a known vulnerability takes an average of 200 days. The application must not be left unprotected during that time.
  • Security testing does not protect against bots, denial-of-service or zero-day attacks.

Shield Right: Protection at runtime

Shield right refers to the effort to comprehensively protect APIs and applications while they are in operation. Runtime protection is achieved by combining security building blocks:

  • Web Application and API Protection (WAAP): comprehensive runtime protection against a wide variety of attack vectors through WAFs and API gateways.
  • Identity and Access Management (IAM) + 2FA: user-friendly, strong authentication so that attackers cannot simply log in, e.g. with stolen passwords.

Why is the "Shield Right" needed?

  • Runtime protection bridges the time until a vulnerability is fully patched.
  • A modern WAAP solution can even thwart unknown attacks.
  • Reusing standard security building blocks gives development more speed and flexibility.
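To make concrete what the WAAP bullet above and the claim about unknown attacks mean in practice, here is an added example, not code from the page or from Airlock Microgateway: a request inspector that combines a negative security model (deny patterns for known attack classes) with a positive one (a per-route allowlist of method, path and JSON field shapes). The routes, field rules, deny patterns and sample requests are all constructed for the example. The request carrying an unexpected field is rejected even though no deny pattern matches it, which is the mechanism behind blocking attacks that have no signature yet.

```python
"""Runtime request filtering in the spirit of a WAAP. Added example, not the
page's or Airlock's code; routes, rules and sample traffic are assumptions."""
import json
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    body: bytes = b""
    headers: dict = field(default_factory=dict)


# Negative security model: constructed signatures for a few known attack classes.
DENY_PATTERNS = [
    ("sqli", re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1)")),
    ("path-traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"(?i)<script\b")),
]

# Positive security model: the contract each route is allowed to receive
# (assumed API shape). Anything outside it is rejected without needing a signature.
ALLOWED_ROUTES = {
    ("POST", re.compile(r"^/api/orders$")): {
        "max_body": 1024,
        "fields": {"sku": re.compile(r"^[A-Z0-9-]{3,20}$"), "qty": int},
    },
    ("GET", re.compile(r"^/api/orders/\d{1,9}$")): {"max_body": 0, "fields": None},
}


def _match_route(req: Request):
    for (method, pattern), contract in ALLOWED_ROUTES.items():
        if req.method == method and pattern.match(req.path):
            return contract
    return None


def inspect_request(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason): cheap denylist first, then the route contract."""
    text = req.path + "\n" + req.body.decode("utf-8", errors="replace")
    for name, pat in DENY_PATTERNS:
        if pat.search(text):
            return False, f"deny-rule:{name}"
    contract = _match_route(req)
    if contract is None:
        return False, "no-matching-route"
    if len(req.body) > contract["max_body"]:
        return False, "body-too-large"
    if contract["fields"] is None:
        return True, "ok"
    try:
        doc = json.loads(req.body)
    except ValueError:
        return False, "body-not-json"
    # Exact key set: extra or missing fields violate the contract.
    if not isinstance(doc, dict) or set(doc) != set(contract["fields"]):
        return False, "unexpected-fields"
    for key, rule in contract["fields"].items():
        val = doc[key]
        if isinstance(rule, type):
            if type(val) is not rule:  # exact type: bool is a subclass of int
                return False, f"bad-type:{key}"
        elif not (isinstance(val, str) and rule.match(val)):
            return False, f"bad-format:{key}"
    return True, "ok"


# Constructed sample traffic.
SAMPLE = {
    "good": Request("POST", "/api/orders", b'{"sku": "AB-123", "qty": 2}'),
    "sqli": Request("GET", "/api/orders/1' OR '1'='1"),
    # No deny pattern knows this payload; the allowlist rejects it anyway.
    "novel": Request("POST", "/api/orders", b'{"sku": "AB-123", "qty": 2, "__proto__": {"admin": true}}'),
    "get_ok": Request("GET", "/api/orders/42"),
}


def inspect_samples() -> dict[str, tuple[bool, str]]:
    return {name: inspect_request(req) for name, req in SAMPLE.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in inspect_samples().items():
        print(f"{name:7s} -> {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

The contract in ALLOWED_ROUTES is what a team would keep next to the application code and roll out with it; when a new endpoint ships, the route entry ships in the same change, which is the "security as code" idea discussed below.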

What do I have to pay special attention to with "Shield Right"?

Shift left and shield right complement each other and provide all-round application protection across all phases of the software lifecycle. To avoid a gap between the two initiatives, runtime protection must be integrated as early as possible.

WAAP meets DevSecOps: 

Microgateways for agile application protection

Traditional web application firewalls and API gateways tend to be operated centrally and are often at odds with modern DevSecOps principles. Under these circumstances, application teams find it difficult to take on more responsibility for security. For application protection to have its full effect in agile enterprises, microgateways are increasingly being deployed. Airlock Microgateway is a lightweight WAAP solution designed specifically for container environments.

Benefits of Microgateways

  • Maximum autonomy for application teams: developers and DevSecOps engineers get full control over application-specific security rules. When the application is updated, the customized security rules are rolled out with it, simultaneously and autonomously.
  • No costly delays just before release: lightweight microgateways provide effective application protection already during development and in the test environment, so integration problems are detected early and practically eliminated.
  • Infrastructure + Security as Code is a prerequisite for automating and embedding security in CI/CD pipelines. Changes to security rules are thus always made in a controlled, traceable and, where desired, automated manner.
  • Zero Trust: microgateways support an effective implementation of the Zero Trust principle by moving security checks away from the perimeter and next to the applications.


Are you a developer? Test the Airlock Microgateway right now in the Community Edition.

Want to learn more about DevSecOps? Read our whitepaper

In this white paper, you will learn the most important insights into how you can successfully and efficiently implement DevSecOps, which security components are required for this and which advantages a microgateway architecture brings.


Request Whitepaper DevSecOps

Are you interested in Zero Trust approaches? Read our whitepaper

The continuous digital transformation of the world is advancing and has a profound impact on private and professional life. Learn about the effects of continuous digitalisation and its impact on modern information technology.


Request Whitepaper Zero Trust

Information for you

Our whitepapers

Study Application and API Security 2022

In a recent study in cooperation with CIO, CSO and COMPUTERWOCHE, Ergon Airlock looked at application and API security in the container environment.

Request study

Zero Trust is a journey

The digital transformation of the world continues to progress, and it is profoundly affecting private life and job profiles in a manner that was hard to imagine just a few years ago.

This whitepaper covers the effects of continuous digitization and its implications.

Request free of charge


Airlock 2FA - Strong Authentication. Easy.

Two-factor authentication adds a second, independent factor to the login, so a stolen password alone is no longer enough.

Find out more about strong authentication and the possibilities that Airlock offers in our whitepaper.

Request free of charge

Further whitepapers

We provide whitepapers on these and other topics free of charge:

  • Successful IAM projects
  • Compliance
  • Data protection (GDPR)
  • Introduction of PSD2
  • PCI DSS requirements

Request free of charge