Ensuring application security in a Continuous Delivery world

Tim Dorr
CTO and Founder

Security is a funny thing: It’s something on which you spend a lot of time and effort in the hopes that no one will ever think twice about it. In fact, it’s one of the most important elements of your application because no matter how great a product you have, no one will use it if it’s not secure.

So what exactly does it take to ensure application security in a Continuous Delivery world? Here’s a look at three key areas on which you need to focus, plus some of the top tools to make your efforts a success.

Operational security

What it is: Operational security is all about how you run your application, including how your DevOps team keeps track of data and locks down any access points. Ultimately, it’s not just about having certain security elements in place, but also making sure they work and get used correctly. Think of it like this: If you have a bank and you never lock the doors, it’s not going to be secure. The act of locking those doors is operational security.

How to handle it: The most common operational security practices are written procedures for routine operations such as granting and revoking access, regular audits and tests, and periodic scans that verify everything is configured as intended and not exposed to known classes of attack.

Additionally, several compliance standards govern operational security, such as SOC 2 for trust services, HIPAA for health information and PCI DSS for handling cardholder data. Ensuring compliance with these standards is an important part of maintaining operational security.

Tools to use:

There are a variety of tools for scanning Kubernetes configurations to make sure everything is set up properly and to help easily identify any vulnerabilities that might exist. These tools include:
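Whatever scanner you choose, the checks it runs over a workload definition look roughly like the following. This is an added example with a constructed manifest, not code from the article or from any of the tools it alludes to; the workload name, registry hostname and the zero-filled digest are placeholders. It walks a Deployment's pod template and reports the settings most Kubernetes configuration scanners flag, then shows a hardened version of the same workload passing clean.

```python
"""Manifest checker for the kind of misconfiguration a Kubernetes scanner reports.
Added example with constructed manifests; not one of the tools the article alludes to."""

# Constructed sample (the JSON-equivalent dict form that kubectl also accepts),
# deliberately carrying several of the settings scanners flag.
WEAK_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "template": {
            "spec": {
                "hostNetwork": True,
                "containers": [
                    {
                        "name": "web",
                        "image": "registry.example.internal/web:latest",
                        "securityContext": {"privileged": True},
                    }
                ],
            }
        }
    },
}

# The same workload with every finding addressed. The sha256 digest is a placeholder.
HARDENED_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "web",
                        "image": "registry.example.internal/web@sha256:" + "0" * 64,
                        "securityContext": {
                            "privileged": False,
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "runAsNonRoot": True,
                            "capabilities": {"drop": ["ALL"]},
                        },
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                    }
                ],
            }
        }
    },
}


def pod_spec(manifest):
    """Return the PodSpec for a bare Pod or a templated workload (Deployment, Job, ...)."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def image_is_pinned(image):
    """True only when the reference carries a digest; tags (or no tag at all) can move."""
    return "@sha256:" in image


def check_manifest(manifest):
    """Return a list of human-readable findings; an empty list means the checks pass."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = pod_spec(manifest)

    # Sharing host namespaces gives a compromised container a view of the node.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled")

    for container in spec.get("containers", []):
        cname = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true, so require an explicit false.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not set to false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}/{cname}: runAsNonRoot is not set")
        if not image_is_pinned(container.get("image", "")):
            findings.append(f"{name}/{cname}: image is not pinned to a digest")
        if "limits" not in container.get("resources", {}):
            findings.append(f"{name}/{cname}: no resource limits")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(WEAK_MANIFEST):
        print("FAIL", finding)
    print("hardened manifest findings:", check_manifest(HARDENED_MANIFEST))
```

Run against the weak manifest it reports seven findings; against the hardened one, none. The same function can sit in a CI job that fails the pipeline on any finding, which is the "make sure they work and get used correctly" part of operational security: the check runs on every change rather than once at setup.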

Application security

What it is: Application security comes down to how you write your application. Specifically, it involves making sure that developers write code in a secure way that avoids introducing bugs or creating points of vulnerability. Going back to the bank example, a question of application security would be if your builders even put in locks to begin with.

How to handle it: The central question around application security is whether developers write code in a secure manner, including how they build defenses against known classes of vulnerability into the code itself. For example, if you know that cross-site scripting (XSS) is a common security problem, how do you write code that is resilient to those attacks?
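Taking the XSS example further, here is the vulnerable pattern beside a hardened one. This is an added example, not code from the article; the page rendering, the two constructed payloads and the `safe_url` helper are assumptions for illustration. The point it makes beyond the paragraph is that the defense depends on where the untrusted value lands: entity-encoding is enough for text and attribute contexts, but an `href` also needs a scheme allow-list, because an encoded `javascript:` URL is still a working link.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker-controlled inputs, as they might arrive from a signup form.
PAYLOAD_NAME = '<img src=x onerror="alert(document.cookie)">'
PAYLOAD_URL = "javascript:alert(document.cookie)"


def render_vulnerable(display_name, homepage):
    """The common mistake: untrusted values concatenated straight into markup."""
    return f'<p>Hello, {display_name}! <a href="{homepage}">homepage</a></p>'


def safe_url(url):
    """Allow only http(s) or relative URLs for an href; anything else becomes an inert '#'.

    Browsers ignore leading whitespace and embedded tab/newline characters when
    parsing a scheme, so strip those before deciding, or 'java\\tscript:' slips through.
    """
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme in ("", "http", "https"):
        return cleaned
    return "#"


def render_hardened(display_name, homepage):
    """Encode each value for the context it lands in.

    Text and attribute contexts get HTML entity encoding (quote=True also encodes
    the quote characters an attribute breakout needs). The href additionally gets a
    scheme allow-list, because entity encoding alone leaves javascript: URLs working.
    """
    name = html.escape(display_name, quote=True)
    href = html.escape(safe_url(homepage), quote=True)
    return f'<p>Hello, {name}! <a href="{href}">homepage</a></p>'


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_NAME, PAYLOAD_URL))
    print(render_hardened(PAYLOAD_NAME, PAYLOAD_URL))
```

In a real codebase this encoding belongs in the template engine with auto-escaping switched on, not in hand-written render functions; the example keeps it explicit so the two contexts are visible side by side.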

Overall, how to handle application security is difficult to nail down with any specificity because there are so many differences across organizations based on factors like the style of application and the specific development language and framework used to build that application.

Tools to use:

Dependency security

The last area of security centers around solutions on which your application depends in order to run. We can break this down further into direct application dependencies and operating environment dependencies.

Direct application dependencies

What it is: No one writes software in isolation or from scratch. Rather, it's very common to depend on other software for parts of the application, such as a library that runs the web server receiving your requests. This area of dependency security deals with code that your team didn't write and doesn't operate directly, but that's critical to getting your application online.

How to handle it: Every development language has some type of package manager that records which versions of these dependencies your software uses, usually in a lockfile. A dependency scanner reads that record and regularly checks each dependency against databases of known vulnerabilities, alerting you when an update is available (either a general release or a specific security patch).
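The core of such a scanner is small: parse the pinned versions, match each against advisory version ranges, and compare against the newest release. This is an added example, not code from the article or from any real scanner; the lockfile, the advisory records (package names and `ADV-` identifiers) and the `LATEST` index are constructed for the example and correspond to nothing in a real vulnerability database.

```python
import operator

# Constructed lockfile and advisory data; the package names and advisory IDs are
# made up for this example and correspond to nothing in any real database.
LOCKFILE = """\
# pinned dependencies (constructed)
examplelib==1.4.2
fastserve==2.0.0
tinyjson==0.9.1
"""

ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "affected": "<1.4.5", "fixed_in": "1.4.5"},
    {"id": "ADV-0002", "package": "fastserve", "affected": ">=2.0.0,<2.0.3", "fixed_in": "2.0.3"},
]

# What the package index would report as the newest release of each package.
LATEST = {"examplelib": "1.5.0", "fastserve": "2.0.3", "tinyjson": "0.9.1"}

# Two-character operators come first so that '<' does not swallow '<='.
COMPARATORS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
               "<": operator.lt, ">": operator.gt}


def parse_version(text):
    """Numeric dotted versions only: '1.4.2' -> (1, 4, 2). Pre-release tags are out of scope."""
    return tuple(int(part) for part in text.strip().split("."))


def version_matches(version, spec):
    """True when `version` satisfies every comma-separated clause in `spec`."""
    for clause in spec.split(","):
        clause = clause.strip()
        for op, compare in COMPARATORS.items():
            if clause.startswith(op):
                if not compare(parse_version(version), parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def parse_lockfile(text):
    """Map package name -> pinned version from `name==version` lines, ignoring comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def scan(lockfile_text, advisories, latest):
    """Return {'vulnerable': [...], 'outdated': [...]} for the pinned dependencies.

    A package can appear in both lists: vulnerable because an advisory's affected
    range covers the pinned version, outdated because a newer release exists.
    """
    pins = parse_lockfile(lockfile_text)
    report = {"vulnerable": [], "outdated": []}
    for name, version in pins.items():
        for adv in advisories:
            if adv["package"] == name and version_matches(version, adv["affected"]):
                report["vulnerable"].append(
                    f"{name}=={version}: {adv['id']} (fixed in {adv['fixed_in']})")
        newest = latest.get(name)
        if newest and parse_version(newest) > parse_version(version):
            report["outdated"].append(f"{name}=={version}: {newest} available")
    return report


if __name__ == "__main__":
    for kind, items in scan(LOCKFILE, ADVISORIES, LATEST).items():
        for item in items:
            print(kind.upper(), item)
```

The split between "vulnerable" and "outdated" is the distinction the paragraph draws between security patches and general updates: the first list should block a release, the second is routine maintenance. Real scanners add what this leaves out, chiefly transitive dependencies and non-numeric version schemes.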

Tools to use:

Operating environment dependencies

What it is: Every application also has dependencies beyond the code of the application itself, for example a dependency on the operating system on which the application runs. At the very least, every application depends on the runtime of the development language used to build it. Beyond that, most applications also depend on the container base image that serves as the foundation for the application.

How to handle it: Unfortunately, operating environment dependencies are usually an afterthought. Most organizations running their applications in a container choose a base image from a major distribution such as Ubuntu, but don't regularly check for updates to the specific image version in use. However, that image underpins the entire application, so if it's out of date or insecure, it can cause enormous issues. Overall, this area of security is a huge blind spot that has caused widespread security issues in the past.

As with the other types of security outlined here, the best way to handle operating environment dependencies and avoid that type of issue is to regularly monitor for (and then implement) updates to those dependent environments.
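The precondition for monitoring a base image is knowing exactly which image you are running, and a tag such as `ubuntu` or `node:18` does not tell you that, because the content behind a tag can be republished. A check like the following, an added example with constructed Dockerfiles rather than code from the article or any real linter, reads each `FROM` line and reports images that are untagged, tagged `latest`, or tagged but not pinned to a digest. The zero-filled digests are placeholders, not real image digests.

```python
import re

# Constructed Dockerfiles for the example; the digests are zero-filled placeholders.
WEAK_DOCKERFILE = """\
FROM node:18 AS builder
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM --platform=linux/amd64 ubuntu
COPY --from=builder /app/dist /srv
CMD ["/srv/start"]
"""

PINNED_DOCKERFILE = """\
FROM node:18@sha256:{z} AS builder
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM --platform=linux/amd64 ubuntu:24.04@sha256:{z}
COPY --from=builder /app/dist /srv
CMD ["/srv/start"]
""".format(z="0" * 64)

FROM_LINE = re.compile(r"^\s*FROM\s+(.*)$", re.IGNORECASE)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def base_images(dockerfile):
    """Yield (line_number, image_reference) for every FROM that names an external image.

    Flags such as --platform are skipped, and references to earlier build stages
    (FROM builder) are not base images, so they are excluded. FROM lines built from
    ARG substitution are not resolved by this example.
    """
    stages = set()
    for number, line in enumerate(dockerfile.splitlines(), start=1):
        match = FROM_LINE.match(line)
        if not match:
            continue
        tokens = [t for t in match.group(1).split() if not t.startswith("--")]
        image = tokens[0]
        if len(tokens) >= 3 and tokens[1].upper() == "AS":
            stages.add(tokens[2])
        if image in stages:
            continue
        yield number, image


def check_dockerfile(dockerfile):
    """Return findings for base images whose contents can change underneath you."""
    findings = []
    for number, image in base_images(dockerfile):
        if DIGEST.search(image):
            continue  # pinned: every build gets exactly this image
        name_part = image.rsplit("/", 1)[-1]  # drop registry host (which may carry a port)
        if ":" not in name_part:
            findings.append(f"line {number}: {image} has no tag (implicitly :latest)")
        elif name_part.endswith(":latest"):
            findings.append(f"line {number}: {image} uses the floating :latest tag")
        else:
            findings.append(f"line {number}: {image} is tagged but not pinned to a digest")
    return findings


if __name__ == "__main__":
    for finding in check_dockerfile(WEAK_DOCKERFILE):
        print("FAIL", finding)
    print("pinned Dockerfile findings:", check_dockerfile(PINNED_DOCKERFILE))
```

Pinning to a digest trades one problem for another: the build is now reproducible, but it will never pick up a patched base image on its own. That is the point of the paragraph above: the digest has to be monitored and bumped deliberately, by a person or an automated update job, rather than drifting silently with the tag.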

Tools to use:

How secure is your application?

Security can make or break your organization, and while you never want your customers to have to think twice about it, it’s something your own team should obsess over. From operational security to application security to dependency security, there’s a lot to consider. Is your team prepared to manage every layer?

Contact us today to learn how Spaceship can help ease the burden for your team and provide peace of mind through always-up-to-date security measures.
