Cloud, Containers, Orchestration Big Factors in BSIMM9

As software and applications increasingly head to the cloud, traditional enterprise software security initiatives are getting turned on their head. The push to the cloud, experts say, isn’t just taking applications and services off premises: It’s redefining how DevOps and traditional IT departments tackle security.

That’s the takeaway of Synopsys’ ninth annual Building Security in Maturity Model report (BSIMM9) released Tuesday. The report revealed an emerging new dynamic for software security professionals.

“The cloud is the tail [that] is wagging the software security dog,” said Gary McGraw, vice president of security technology at Synopsys.

He said that independent software vendors, Internet of Things vendors and cloud vendors are converging on a similar architecture, which is necessitating a similar approach to software security impacting all sectors of technology.

“We’ve heard a lot of hype over the years about cloud and how it’s going to change everything,” McGraw said. “What we’re finding in this year’s BSIMM is we are past the hype. People are actually doing real stuff. Software security is evolving past the hysteria to match real architectural needs.”

Driving that change are three new activities among the 120 firms participating in the annual BSIMM report. The BSIMM tracks 116 unique activities among 415,000 developers.

An industry migration of software and services to application containers running on cloud platforms such as AWS, Microsoft’s Azure and Google Cloud Services has forced the software security community to adopt management software for orchestrating complex systems.

“While cloud, containers and containerization are not new phenomenon, what is new is the use of cloud orchestration tools by DevOps,” McGraw said. He said software security groups are now forced to use orchestration tools for managing disparate and sprawling hybrid cloud environments.

This transition has taken some of the burden off of traditional system administrators and placed it on DevOps. The byproduct is more software to audit as DevOps problem solve the management of hybrid infrastructures with scripts to monitor processes such as software-based data backups, load balancing and patch management.

The BSIMM outlines a third activity – keeping tabs on all the moving parts (software supply chain). McGraw said as infrastructure, applications and services become virtualized the number of unique components that make up a network has skyrocketed.

“In a cloud architecture you can have pieces of functionality that are scripts, code and third-party services located all over the place in a highly distributed fashion. You have to keep track of which versions of what you’re using from who in your application,” he said.

Failing to efficiently manage software components has lead to serious and costly breaches as hackers look to find just one vulnerable component as a springboard to breach a company. The 2017, the Equifax breach and the Struts vulnerability was one of the most costly breaches in corporate history.

McGraw said as the software security community pulls triple-duty tackling orchestration, software supply chain management and some traditional system admin tasks they have less to complaint about. “They no longer get to whine. Now they can just get out in front of these problems and solve them.”