We’ve noticed that there is a lot of misinformation and knowledge gaps out there about application security for cloud-native stacks, which isn’t super surprising given how fast the world has changed. Many of the tactics and underlying principles of cybersecurity in the monolithic world of 2013 simply don’t apply to the dynamic and data-heavy microservice-based systems that we have quickly come to depend on today, and the game of catch-up for engineering teams is falling dangerously behind.
As hard as it is to solve cloud-native application security problems, it’s also hard for many engineers to even understand what exactly the problems are that are going unsolved, especially when the scale and speed of Kubernetes deployments and their merry-go-round of service and API relationships are on an ever-accelerating tilt. Add to that the flurry of acronyms used to describe cybersecurity products out there, and the whole space can give a headache to even the most dedicated pedant.
That’s why we decided to write a book.
Demystifying application security with straightforward language and examples is an important step towards securing cloud-native stacks everywhere. Having worked on security problems with rapidly scaling systems over the last two decades, all the way from operating system kernels to the edge to the cloud and beyond, at the scale of billions of devices, billions of VMs and billions of services, we’ve seen how security challenges repeatedly ride the wave of systemic change, emerging in catastrophic ways, often while teams are still just trying to understand the actual boundaries of what they need to protect.
One way in which these challenges rear their ugly heads is through amorphous, constantly evolving attack surfaces, like an endless game of “whack-a-mole,” with nefarious actors popping up from blind spots that many engineering teams know are there but can’t really put their fingers on: exactly where they are, or how to plug them up in a meaningful and long-lasting way.
After a casual discussion a few weeks back with an expert in earthquake building codes, I realized that the state of being a security engineer today is kind of like being an architectural engineer tasked with evaluating building safety in an earthquake-prone area who can see quite clearly that a teetering building slapped up in a hurry is a disaster waiting to happen, but who doesn’t have the power or the means to fix it. It’s a very stressful and disempowered place to be, especially for someone who has put a lot of their life’s effort into developing their expertise in such an important, human-impacting space.
What would it take for our example earthquake expert’s knowledge to actually prevent a disaster? What is actually required for the chain of decision-makers and conflicting priorities to make it from that expert’s opinion, through the bureaucratic hurdles of government, the purse-strings of private industry, all the way to the rickety unenforced studs holding up that building’s foundations, so that when the inevitable shaking unleashes, the people who depend on that foundation are left secure and unharmed?
Information is key, and a common language between the various stakeholders a must. Everyone must also have a clear outline of exactly how catastrophic the risk is, and of how the various design choices (and gaps) contribute to the potential disaster. The fewer acronyms the better, an analogy here or there for the non-engineers, and then… a lot of straightforward information that helps set out a practical framework for shoring up those gaps.
While the importance and human impact of earthquake building standards is very tangible (as are the consequences of shoddy workmanship), the consequences of security breaches of PII data also have a huge impact on individuals across the globe. Just look at the human consequences of the private PII data that has been hacked from all sorts of critical systems ranging from mortgage brokers to medical records to password managers. So, shouldn’t we have building codes for application security too?
In Redefining Application Security for the Modern World, we aim to provide a simplified framework for understanding modern application security architecture in a holistic and pragmatic way. We then dig deeper into what it will take for specific tactics that the old world relied on, such as Zero Trust microsegmentation, to be successfully applied in an IP-agnostic cloud-native world so that application internals can be just as secure as the firewall-protected data center fortresses of the old world were.
Redefining Application Security for the Modern World will be available in paperback and ebook formats on April 24, 2023. Want a free copy? Sign up here.