As more workloads move to the cloud, application security has become very complex. That's especially true of applications that rely on open source code sharing.
"[Because] there are so many moving parts when you get into production, there are times when security folks don't really understand who is responsible for securing what. They might assume that an IaaS [infrastructure as a service] provider is responsible for securing the whole thing, but that might not be the case," said Paula Musich, a research director at Enterprise Management Associates. "At the same time, it's easy to miss something because these infrastructures are so complex."
Companies are doing their best to address issues related to security, compliance and consistency, but the problem is large enough that no single tool can fix it. Cloud-native stacks typically combine several layers, such as serverless, containers, platform and infrastructure, and each layer usually requires its own tooling. For example, some tools address problems during development, such as vulnerability identification, while others focus on detecting compliance and governance issues in production.
Accurics, a Pleasanton, Calif.-based startup, is trying to fix that problem by addressing security issues in the cloud earlier in the development process. The company calls this technique code-to-cloud security. CEO Sachin Aggarwal says it's a more holistic approach to security that protects the full cloud-native stack through the DevOps life cycle and ensures that the security posture defined through code does not drift once the infrastructure is provisioned.
Accurics says this is a 4D approach to application security because it protects the cloud-native stack throughout the DevOps life cycle, from the moment it is defined in code until its release into production and beyond. When cloud deployments drift from their intended posture, the organization is alerted and the technology can revert back to the last known compliant state.
To address security as code, the solution continuously scans application code and infrastructure as code (IaC) as they are being developed, looking for vulnerabilities and compliance violations. Aggarwal said this approach differs from that of other solutions that secure IaC: most are point solutions focused on a specific tool, whereas most organizations use a variety of IaC tools, he said. Accurics scans infrastructure code from a range of tools across the full cloud-native stack and produces a holistic view of security and compliance across all IaC, he said.
The solution also aims to address configuration drift, where deployed configurations change unintentionally as a result of manual changes by users. Current solutions address configuration drift by establishing a baseline of the infrastructure configurations in production and then monitoring for any deviations from that baseline. Aggarwal said that's too late in the process because the cost of remediation at this stage is high. As a result, some organizations accept the risks rather than address them, which means the production baseline already contains risks, and monitoring only for new configuration changes that introduce risk is ineffective.
The Accurics code-to-cloud security solution enables organizations to implement policy guardrails that enforce security best practices during development. Doing it this way helps ensure that infrastructure is never provisioned with risky configurations.
Accurics also scans infrastructure as code to pinpoint violations of compliance and cybersecurity practices. The company does this by implementing compliance guardrails during development to address violations and ensure that non-compliant infrastructure is never provisioned. Once the infrastructure is provisioned with a compliant posture, it should be monitored for any incremental changes that introduce violations; this will significantly reduce alert fatigue and risk exposure, Aggarwal said.
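As an added illustration (not Accurics' code or any product's rule set), here is a small Python sketch of the two mechanisms described above: policy guardrails evaluated against infrastructure as code before anything is provisioned, and drift detection that compares the posture declared in code with a later snapshot of the provisioned state. The resource shapes, rule ids and sample resources are constructed assumptions.

```python
"""Policy guardrails for infrastructure as code, plus drift detection.
Resources are plain dicts (a constructed stand-in for an IaC tool's parsed plan) so
this runs offline; the policies and resource shapes are illustrative assumptions."""
from typing import Callable, Dict, List, Tuple

Resource = Dict[str, object]
Policy = Tuple[str, Callable[[Resource], bool]]  # (rule id, predicate: True when violated)

# Guardrails evaluated at development time, before anything is provisioned.
POLICIES: List[Policy] = [
    ("BUCKET_PUBLIC", lambda r: r["type"] == "bucket" and bool(r.get("public"))),
    ("BUCKET_UNENCRYPTED", lambda r: r["type"] == "bucket" and not r.get("encrypted")),
    ("SSH_OPEN_TO_WORLD", lambda r: r["type"] == "security_group" and any(
        i["port"] == 22 and i["cidr"] == "0.0.0.0/0" for i in r.get("ingress", []))),
]

def evaluate_policies(resources: List[Resource]) -> List[Tuple[str, str]]:
    """Return (resource name, rule id) for every guardrail a resource violates."""
    return [(r["name"], rid) for r in resources for rid, violated in POLICIES if violated(r)]

def detect_drift(declared: List[Resource], observed: List[Resource]) -> Dict[str, Dict]:
    """Diff the posture defined in code against what is observed after provisioning.
    Returns {resource name: {attribute: (declared, observed)}}; a resource that is
    missing from the cloud snapshot is reported under the key "<resource>"."""
    observed_by_name = {r["name"]: r for r in observed}
    drift: Dict[str, Dict] = {}
    for d in declared:
        o = observed_by_name.get(d["name"])
        if o is None:
            drift[d["name"]] = {"<resource>": ("present", "missing")}
            continue
        changed = {k: (d[k], o.get(k)) for k in d if k != "name" and o.get(k) != d[k]}
        if changed:
            drift[d["name"]] = changed
    return drift

# Constructed sample: the compliant state declared in code vs a later cloud snapshot.
DECLARED = [
    {"name": "logs", "type": "bucket", "public": False, "encrypted": True},
    {"name": "web-sg", "type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
]
OBSERVED = [
    {"name": "logs", "type": "bucket", "public": True, "encrypted": True},  # flipped public by hand
    {"name": "web-sg", "type": "security_group", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},  # SSH opened
]

if __name__ == "__main__":
    print("guardrail violations in code:", evaluate_policies(DECLARED))   # none: code is compliant
    print("drift after provisioning:", detect_drift(DECLARED, OBSERVED))  # logs and web-sg changed
    print("violations introduced by drift:", evaluate_policies(OBSERVED))
```

Running the guardrails over the observed snapshot as well shows that the drift, not the code, introduced the violations, which is the case the text says a production-only baseline would miss.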
Nipping these issues in the bud earlier in the development process makes a lot of sense, Musich said.
"The further away from the development of a particular piece of code that security identifies problems, the more expensive it is to fix," she said. "Finding the vulnerabilities as the application is being developed or as close to that point as possible so they can be fixed before it goes into production is cheaper and faster, and you're not creating a battle between the security people, who have their goals, and the application developers, who have conflicting goals."