Recent vulnerabilities and customer conversations have made a few things crystal clear in the last few months:
- There is no such thing as an invulnerable app, so inline defenses protecting the app are a must (yes, even in the cloud).
- All defenses must be automated in the cloud – discover apps, deploy defenses, and enforce policy. Otherwise the defenses will be bypassed – remember that the developers are in charge.
- 95% said Log4j was a wake-up call for cloud security
- 82% said the Log4j vulnerability changed their priorities
- 77% are still dealing with Log4j patching
In other words, these vulnerabilities are universal, there will be more of them, and each will have a long tail. You can see the research report here.
Back to my original key points – there will always be vulnerabilities in software. The difference is that with open source software, a single supply chain vulnerability applies to multiple applications (thousands), so attackers will work harder to find and exploit them. On the positive side – developers are in charge (good for business), moving rapidly, and in many cases motivated to fix security issues, for example by shifting security left.
Despite these positives, there are still two things that folks are concerned about:
- There is always going to be a window of vulnerability. It might be 6 hours, 6 days, 6 weeks, or 6 months – depending on how big the issue is, how much control the org has, and how good they are at exercising that control. During that window, security people will not sleep.
- Sometimes “patching” is worse, and sometimes the problem is a simple app configuration error.
Therefore, defenses that protect the app from outside the app (network-based, agent-based, firewalls, IPS, WAF, DLP, etc.) will always be necessary. The issue here is that previous implementations of those controls (hardware appliances in the data center, virtual appliances in the cloud) aren’t up to cloud pace. They’re not natively automated to discover apps, deploy defenses, and enforce policy.
In the cloud world, anything that can’t keep pace with cloud deployment gets routed around by developers on behalf of the business. In other words: we need defenses inside and outside the app, and those defenses must be automated.