Cloud Native DevSecOps with Kubernetes: Securing Modern Applications in the Cloud
It’s hard to believe that Kubernetes was born only five years ago. The application management technology that’s become so core to modern cloud native development and testing started in a low-key way, with a one-paragraph mention on a Google Cloud blog and a simple open source commit in June 2014.
The rise of the world’s most popular container orchestrator has gone hand in hand with cloud-native development. Together, these technological approaches have unlocked a software development path that has enabled enterprises to build faster, more agile software with increased resiliency and easy scalability. It’s no wonder that cloud-native development, enabled by the likes of Docker and Kubernetes, has become the software development gold standard for the world’s most successful digital giants.
DevOps for Speed, Scale and Security
Cloud native DevOps isn’t just for the digital natives out there. To remain competitive, organizations need to move at the speed digital enables, whether they started out cloud native or they are incumbents looking to migrate to that model. Concerns over security, privacy and compliance often hold organizations back from making the move to fully cloud native initiatives. The tools designed to provide visibility and protection from security threats in a traditional or even VM-based cloud environment don’t work in the same way in a cloud native environment made up of loosely coupled containers and microservices. Automation, for instance, has to play a far more pivotal role.
Organizations working with Kubernetes, and more generally with cloud native DevOps, need to embrace the approach known as DevSecOps. I could of course reel off a ten-point list of do’s and don’ts for securing cloud-native apps. However, the real difference with cloud native DevOps is that application security starts long before the application goes into production. For help with specific Kubernetes challenges, there are some great resources out there designed to ease stack set-up or to activate more advanced protocols, including from the Kubernetes organization itself.
Strategic AND Granular: Security as Code
Apexon helps organizations address the bigger business goals around privacy, security and compliance. If the aim is to avoid a software failure that could cost your organization millions, leave your customers vulnerable, generate headlines for all the wrong reasons and damage your reputation, then your organization needs a comprehensive, structured approach: one focused on proactively identifying vulnerabilities during the development of the application and providing solutions to close them.
Testing is core to identifying and dealing with issues, but the process starts much earlier and... well, it doesn’t really end. Detailed reporting of test results should form part of an ongoing feedback loop which, aided by advanced analytics, predicts and prevents issues before they reach the hands of customers or attackers. Securing modern applications in the cloud requires security to be woven into the fabric of the software development lifecycle.
That’s why Apexon has developed its own 10-stage approach to security planning, testing and execution, refined through our 14+ years in digital development and testing to provide comprehensive security testing for applications from concept into production.
- Security Architecture Deep Dive – understand business requirements, security goals and compliance objectives.
- Architecture Analysis – understand and analyze the requirements of the application under test.
- Classify Security Testing – collect all system set-up information used for development of the software and networks, e.g. OS, technology, hardware.
- Threat Modelling – next, it’s time to prepare the threat profile.
- Test Planning – use insights gathered from identified threats, vulnerabilities and security risks.
- Traceability Matrix – create this for each threat, vulnerability and risk.
- Security Testing Tool Identification – execute faster and more reliably with the right automation tools in a cloud native environment.
- Test Case Prep – a security test case document is your foundation for the next couple of stages of execution and reporting.
- Test Case Execution – the most obvious part of the process when people talk about security testing in the cloud, this is where we perform security tests, retest bug fixes and execute regression test cases.
- Reporting – monitor and predict vulnerabilities with detailed reporting on threats, contained risks, and open issues.
What’s your organization’s current level of cloud adoption? Are there any challenges holding your team back from fully adopting cloud native development? We’d love to hear from you and address your issues.