Take a dev-centric approach to cloud-native AppSec testing (Help Net Security, 28 February 2022)
"We are no longer dealing with just vulnerabilities, but also with vulnerable flows between microservices. On top of that, as cloud-native applications are built on multiple infrastructure layers - the container, the cluster, and the cloud - the way these layers are configured affects what a hacker can do with these vulnerabilities," notes Ron Vider, one of the co-founders and the CTO of Oxeye.
"Old-school" software composition analysis and static, dynamic, and interactive application security testing tools (SCA, SAST, DAST and IAST) are run independently, are not synchronized with one another, and cannot cross-reference their results or use enriched data from the other layers of the environment (container, cluster and cloud).
"First it analyzes the infrastructure to understand how the application is configured, and it does that by communicating with the Docker API, the containerd API, the Kubernetes API and the cloud provider API, and fetching the relevant configuration. Then, it detects potential vulnerabilities in the code. Next, it analyzes the communication between the different components and traces their flow. Finally, it validates the found vulnerabilities by sending payloads to the application and analyzing its behavior, to understand whether it's exploitable or not."
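The four steps Vider describes (pull configuration from the runtime and cluster APIs, find code-level issues, trace the flows between services, then validate with payloads) can be illustrated with a small added example. This is not Oxeye's code or its data model: the cluster fields, the flows, the findings, the scoring weights and the lookup_order handler are all constructed assumptions, and the context is held in inline dictionaries rather than fetched from the Docker, containerd, Kubernetes or cloud APIs. The point it shows is the one the quote makes: the same code finding ranks very differently once you know whether an attacker can actually drive traffic to the service and what the container it runs in allows, and a finding is only confirmed when a payload changes the application's behavior.

```python
"""Added example (not Oxeye's code): enrich code findings with constructed
container/cluster context and observed flows, rank them, then validate one
finding by sending payloads to a hypothetical handler. Runs offline."""
from collections import deque
import sqlite3

# Constructed cluster context, shaped like fields a tool would pull from the
# Kubernetes and container runtime APIs (hypothetical values).
CLUSTER = {
    "web":    {"exposure": "LoadBalancer", "run_as_root": False, "ingress_from": ["internet"]},
    "orders": {"exposure": "ClusterIP",    "run_as_root": True,  "ingress_from": ["web"]},
    "db":     {"exposure": "ClusterIP",    "run_as_root": False, "ingress_from": ["orders"]},
    "batch":  {"exposure": "ClusterIP",    "run_as_root": False, "ingress_from": ["cron"]},
}

# Constructed service-to-service flows (caller -> callee), as tracing would see them.
FLOWS = [("internet", "web"), ("web", "orders"), ("orders", "db")]

# Constructed code findings, as a static analysis step would report them.
FINDINGS = [
    {"id": "F1", "service": "orders", "cwe": "CWE-89", "desc": "string-built SQL in lookup_order"},
    {"id": "F2", "service": "db",     "cwe": "CWE-79", "desc": "unescaped HTML in status page"},
    {"id": "F3", "service": "batch",  "cwe": "CWE-89", "desc": "string-built SQL in nightly job"},
]


def reachable_from_internet(service, flows, cluster):
    """BFS over observed flows, following an edge only when the callee's
    network policy (ingress_from) admits traffic from the caller."""
    seen, queue = {"internet"}, deque(["internet"])
    while queue:
        cur = queue.popleft()
        if cur == service:
            return True
        for src, dst in flows:
            if src == cur and dst not in seen and cur in cluster[dst]["ingress_from"]:
                seen.add(dst)
                queue.append(dst)
    return False


def prioritize(findings, flows, cluster):
    """Score each finding by context (assumed weights): +2 if an attacker on
    the internet can reach the service through observed flows, +1 if the
    container runs as root. Returns findings sorted highest score first."""
    ranked = []
    for f in findings:
        ctx = cluster[f["service"]]
        reach = reachable_from_internet(f["service"], flows, cluster)
        score = 1 + (2 if reach else 0) + (1 if ctx["run_as_root"] else 0)
        ranked.append({**f, "reachable": reach, "score": score})
    return sorted(ranked, key=lambda x: -x["score"])


def lookup_order(conn, order_id):
    """Hypothetical vulnerable handler behind finding F1: SQL built by concatenation."""
    return conn.execute("SELECT id FROM orders WHERE id = '" + order_id + "'").fetchall()


def lookup_order_safe(conn, order_id):
    """Same handler after the fix: parameterized query."""
    return conn.execute("SELECT id FROM orders WHERE id = ?", (order_id,)).fetchall()


def validate_sqli(handler, conn):
    """Validation step: send a benign probe and an injection payload. The
    finding is confirmed only when the payload widens the result set the way
    a tautology injection would; a parameterized handler returns nothing extra."""
    baseline = handler(conn, "1")
    injected = handler(conn, "1' OR '1'='1")
    return len(injected) > len(baseline)


def demo_db():
    """Constructed in-memory table standing in for the orders service's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?)", [("1",), ("2",), ("3",)])
    return conn


if __name__ == "__main__":
    for f in prioritize(FINDINGS, FLOWS, CLUSTER):
        print(f["id"], f["service"], f["cwe"], "score", f["score"],
              "internet-reachable" if f["reachable"] else "internal only")
    conn = demo_db()
    print("F1 exploitable:", validate_sqli(lookup_order, conn))
    print("F1 after fix:  ", validate_sqli(lookup_order_safe, conn))
```

F1 and F3 are the same code pattern, but only F1 sits on a flow an external attacker can drive and in a root container, so it ranks first; F3 in the batch job, which nothing reachable calls, ranks last. The validation step then separates a real injection from a false positive by behavior rather than by pattern, which is what the "sending payloads and analyzing its behavior" step in the quote amounts to.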
An effective application security testing tool should perform automated, comprehensive analysis and should serve everyone responsible for application security in the organization: the developers, the AppSec team and the DevOps team.
Oxeye lets AppSec teams find vulnerabilities long before they reach production, and its clear remediation guidance is what allows developers to prioritize security for cloud-native applications.
"Developers know how to write code, but they are not necessarily knowledgeable when it comes to security. Application security experts know security, but not necessarily how to write code. Oxeye's advanced testing technology streamlines cloud-native security processes, thereby assisting once-isolated teams in their collaboration effort and providing them with a common space where they can communicate in a common language about security issues that need to be fixed," Vider concluded.
News URL
https://www.helpnetsecurity.com/2022/02/28/cloud-native-appsec-testing/