
The Multifaceted Value of the Cloud

DZone's Tom Smith talked with Contrast Security co-founder and CTO Jeff Williams about how some companies use the cloud, what it offers, and how it could, and should, change.

By Tom Smith · Nov. 25, 16 · Interview

I had a chance to chat with Jeff Williams, co-founder and CTO of Contrast Security. We talked about how Contrast uses the cloud, touching on concepts from app development and deployment to how it fits into DevOps to security. Take a look at what we talked about, how the cloud is impacting companies, and what the future might hold.

How does your company use the cloud to develop and deploy applications and solutions?

Jeff Williams: Contrast uses the cloud to both develop and deploy our SAAS application security solution. We are a DevOps organization and release code daily. We have a multi-tenant SAAS environment running in AWS that serves as the backend for our agents that continuously assess and protect web applications, APIs, and other software for our customers. Beyond our product environment, we maintain many other AWS environments for development, staging, performance testing, and more. We put a lot of work into securing our various environments, and rely on many AWS services for encryption, authentication, and more. 

What software do you use most often to develop in, and deploy to, the cloud?

Jeff Williams: We use a variety of tools and processes to build and deploy software to the cloud. Our development teams use Java, .NET, Node.js, Ruby, and Python environments. We use Maven and Jenkins to build software, and Git to manage our source code repositories. We manage our development work with JIRA and other tools. For deployment, we use Ansible for deployment and Lambda for certain jobs.

What do you see as the most important elements of cloud-based development and deployment?

Jeff Williams: For me, the big advantages are speed and agility. Use of the cloud helps to enable our DevOps process. We can quickly and easily build, test, and push new environments to production with bug fixes and new features. This makes our customers happy and keeps our engineering teams focused on important features.

What problems are being solved with cloud-based development and delivery?

Jeff Williams: Cloud-based development and delivery is a key enabling technology, but the real key to faster and more reliable software deployment is a DevOps process that ensures testing and security are continuously performed. This helps to ensure that software doesn’t get far off the rails before it gets corrected. In the old days, software would go for months or years before problems would get identified. For us, the ability to scale elastically allows us to handle security for many thousands of applications concurrently.

How has development and delivery in the cloud evolved?

Jeff Williams: Development and delivery in the cloud continue to accelerate with better tools and more advanced services. The long-term outcome is that developers are able to focus exclusively on their business logic, and won’t have to worry about all the other aspects of software development that can slow down the process. 

What are the obstacles to success in developing or deploying in the cloud?

Jeff Williams: The biggest obstacle is security. The threat facing cloud-based development and deployment is significant. When an application moves to the cloud, there are two major changes. First, the entire foundation and all the security assumptions about the environment are completely changed. This isn’t just about technology; the people, processes, and even the legal framework for operating the application change. Second, all the connections made by the application are now exposed in new ways. The application that once previously connected from a trusted network to internal systems must now connect over public networks and may lack a trusted way to store credentials. Essentially, the developers made a certain set of assumptions about the environment when they designed and built the application, and when they change, it is extremely likely to result in both security improvements and security vulnerability. Certainly, not all private datacenters are well run, and many cloud providers offer excellent security services, so the net change may be positive, but you will certainly want to carefully think through the new threat model.

Do you have any concerns regarding the development or deployment to the cloud?

Jeff Williams: My biggest concern is that many organizations are deploying applications “naked and afraid.” We know most organizations can’t reliably produce code without vulnerabilities. And our operational defenses have been extremely spotty in the past. I believe the future of application security in cloud environments is “self-protecting software” that can identify its own vulnerabilities and protect itself against attacks. This approach works so well for cloud applications, because no matter where applications are deployed, no matter how they scale, the protection is part of the application itself. SPS is available now and being used by hundreds of the largest companies in the world.

What’s the future for development and deployment to the cloud?

Jeff Williams: When Marc Andreessen wrote, “software is eating the world,” he meant that every business is literally turning into software. Cloud is a key part of that story. I’m seeing even the most conservative enterprises dismantling their datacenters and moving their infrastructure to the cloud. From a security perspective, I think cloud environments will evolve to provide security assessment and protection capabilities automatically, without any changes required to the way software is developed, tested, or deployed. This is already happening with IAST and RASP technologies in many large organizations.

What do developers need to keep in mind when developing and deploying to the cloud?

Jeff Williams: Developers should keep in mind that as their cloud-based software development and deployment process accelerates, the opportunity for devastating vulnerabilities also increases. They should be sure that they are doing security assessments continuously during the software development process. Teams may want to look at modern IAST tools that can provide continuous analysis. To protect against attacks, development teams should also consider integrating a RASP component into their architecture. These tools enable web applications and APIs to protect themselves against attacks, even when that code is hosted in the cloud.

What would you like to know from developers regarding how they are developing for, and deploying to, the cloud?

Jeff Williams: I would love to ask developers to dream about their ideal solution for securing cloud applications. Will they tolerate extra steps? When would they like security feedback? How would they like that feedback delivered? Do they want accountability for their code? What would make them feel confident in their deployment? How do they know their security is actually working?

What have I failed to ask you that you think we need to consider with regard to developing and deploying to the cloud?

Jeff Williams: How do you protect your source code and other intellectual property when doing development in the cloud? Most organizations don’t think enough about the security of the code itself. If an attacker can gain access to the source (or binary) code they are much more likely to be able to find vulnerabilities. And if they can Trojan that code, their malicious logic can make its way into production and seriously damage the enterprise. Previously, when all development machines were internal, much of this risk was mitigated with traditional network and host security controls. But when the development pipeline moves to the cloud, it can be difficult to understand all the pieces and exactly what is exposed. Organizations should treat their development pipeline like other infrastructure and their code as a critically sensitive asset, from both a confidentiality and integrity perspective. It’s an interesting but often overlooked threat model.


Opinions expressed by DZone contributors are their own.
