I had a chance to chat with Jeff Williams, co-founder and CTO of Contrast Security. We talked about how Contrast uses the cloud, touching on concepts from app development and deployment to how it fits into DevOps to security. Take a look at what we talked about, how the cloud is impacting companies, and what the future might hold.
How does your company use the cloud to develop and deploy applications and solutions?
Jeff Williams: Contrast uses the cloud to both develop and deploy our SaaS application security solution. We are a DevOps organization and release code daily. We have a multi-tenant SaaS environment running in AWS that serves as the backend for our agents that continuously assess and protect web applications, APIs, and other software for our customers. Beyond our product environment, we maintain many other AWS environments for development, staging, performance testing, and more. We put a lot of work into securing our various environments, and rely on many AWS services for encryption, authentication, and more.
What software do you use most often to develop in, and deploy to, the cloud?
Jeff Williams: We use a variety of tools and processes to build and deploy software to the cloud. Our development teams use Java, .NET, Node.js, Ruby, and Python environments. We use Maven and Jenkins to build software, and Git to manage our source code repositories. We manage our development work with JIRA and other tools. For deployment, we use Ansible, and Lambda for certain jobs.
What do you see as the most important elements of cloud-based development and deployment?
Jeff Williams: For me, the big advantages are speed and agility. Use of the cloud helps to enable our DevOps process. We can quickly and easily build, test, and push new environments to production with bug fixes and new features. This makes our customers happy and keeps our engineering teams focused on important features.
What problems are being solved with cloud-based development and delivery?
Jeff Williams: Cloud-based development and delivery is a key enabling technology, but the real key to faster and more reliable software deployment is a DevOps process that ensures testing and security are continuously performed. This helps to ensure that software doesn’t get far off the rails before it gets corrected. In the old days, software would go for months or years before problems would get identified. For us, the ability to scale elastically allows us to handle security for many thousands of applications concurrently.
How has development and delivery in the cloud evolved?
Jeff Williams: Development and delivery in the cloud continue to accelerate with better tools and more advanced services. The long-term outcome is that developers are able to focus exclusively on their business logic, and won’t have to worry about all the other aspects of software development that can slow down the process.
What are the obstacles to success in developing or deploying in the cloud?
Jeff Williams: The biggest obstacle is security. The threat facing cloud-based development and deployment is significant. When an application moves to the cloud, there are two major changes. First, the entire foundation and all the security assumptions about the environment are completely changed. This isn’t just about technology; the people, processes, and even the legal framework for operating the application change. Second, all the connections made by the application are now exposed in new ways. The application that once connected from a trusted network to internal systems must now connect over public networks and may lack a trusted way to store credentials. Essentially, the developers made a certain set of assumptions about the environment when they designed and built the application, and when those assumptions change, it is extremely likely to result in both security improvements and security vulnerabilities. Certainly, not all private datacenters are well run, and many cloud providers offer excellent security services, so the net change may be positive, but you will certainly want to carefully think through the new threat model.
Do you have any concerns regarding the development or deployment to the cloud?
Jeff Williams: My biggest concern is that many organizations are deploying applications “naked and afraid.” We know most organizations can’t reliably produce code without vulnerabilities. And our operational defenses have been extremely spotty in the past. I believe the future of application security in cloud environments is “self-protecting software” that can identify its own vulnerabilities and protect itself against attacks. This approach works so well for cloud applications because no matter where applications are deployed, no matter how they scale, the protection is part of the application itself. SPS is available now and being used by hundreds of the largest companies in the world.
What’s the future for development and deployment to the cloud?
Jeff Williams: When Marc Andreessen wrote, “software is eating the world,” he meant that every business is literally turning into software. Cloud is a key part of that story. I’m seeing even the most conservative enterprises dismantling their datacenters and moving their infrastructure to the cloud. From a security perspective, I think cloud environments will evolve to provide security assessment and protection capabilities automatically, without any changes required to the way software is developed, tested, or deployed. This is already happening with IAST and RASP technologies in many large organizations.
What do developers need to keep in mind when developing and deploying to the cloud?
Jeff Williams: Developers should keep in mind that as their cloud-based software development and deployment process accelerates, the opportunity for devastating vulnerabilities also increases. They should be sure that they are doing security assessments continuously during the software development process. Teams may want to look at modern IAST tools that can provide continuous analysis. To protect against attacks, development teams should also consider integrating a RASP component into their architecture. These tools enable web applications and APIs to protect themselves against attacks, even when that code is hosted in the cloud.
What would you like to know from developers regarding how they are developing for, and deploying to, the cloud?
Jeff Williams: I would love to ask developers to dream about their ideal solution for securing cloud applications. Will they tolerate extra steps? When would they like security feedback? How would they like that feedback delivered? Do they want accountability for their code? What would make them feel confident in their deployment? How do they know their security is actually working?
What have I failed to ask you that you think we need to consider with regards to developing and deploying to the cloud?
Jeff Williams: How do you protect your source code and other intellectual property when doing development in the cloud? Most organizations don’t think enough about the security of the code itself. If an attacker can gain access to the source (or binary) code, they are much more likely to be able to find vulnerabilities. And if they can Trojan that code, their malicious logic can make its way into production and seriously damage the enterprise. Previously, when all development machines were internal, much of this risk was mitigated with traditional network and host security controls. But when the development pipeline moves to the cloud, it can be difficult to understand all the pieces and exactly what is exposed. Organizations should treat their development pipeline like other infrastructure and their code as a critically sensitive asset, from both a confidentiality and an integrity perspective. It’s an interesting but often overlooked threat model.