Dor Zakai, EMEA Senior Director for Solutions Engineering, NGINX at F5.

Securing applications and APIs at the pace of modern business

The pace of modern business is driving a wedge between the way applications are developed and how they are protected. By harnessing modern infrastructure and applications, companies can better compete and adapt faster, but they could also be jeopardising security.

Today, 98% of organisations depend on applications to run or support their business. According to our most recent survey of the NGINX open-source community, the number of those apps built with microservices has grown from 40% in 2019 to 60% in 2020, with 54% of businesses using microservices in some or all of their apps.

By 2022, it is expected that 90% of all new apps will feature microservices architecture. These trends not only highlight the importance of modern applications to businesses, but the value of achieving speed and agility when it comes to their deployment.

An increasing number of organisations are likely moving the same way, migrating from the monolithic apps of old to cloud-native technologies while also implementing DevOps principles, and with good reason.

Customers, partners and employees don’t just demand more from your technology-driven services; they expect it. Markets don’t wait for companies to adapt; they simply forget about them.

This is why businesses are being forced to take action, ensuring their applications offer the best possible experience. But delivering these experiences requires a different approach to application development: a faster, more iterative approach that provides the flexibility businesses need to remain competitive.

DevOps, microservices and containers can all help to deliver this much sought-after application agility, overhauling old-fashioned approaches in favour of modern delivery methods. But what about other key considerations, like protecting those apps and whether security policies can handle the pace?

Hackers launch an average of 2,244 attacks per day. That is one every 39 seconds. And a single successful malicious act is all that is required to wreak financial and reputational havoc on a business or even destroy it entirely.

It might sound drastic, but these are the odds organisations face today. However, despite the average cost of a data breach in 2020 weighing in at $3.86 million per company, on average only 5% of the apps in an organisation’s portfolio are properly protected.

Even more worrying is how much more sophisticated and wide-ranging the attacks are. Hackers no longer only target code. With 40% of attacks on web applications coming through APIs and that number expected to grow to 90% in 2021, higher walls simply don’t provide the required protection in modern environments.

Couple this increased threat level with faster and more frequent release cycles where security flaws can easily slip through the net, and it can quickly become a recipe for disaster.

No organisation wants to restrict agility or limit innovation. Likewise, companies are not willing to put their data or that of their customers at risk. However, as the demands of modern business increase and modern application development is required to maintain a competitive edge, businesses are being forced to choose between the two. Either you go to market fast and are potentially exposed, or you operate slowly and securely. It should not be this way.

Where once security policies were applied during the final stages of a release, the speed of deployments today makes it almost impossible. Given that there are an estimated 500 software developers for every security professional, the odds are not stacked in favour of app protection.

So, the ability to provide robust, consistent security across application architectures and infrastructure is hampered, with blame falling at no particular door. Business leaders understand the importance of security but also the need to get their apps to market fast.

DevOps teams resent the slowing of deployment by SecOps and SecOps laments the lack of security controls DevOps provides. In fact, 48% of technical professionals see security as the major blocker to delivering software quickly.

It is clear that, for businesses to drive innovation and remain agile, the effectiveness of DevOps automation and its "build once, run anywhere" simplicity is crucial. So, what if a "build once, adhere anywhere" approach could be applied to security policies?

For an agile and secure way forward, businesses must find a way to integrate security into the lifecycle of an application, not apply it at the end of development or attempt to fix it with add-ons. Security and app development must not simply co-exist but become one.

The first change required is mindset. Old-fashioned thinking has no place in a modern application development environment, and all parties should embrace the idea of securing apps, not see it as a hurdle to be overcome. All teams should be pulling in the same direction, working toward the common goal of safe, high-quality applications delivered at speed.

Integrated security needs to become a standard part of the development process, and the speed required for it to do so can be delivered in a number of ways, key among them being policy automation.

What is also required is a lightweight security solution that overcomes the limitations of checkbox web application firewalls. It must address the real security challenges facing modern DevOps environments by delivering high-performance, scalable security with consistent controls for web applications, microservices, containers and APIs.

It should trigger fewer false positives and, crucially, it must be faster than other solutions. Such a solution should be CI- or CD-friendly, centrally managing and automating approved security controls to remove workflow bottlenecks and support shift-left Dev initiatives. It should be supported by an experienced organisation and improve visibility while optimising performance.

If the above can be achieved, the friction between DevOps and SecOps is removed, and the fight between rapid deployment and security becomes a forgotten issue.

With the right tools and a more collaborative development culture delivering powerful, consistent protection that matches the pace of modern app development, businesses can achieve true peace of mind and deliver amazing experiences at speed.


Dor Zakai of NGINX writes about speed vs security in protecting modern apps and APIs at the pace of modern business.