Three key approaches to safeguarding modern application security

More than a decade ago, Marc Andreessen famously declared that “software is eating the world.”

The Silicon Valley venture capitalist’s comments came as he looked back at the creative disruption caused by the 1990s dot-com bubble and the “dozen or so new Internet companies like Facebook and Twitter sparking controversy in Silicon Valley.”

But he also observed in 2011 that an increasing number of major businesses and industries were being run on software and delivered as online services — in effect, “overturning established industry structures.”

“Over the next ten years, I expect many more industries to be disrupted by software, with new world-beating Silicon Valley companies doing the disruption in more cases than not,” he wrote.

Fast forward to today, and Andreessen’s comments still ring true. But in an interesting update, McKinsey has suggested that the slogan — “software is eating the world” — should be reworded to “software is the world.”

The linguistic tweak leaned on findings from McKinsey’s research, which showed that almost seven in ten top economic performers used their own software to differentiate themselves from their competitors.

Of course, the software being discussed is far from the monolithic, all-in-one solutions hosted on-premises. Instead, today’s forward-thinking organisations prefer flexible, user-friendly applications that are scalable and can be rolled out at speed.

It’s an approach followed almost universally today since it removes many obstacles to digital transformation that might otherwise prevent employees from being more innovative, efficient, and productive.

But it has its problems. 

The challenges of securing modern applications

Today, applications tend to be based on multiple microservices loosely coupled together to create a more modern architectural and organisational approach to software engineering. Typically, these are decentralised across multiple platforms.

It’s a tactic favoured because it enables businesses and organisations to deliver large, complex applications quickly. The snag is that this way of working can make it difficult for users to visualise and understand the entire application.

Worse, it can lead to increased security exposure. Unless each service is properly isolated and protected, cyber criminals or hackers may be able to reach the entire application through a single insecure microservice. And if these security incidents can’t be seen, it is almost impossible to identify the threat — let alone respond to it or prevent it.

Then there are the challenges brought by open source. In nearly every modern application, open-source code is a valuable resource for developers. However, researchers at application security company Synopsys found at least one vulnerability in 84% of commercial code bases.

And one vulnerability is all that an attacker needs to do untold damage.

The good news is that while modern applications’ security challenges are real, they are not insurmountable. Instead of returning to monolithic legacy software, organisations can embrace modern application development while ensuring security by taking three steps:

1) Increase visibility into complex IT environments through observability

It doesn’t matter whether it’s a fault in a car engine, a laptop, or a toaster — you cannot fix a fault until you can identify the problem. That’s why observability is such an important tool.

Observability solutions provide real-time visibility across an entire IT estate, which is essential for the secure development of modern applications. Having a clear view of an entire infrastructure enables IT teams to quickly identify and resolve security issues before they develop into significant problems.

2) Build in security with a ‘shift left’ approach to testing

There’s a general rule of thumb that you can’t really test anything until it’s been built or created. Want to see if a kite will fly? Build it, wait for the wind to blow, and then give it a whirl. If it fails to take off — or comes crashing to the ground — it’s probably worth returning to the drawing board.

It’s an approach to testing that is almost universal — and that includes software.

But what if that testing could occur earlier, identifying issues before they arise? What if you could identify security issues during — not after — the build phase? In effect, that’s the principle behind ‘shift left.’

Traditionally, security checks occur in the ‘testing phase’ after the software has been written and pulled together. However, what if an issue was coded into the application early in its development? If that’s the case, the DevOps team will have to work retroactively and unpick work already done. This can slow down the process and inhibit a thorough application review.

Implementing the ‘shift left’ approach improves the development process by embedding security measures sooner. This enables DevOps teams to identify vulnerabilities during development — rather than after the project is completed.

In this way, DevOps teams streamline the process by keeping security at the forefront of development, enabling them to deliver safer and more reliable products.

3) Be transparent by utilising a software bill of materials

Now, more than ever, the technology industry needs to be transparent — especially since cyberattacks are becoming more sophisticated and are increasingly instigated by rogue nations.

That’s why a Software Bill of Materials (SBOM) is so important. It’s a structured list of all the components and dependencies that comprise a piece of software. It serves as a comprehensive inventory of the various software elements used in an application, including open-source libraries, third-party components, frameworks, modules, and other software assets. Each component in the SBOM provides a clear view into the software supply chain, helping developers identify and address vulnerabilities.

For example, if a new vulnerability were to be discovered in an open-source library, an SBOM helps to pinpoint the affected applications and prompt the appropriate teams to take action. Knowing what materials are going into development also helps predict the final product’s functionality, as developers can identify points of concern from the start.

The trend for modern software applications is something that should be embraced since it brings a host of benefits. And it goes without saying that it’s a vast improvement on the on-prem, monolithic, all-in-one solutions of the past.

However, the quest for function-rich, easy-to-use systems should not be pursued at the expense of ensuring security is built into applications. Any vulnerability introduced at any stage increases the risk of a security breach.

By using observability tools, by ‘shifting left’ and testing much earlier in the software development process, and by adhering to best practices such as SBOM, organisations can find a balance between embracing new technology — and profiting from its benefits — while also ensuring that all-important element of security.
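The lookup described above, as an added example that is not part of the original article: two constructed, minimal CycloneDX-style SBOMs are matched against a constructed advisory (placeholder id, not a real CVE) so that only the applications shipping a vulnerable version of the library are reported. Package names, versions and the advisory are assumptions made for illustration.

```python
import json

# Constructed, minimal CycloneDX-style SBOMs for two hypothetical applications.
# Real SBOMs carry many more fields; only name, version and purl matter here.
SBOMS = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"name": "example-lib", "version": "2.2.0", "purl": "pkg:npm/example-lib@2.2.0"},
            {"name": "other-lib", "version": "1.0.0", "purl": "pkg:npm/other-lib@1.0.0"},
        ],
    }),
    "portal-web": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"name": "example-lib", "version": "2.3.1", "purl": "pkg:npm/example-lib@2.3.1"},
        ],
    }),
}

# Constructed advisory (placeholder id, not a real CVE): example-lib below 2.3.1 is vulnerable.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER-0001", "package": "pkg:npm/example-lib", "fixed_in": "2.3.1"}


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1); non-numeric parts count as 0 so tuples compare cleanly."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def find_affected(sboms: dict, advisory: dict) -> list:
    """Return (application, purl) pairs whose SBOM lists a version below the fixed release."""
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for app, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            # The purl without its trailing @version identifies ecosystem + package name;
            # rsplit keeps scoped names such as pkg:npm/@scope/name intact.
            base = comp["purl"].rsplit("@", 1)[0]
            if base == advisory["package"] and parse_version(comp["version"]) < fixed:
                hits.append((app, comp["purl"]))
    return hits


if __name__ == "__main__":
    for app, purl in find_affected(SBOMS, ADVISORY):
        print(f"{app}: {purl} is affected by {ADVISORY['id']}")
```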


Sascha Giese is a Tech Evangelist at SolarWinds, based in the company’s Europe, Middle East, and Africa (EMEA) headquarters in Cork, Ireland. He holds various technical certifications, including being a Cisco® Certified Network Associate (CCNA®), Cisco Certified Design Associate (CCDA), Microsoft® Certified Solutions Associate (MCSA), VMware® Technical Sales Professional (VTSP), AWS® Certified Cloud Practitioner, and Network Performance Monitor and Server & Application Monitor SolarWinds Certified Professional® (SCP). Giese has more than 10 years of technical IT experience, four of which have been as a senior pre-sales engineer at SolarWinds. As a senior pre-sales engineer, he was responsible for product training of SolarWinds channel partners and customers, regularly participated in the annual SolarWinds Partner Summit EMEA, and contributed to the company’s professional certification program, SolarWinds Certified Professional.
