An agile approach to application security with Microsoft Defender


Summary

  • Securing applications often requires a shift in mindset, tooling and ways of working. 
  • Developers should take an agile approach to application security.
  • Developers can work hand in hand with security teams using a cyber-risk-based approach and automated tools.
  • Microsoft Defender, a cloud-native application protection platform, can help prioritize risks and prevent threats.


Just when you’d thought it was safe to host your enterprise applications in the cloud, your cloud environment changes. Now, you should change how you secure those apps, with an approach every bit as agile as the process your developers used to create them. Application security can be easy to overlook, but critical to maintain. If your company depends on its apps to generate the lion’s share of revenues, your application security can help protect more than a technology. It can also safeguard the very core of your business.

As you move your apps away from your cloud service provider’s (CSP) infrastructure-as-a-service (IaaS) space to a platform-as-a-service (PaaS) environment, nimbly adjusting how you secure them can be key to your business’s success.

In the process, the third-party applications you use will also need rigorous scrutiny, as their developers often face the same security challenges that yours do — challenges that could compromise your systems, networks and data.

The development dilemma

PaaS has become a popular cloud alternative for the convenience it can offer, especially to development teams. They can design, develop, build and test apps and updates directly in the cloud, using software the CSP provides. Increasingly, these platforms can push out updates, so users don’t have to. But moving to PaaS comes with a caveat. Developing your apps on a cloud platform can make your developers primarily responsible for securing your apps. Are they ready for this responsibility?

Developers, after all, thrive in a fast-paced work environment, driven by the need for speed and agility. Security may take a back seat until the design process is underway, or even later. Then, they may tack security onto the finished app using APIs or code from libraries or containers, which they can obtain from security staff.

Application security isn’t a one-size-fits-all proposition. The plug-and-play approach can be risky if the added code doesn’t quite fit or if it’s improperly placed into the application.

The consequences of not “shifting left” on security — not accounting for it in the earliest planning stages and weaving it into the design — could be serious, as some recent high-profile breaches show.

Still, developers trained in agile processes can take an agile approach to application security, in tandem with security teams grounded in a cyber-risk-based approach and equipped with automated tools.

When vulnerabilities creep in, cybercriminals can follow

Cybercriminals are attacking enterprise apps with gusto. Web application breaches made up more than 60 percent of security incidents in 2022, according to one study.

Though designed to serve consumers and increase business revenues, apps also increase the risk of security incidents. In the Apache Log4j breach of late 2021, hackers exploited misconfigured code to infiltrate and gain remote control of Log4j users’ systems. The mistake reportedly put hundreds of millions of computing devices at risk.

In addition to coding errors, we also see deficiencies in enterprise workload protection, including identity and access management. It’s quite common for developers to have more access privileges than they need. So-called superusers can literally go almost anywhere and do almost anything in the system, increasing the chance of misuse and even abuse.

Someone could mistakenly or even intentionally approve a financial transaction that shouldn’t be authorized, at great cost to the business, or they could release customer personal data. And if bad actors were to get hold of a superuser’s login credentials (via a phishing email, for example), they might get carte blanche access to your systems, networks and data.


Then there are the software-as-a-service (SaaS) apps your organization uses, produced by others. The Cloud Security Alliance (CSA) reports that, on average, businesses have about a hundred applications in their technology stack. Some have many more. At least one enterprise reported using more than 5,000 applications.

And if there are security flaws in those applications? They could be treacherous to your enterprise. The SolarWinds hack, in which attackers inserted malicious code into software updates that gave them access to 100 companies and several government agencies, succeeded in part because update recipients trusted that those updates did not have bad code.

More than half of respondents to the CSA survey said they check their third-party applications for coding errors and misconfigurations only once a month or less. Five percent said they never check. And when they find misconfigurations? About a quarter take a week or more to remedy them, often giving cybercriminals more time to exploit the vulnerability.

Bar chart: App security is a cyber investment priority in 2024, second only to cloud security (cyber security investment priorities over the next 12 months). Categories shown: Cloud security, Application security, IoT security, Network security, OT security, Managed security services, API security, Security operations, Identity and access management, Security awareness training and cross training security operations, Endpoint security, Mobile security, Unsure.

Source: PwC's Digital Trust Insights Surveys, Final Results, August 2023. Q14a. Which of the following investments are you prioritising when allocating your organisation’s cyber budget in the next 12 months? (Ranked in top three.) Base: IT respondents: 1919.

Modern app security: A two-pronged approach

There’s no such thing as perfect security. Trying to achieve it, you’re more likely to restrict your applications’ usefulness. And the money you’d spend would almost certainly exceed your return. But you can take application security actions that can work well in today’s fast-paced, speed-driven, cloud-based, ever-changing digital environment, be it IaaS, PaaS or SaaS.

We recommend an overlapping approach rooted in risk management and then automated by technologies.

1. Know and manage your application security risks.

Do you know which applications your business uses? Do you know what open source software (OSS) is used in your applications? What about unauthorized, “jailbreak” apps on your enterprise devices? Assessing the risk that each poses can help you focus your energies on monitoring and securing those that are most critical in terms of the likelihood and impact of a breach.

Also, how sensitive is the data your third-party applications contain? Unlike with your company-generated applications, you don’t have access to these applications' underlying database, so you will need to place your own controls on access and actions you’ll allow. Could someone take a screenshot and send it outside the company?

And what does your CSP offer in terms of security? The shared responsibility model — cloud providers can help secure the infrastructure but users should protect the data they place there — is widely understood by now, but different CSPs offer different security options. Knowing what’s available to you there can help you know where you need to supplement.

Knowing who has superuser and other high-level access to your applications, whether they need that access, and for how long they need that access can also be essential to strong application security. How are you monitoring their activities for anomalies or risky moves? What kinds of identity and access management controls do you have in place, and where should you strengthen them?

2. Select tools that can help you measure, maintain and monitor.

Clouds change, but so do technologies. For application security in the cloud, cloud-native application protection platforms (CNAPP) are gaining traction for their risk-to-response and multi-cloud-management abilities.

To help properly secure your applications in the cloud, be it IaaS, PaaS, SaaS or a hybrid environment, you’ll likely need to not only amend your processes — by switching, for instance, from a DevOps model to DevSecOps, in which security can be an integral part of every project — but also reconsider your architecture.

In the past, your teams might have checked your IaaS buckets to identify if they were properly configured, or they might have relied on traditional agents to help monitor your workloads. But these approaches don’t work with cloud-native apps in the PaaS cloud.

With cloud-native apps, you can verify that your application’s database isn’t publicly accessible and that proper identity, logging and monitoring controls are in place, so you can protect your workloads.

Streamlining security with PwC and Microsoft

Microsoft Defender for Cloud, a CNAPP solution, can help you prioritize your risks, check for misconfigurations and remediate problems more quickly. Defender uses data that can help provide context and help you anticipate threats. It can also automatically check for misconfigurations and controls, and help you prevent, detect and respond to threats.

Working with Microsoft, PwC has developed a security control framework that can help your developers and security teams work together more smoothly so you can secure your enterprise applications.

Traditionally, we’ve offered this framework for use with IaaS-based applications, but we’re expanding the service for use with PaaS-hosted, cloud-native apps. We can help guide you as to which Microsoft Azure services you may wish to use and which security controls you can enable at the platform level.

For many of the platform services that you use, Microsoft can help provide a process or solution for visibility into identities and roles, accesses and permission “drift,” or individuals accumulating permissions that they no longer need.

We can also help your security teams create security-as-code or policy-as-code templates for your development teams to use as they stand up a PaaS project within Microsoft Azure. That way, developers can work at their usual fast pace, confident that their work is protected, and Defender can help monitor for suspicious activity or misconfigurations, allowing you to take timely remediation actions and helping reduce the risk of vulnerability exploitation.
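As an added illustration of what a policy-as-code template for the control described above (a PaaS database that is not publicly reachable) can look like, here is an Azure Policy definition that audits or denies Azure SQL logical servers whose public network access is not disabled. This is example code, not PwC's or Microsoft's framework; it assumes Azure SQL as the database service and uses the Azure Policy alias for the server's public network access setting.

```json
{
  "properties": {
    "displayName": "Example: Azure SQL servers must have public network access disabled",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Added example policy-as-code template. Flags or blocks Azure SQL logical servers that remain reachable from the public internet, so a PaaS database can only be reached over private endpoints or approved virtual networks.",
    "metadata": {
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Deny",
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "metadata": {
          "displayName": "Effect",
          "description": "Use Audit first to surface existing drift in Defender for Cloud, then switch to Deny for new PaaS projects."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "Microsoft.Sql/servers/publicNetworkAccess",
            "notEquals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning the definition at a management group or subscription scope makes the check apply to every SQL server a development team deploys there, and non-compliant resources appear as findings rather than relying on a manual review.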

The bottom line

Securing applications often requires a shift in mindset, in tooling and in ways of working. Developers trained in agile processes should take an agile approach to application security. Developers can work hand in hand with security teams, grounded in a cyber-risk-based approach and equipped with automated, modern, highly effective tools.

As some recent high-profile breaches show, not “shifting left” on security — not accounting for it in the earliest planning stages and weaving it into the design of applications — can lead to serious consequences.
