Application Security

From Monolithic to Modular: Agile App Security in the DevOps Era

As organizations move to the cloud, one of the biggest changes we’ve seen is in the nature of the application landscape. This is the age of apps. Large companies are dealing with hundreds if not thousands of them, and nearly every enterprise is engaged in software development of some kind. 

Drop a package off at the post office, and you have apps powering the scanner and scale, calculating postage, connecting with the tracking system and dozens of other things you don’t even see. Apps are facilitating your package’s journey every step of the way.  

These aren’t just behemoth applications like an end-to-end CRM system. Most are smaller, lightweight widgets that carry out a specialized function — and most reside in the cloud or on the web. 

When it comes to securing the application layer, this shift in landscape changes everything. 

In the days when all applications ran in an internal datacenter, security strategy revolved around the company's perimeter firewall: a single, monolithic security appliance expected to handle every threat scenario and permutation.

Today an organization may have thousands of apps on the internet, but deploying thousands of monolithic security devices just isn't practical. Worse, it is counterproductive: thousands of overlapping, independently managed policy sets end up conflicting with one another in their attempts to mitigate the same risks.

To be efficient in this new model, security can no longer consume the compute resources and physical footprint it previously did. Features that exist only to cover every conceivable scenario, regardless of what is actually deployed, are no longer needed.

Instead, the challenge now is to focus squarely on risk. The strategy must correlate security measures with what is actually being deployed, and be much more surgical about the level of security services placed in front of each app.

This is why we’re seeing the industry evolve from monolithic security to modular security.

Getting there requires a shift in how the security operations role works with DevOps. Under this paradigm, security architects create a template that applies the appropriate security level based on the risk of the app and the environment it is being deployed in. More and more, we're seeing these templates take the form of a catalog, where developers select the appropriate template and apply it to the app via a wizard.

In this way, DevOps can execute the organization's security measures without being expert in security. The developer needs to know only the level of business impact of the app she is working on and the environment it will run in. The template applies the appropriate security policies based on the business impact of the data behind the app, and the WAF or other measures are deployed in a matter of seconds with a few clicks.

Behind the scenes, security operations can change the template if the risk changes and orchestrate its distribution to every app bound to it. But the primary person pushing it out is the developer, in daily and hourly sprints.
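To make the catalog mechanism concrete, here is an added example in Python; it is not code from the column or from any vendor's product, and every name in it is an assumption: the impact tiers, the environment names, the profile fields (WAF mode, minimum TLS version, rate limit, authentication, logging) and the floor rules are all illustrative. The developer's only inputs are the app's impact tier and environment; security operations owns the catalog, and a template edit is version-bumped and guarded so it can tighten a profile but not weaken it below the floor for that tier. Re-rendering the apps against the updated catalog is the "distribution" step.

```python
"""Risk-tiered security template catalog (added example, hypothetical names).

Assumptions: apps are described by an impact tier and an environment; security
operations owns the catalog; the profile fields are illustrative and are not
any vendor's real configuration keys.
"""
from dataclasses import dataclass, replace, asdict
from typing import Dict, List, Tuple

IMPACT_TIERS = ("low", "moderate", "high")
ENVIRONMENTS = ("dev", "staging", "prod")


@dataclass(frozen=True)
class SecurityProfile:
    name: str
    version: int
    waf_mode: str          # "detect" logs matches only; "block" enforces
    tls_min: str           # minimum TLS version accepted at the edge
    rate_limit_rps: int    # per-client requests per second at the edge
    auth_required: bool    # edge must authenticate before forwarding
    log_level: str         # "basic" or "full" request logging


@dataclass(frozen=True)
class App:
    name: str
    impact: str            # business impact of the data behind the app
    environment: str


def build_catalog() -> Dict[Tuple[str, str], SecurityProfile]:
    """Security operations' catalog, keyed by (impact, environment).
    The rules are illustrative: higher impact and production tighten settings."""
    catalog = {}
    for impact in IMPACT_TIERS:
        for env in ENVIRONMENTS:
            prod, high = env == "prod", impact == "high"
            catalog[(impact, env)] = SecurityProfile(
                name=f"{impact}-{env}",
                version=1,
                waf_mode="block" if (prod or high) else "detect",
                tls_min="1.3" if high else "1.2",
                rate_limit_rps={"low": 200, "moderate": 100, "high": 50}[impact],
                auth_required=impact != "low",
                log_level="full" if (prod and impact != "low") else "basic",
            )
    return catalog


def check_floor(key: Tuple[str, str], profile: SecurityProfile) -> None:
    """Guardrail on template edits: a change may tighten a profile but may not
    drop it below the floor for its risk tier. Raises ValueError if it does."""
    impact, env = key
    if env == "prod" and profile.waf_mode != "block":
        raise ValueError(f"{profile.name}: production requires WAF block mode")
    if impact == "high" and (profile.tls_min != "1.3" or not profile.auth_required):
        raise ValueError(f"{profile.name}: high impact requires TLS 1.3 and auth")


def select_profile(app: App, catalog) -> SecurityProfile:
    """The developer supplies only impact and environment; the catalog decides."""
    if app.impact not in IMPACT_TIERS or app.environment not in ENVIRONMENTS:
        raise ValueError(f"{app.name}: unknown impact tier or environment")
    return catalog[(app.impact, app.environment)]


def update_template(catalog, key, **changes):
    """Security operations edits one template. The version bumps so a rollout
    can tell which deployments still carry the old settings."""
    current = catalog[key]
    updated = replace(current, version=current.version + 1, **changes)
    check_floor(key, updated)
    return {**catalog, key: updated}


def render_deployment(app: App, profile: SecurityProfile) -> dict:
    """What the wizard emits for the edge/WAF layer in front of one app."""
    return {"app": app.name, **asdict(profile)}


def rollout(apps: List[App], catalog) -> List[dict]:
    """Re-render every app against the current catalog; apps bound to an
    updated template pick up its new version without developer action."""
    return [render_deployment(a, select_profile(a, catalog)) for a in apps]


if __name__ == "__main__":
    # Constructed sample apps; the names are made up for this example.
    apps = [App("postage-calc", "moderate", "prod"),
            App("label-preview", "low", "dev"),
            App("tracking-api", "high", "prod")]
    catalog = build_catalog()
    for cfg in rollout(apps, catalog):
        print(cfg["app"], cfg["name"], "v%d" % cfg["version"], cfg["waf_mode"])
    catalog = update_template(catalog, ("moderate", "prod"), rate_limit_rps=50)
    print(rollout(apps, catalog)[0]["version"])
```

The floor check is the part worth copying: it is what lets developers self-serve and security operations edit templates freely without either role being able to ship a production app behind a detect-only WAF.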

Including security within the software development lifecycle in this way — not as a separate policy process but as a natural part of app deployment — allows the security organization to keep up with the fast-paced DevOps engine. Where before the security process slowed everything down, now it can be lightweight and keep up with the explosion of apps we’re seeing today. 

This approach marries the knowledge of the security pro with that of the developer to create a greatly improved security scenario in which both can leverage their expertise. 

Ultimately this shift is all about bringing app security into the modern era, where we can be much more surgical in tying security measures to the specific risk involved with each app. Traditionally, we've been focused on deploying a monolithic system to cover every possible vulnerability. There's never been time to understand each risk because the attack surface was so massive. But today we can finally have the highly targeted, modular security the industry has always needed. 

With templates and agile application security working closely with DevOps, the security team can be much more systematic in understanding the risk that accompanies each app in each environment. And they can achieve economies of scale by using the software development process to deploy security measures. 

As this “SecOps” model continues to evolve, security operations will be virtually infused into the DevOps process, giving everyone better security overall.
