Sign in Subscribe

Session 3: Evolution & SAST

Last updated on 

This TLDR document outlines application deployment evolution from monolithic systems to serverless, highlighting the shift in security practices. Initially focused on perimeter defense, security evolved to include VM, container, and API protection. Now, in cloud-native environments, it emphasizes IAM, automation, and AI-driven threat detection, reflecting the DevSecOps integration.

1. Monolithic Applications (Traditional Approach) - Kfrost

  • Architecture: Single-tiered, tightly integrated applications where all components (UI, business logic, and database) are bundled together.
  • Deployment:
    • Hosted on bare-metal servers or on-premises data centers.
    • Manual deployment and updates (copying binaries or executing scripts on the server).
    • Requires downtime for updates.
  • Challenges:
    • Hard to scale (scaling means replicating the entire application).
    • Difficult to maintain and update (small changes require redeploying the entire system). - Slow response to security vulnerabilities due to manual patching.
    • Slower development cycles due to tightly coupled components. - Limited scalability of security measures.
    • Single point of failure—breach in one part of the application can expose the entire system.
  • Security Controls:
    • Perimeter Security: Firewalls (e.g., Cisco ASA, Palo Alto Networks), Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) to protect against external threats.
    • Access Control: Role-Based Access Control (RBAC) and strict network segmentation.
    • Application Security: Web Application Firewalls (WAFs) to prevent SQL injection, Cross-Site Scripting (XSS), and other common web attacks.
    • Authentication & Authorization: Basic username-password authentication, sometimes with LDAP or Active Directory integration.
    • Data Protection: Encryption for databases (AES, DES) and Secure Sockets Layer (SSL) for web traffic.
    • Patch Management: Manual or semi-automated patching processes to address vulnerabilities.
    • Logging & Monitoring: Syslog servers, log analysis, and manual security incident response.

2. Virtualization Era - NullBytes

  • Architecture: Monolithic or modular applications running in Virtual Machines (VMs).
  • Deployment:
    • Shift to cloud-based infrastructure (AWS, Azure, Google Cloud).
    • VM-based deployment (e.g., VMware, VirtualBox, Hyper-V).
    • Configuration management tools (e.g., Ansible, Puppet, Chef) for automating deployments.
  • Improvements:
    • Applications can run in isolated environments without affecting others.
    • Better resource utilization compared to physical servers.
    • Infrastructure-as-Code (IaC) principles start emerging.
  • Security Controls
    • Hypervisor Security: Secure configuration of VMware, KVM, or Hyper-V hypervisors.
    • Virtualized Network Security: Software-defined firewalls (e.g., VMware NSX) and network micro-segmentation.
    • Host-based Security: Host Intrusion Detection Systems (HIDS) and Security Enhanced Linux (SELinux).
    • Data Security: Encryption of virtual disks and secure VM snapshots.
    • IAM (Identity & Access Management): Centralized authentication using Kerberos, Active Directory Federation Services (ADFS), or SAML.
    • Automated Patching & Configuration Management: Ansible, Puppet, Chef for secure system configuration.
    • SIEM (Security Information and Event Management): Splunk, ArcSight, or Elastic Stack for threat detection.
  • Challenges
    • Increased attack surface due to hypervisors.
    • VM sprawl leading to security misconfigurations.
    • Difficulty in monitoring east-west traffic within virtual environments.

3. Containerization & Microservices - Roti

  • Architecture: Shift from monolithic to microservices, where each component of the application is independently developed, deployed, and scaled.
  • Deployment:
    • Containers (Docker, Podman) replace VMs for lightweight and portable deployments.
    • Container orchestration (Kubernetes, Docker Swarm, OpenShift) automates scaling, networking, and failover.
    • CI/CD Pipelines for automated deployment and rollback.
  • Benefits:
    • Scalability: Individual services can scale independently.
    • Faster deployments: Rolling updates and zero-downtime deployment.
    • Polyglot development: Services can be written in different languages.
  • Security Controls
    • Container Security: Image signing, vulnerability scanning (Trivy, Clair, Anchore).
    • Least Privilege for Containers: Running containers as non-root users.
    • Orchestration Security (Kubernetes): RBAC, Network Policies, Secrets Management (Kubernetes Secrets, HashiCorp Vault).
    • Service Mesh Security: Istio, Linkerd for mutual TLS (mTLS) encryption.
    • API Security: OAuth2, OpenID Connect, API Gateways (Kong, Apigee).
    • Supply Chain Security: Software Bill of Materials (SBOM), Git signing (SLSA framework).
    • Zero Trust Network Security: Micro-segmentation, identity-aware proxies.
  • Challenges:
    • Containers introduce ephemeral workloads, making traditional security tools less effective.
    • Complex networking and service discovery.
    • API security becomes a major concern with microservices.
    • Managing inter-service communication (e.g., via API Gateway, Service Mesh like Istio).
    • Observability (logging, tracing, monitoring) requires dedicated tools.
    • Kubernetes misconfigurations are a leading cause of security breaches.

4. Serverless & Cloud-Native Applications - Kitavi

  • Architecture: Serverless and event-driven architectures (Function-as-a-Service, FaaS).
  • Deployment:
    • Cloud providers manage execution environments (AWS Lambda, Azure Functions, Google Cloud Functions).
    • No infrastructure management required.
    • Event-driven scaling (functions trigger on-demand).
  • Benefits:
    • Cost-efficient (pay-per-use model).
    • High availability and built-in auto-scaling.
    • No server management (abstracted infrastructure).
  • Security Controls
    • Cloud IAM & Zero Trust: Enforcing identity-aware authentication (AWS IAM, Azure AD, Google Cloud IAM).
    • Serverless Security: Function permissions (least privilege), function scanning for vulnerabilities.
    • API Gateway Security: AWS API Gateway, Google Cloud Endpoints with authentication and rate limiting.
    • Data Security: Customer-managed encryption keys (CMEK), confidential computing.
    • Cloud-Native WAFs: AWS WAF, Cloudflare, Azure Front Door.
    • Runtime Protection: AWS GuardDuty, Google Security Command Center for anomaly detection.
    • Secure CI/CD Pipelines: Secrets management, automated security scanning in CI/CD.
  • Challenges:
    • Cold starts affect performance.
    • Limited execution time (depends on provider limits).
    • Vendor lock-in with cloud platforms.
    • Lack of visibility into cloud provider’s infrastructure security.
    • Cloud misconfigurations remain the #1 cause of breaches.
    • Shared responsibility model requires organizations to secure their configurations.
  • Architecture:
    • AI-assisted DevOps: Self-healing infrastructure and AI-driven deployments.
    • Edge Computing: Running applications closer to users (CDNs, edge nodes).
    • WebAssembly (WASM): Lightweight, high-performance code execution beyond JavaScript in browsers and cloud environments.
  • Deployment Trends:
    • GitOps & ArgoCD: Declarative infrastructure and automatic deployments.
    • eBPF in Kubernetes: Secure, high-performance networking and observability.
  • Security Controls.Setting Up Applications Sample.https://gitlab.com/devsecops8174006/simple-apiSAST.Different toolshttps://spectralops.io/blog/top-10-static-application-security-testing-sast-tools-in-2025/
    • AI-driven Threat Detection: AI-powered security analytics (Darktrace, Microsoft Sentinel).
    • Edge Computing Security: Secure enclaves, confidential computing (Intel SGX, AWS Nitro).
    • WebAssembly Security: Sandboxing, WebAssembly System Interface (WASI) for secure execution.
    • Quantum-Safe Encryption: Transitioning to post-quantum cryptography.
    • Autonomous Security Operations: AI-driven Security Orchestration, Automation, and Response (SOAR).
    1. Create the Application - Code (Done by Developers or you)
    2. Containerize your Application - Bet you’ve seen Docker file before (Also this is where docker compose up works).
    3. Create a pipeline (Jenkins, Gitlab, Azure Devops, Github)
    4. Deploy the app (This could be on a server, docker or K8s)
    • The traditions SAST tools we all know. Uploading a code repo and scanning the difference on a pipeline.
    • The importance of knowing the language before purchasing/implementing a tool.