Cyber Defense Magazine – August 2019

(Nora) #1

APIs are everywhere and new architecture patterns like microservices are here to stay. But application
security problems still persist because all these services run on HTTP, making them susceptible to existing
HTTP vulnerabilities. In DevOps and computing, there are four application security defense needs that
organizations cannot do without:



  1. ChatOps


With the rise of Internet Relay Chat (IRC) replacement systems like Slack or Teams, there has been an
outcropping in the DevOps movement known as ChatOps. This encourages alerting, system actions and
events to live where the development team already is: in chat, rather than in logs.


Application security programs should distribute events back to the developer teams. When under attack,
messages should appear in Slack showing that defensive measures were taken, like this:


The goal is to bring the team together and keep security data in front of the people who create and deliver
the application or service without getting in the way.


ChatOps even offers simple command-driven feedback: a developer or security practitioner can quickly use
a ChatOps bot to query a specific metric, and the bot retrieves the appropriate data.
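The two ChatOps behaviours described above (pushing a defensive-action event into chat, and answering a metric query typed by a developer) in one small handler. This is an added example, not code from the article or from any vendor it names; it assumes a Slack-style incoming webhook that accepts a JSON body with a `text` field (the webhook URL is a placeholder), an injectable sender in place of a real HTTP client, and a small in-memory metrics dictionary standing in for a WAF's API.

```python
"""ChatOps notifier and command handler for application-security events.

Added example, not code from the article or from any vendor it mentions.
Assumes a Slack-style incoming webhook that accepts a JSON body with a
"text" field (the webhook URL below is a placeholder) and an in-memory
metrics store standing in for a real WAF's API.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class DefenseEvent:
    """Constructed shape of a defensive action taken by the WAF/RASP layer."""
    action: str          # e.g. "blocked"
    attack_class: str    # e.g. "sqli"
    source_ip: str
    path: str
    count: int           # how many requests this decision covered


WEBHOOK_URL = "https://hooks.example.invalid/placeholder"  # placeholder, not a real endpoint


def format_event(ev: DefenseEvent) -> str:
    """Render an event as a one-line chat message developers can act on."""
    return (f":shield: {ev.action.upper()} {ev.count} request(s) "
            f"[{ev.attack_class}] from {ev.source_ip} to {ev.path}")


def build_payload(ev: DefenseEvent) -> Dict[str, str]:
    """Slack-style webhook body; only the 'text' key is assumed here."""
    return {"text": format_event(ev)}


def notify(ev: DefenseEvent, send: Callable[[str, str], None]) -> str:
    """Serialize the event and hand it to an injectable sender (an HTTP client
    in real use). Returning the body lets callers log or test exactly what
    was sent."""
    body = json.dumps(build_payload(ev))
    send(WEBHOOK_URL, body)
    return body


# Tiny in-memory metrics store standing in for a WAF API (constructed values).
METRICS: Dict[str, int] = {
    "blocked_last_hour": 42,
    "sqli_last_hour": 17,
    "xss_last_hour": 9,
}


def handle_command(text: str) -> str:
    """Answer a '!metric <name>' chat command. Only known metric names are
    looked up, so untrusted chat input never reaches anything dangerous."""
    parts = text.strip().split()
    if len(parts) != 2 or parts[0] != "!metric":
        return "usage: !metric <name>; known: " + ", ".join(sorted(METRICS))
    name = parts[1]
    if name not in METRICS:
        return f"unknown metric '{name}'"
    return f"{name} = {METRICS[name]}"


if __name__ == "__main__":
    sent = []
    ev = DefenseEvent("blocked", "sqli", "203.0.113.7", "/api/login", 12)
    print(notify(ev, lambda url, body: sent.append((url, body))))
    print(handle_command("!metric sqli_last_hour"))
    print(handle_command("!metric nope"))
```

The command handler only ever looks names up in a fixed dictionary; a real bot should keep that property, because chat input is untrusted and a bot that passes it into a shell or a query language becomes a new attack surface on the security tooling itself.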



  2. Data Visualization and Dashboards


Web Application Firewalls (WAFs) have largely gone un-visualized for their entire existence: the developers
who actually wrote the applications don't have access to their security data. Some legacy WAF
vendors provide high-level metrics; however, most of their offerings resemble log management software and
pre-paid analyst services.
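To make the point concrete, here is the kind of aggregation that turns raw WAF decision logs into the numbers a developer-facing dashboard would plot. This is an added example, not code from the article or from any WAF vendor it discusses; the log format (one JSON object per line with `ts`, `ip`, `path`, `attack` and `action` fields) and the sample lines are constructed for illustration.

```python
"""Turn raw WAF decision logs into dashboard-ready metrics.

Added example, not code from the article or from any WAF vendor it
discusses. The log format below is constructed for illustration: one
JSON object per line with the fields a typical WAF decision carries.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample log lines (not from any real system). The last line is
# deliberately malformed to show the parser tolerating bad input.
SAMPLE_LOG = """\
{"ts": "2019-08-01T10:00:01Z", "ip": "203.0.113.7", "path": "/api/login", "attack": "sqli", "action": "blocked"}
{"ts": "2019-08-01T10:00:02Z", "ip": "203.0.113.7", "path": "/api/login", "attack": "sqli", "action": "blocked"}
{"ts": "2019-08-01T10:00:05Z", "ip": "198.51.100.4", "path": "/search", "attack": "xss", "action": "blocked"}
{"ts": "2019-08-01T10:00:09Z", "ip": "198.51.100.4", "path": "/search", "attack": "xss", "action": "logged"}
{"ts": "2019-08-01T10:00:12Z", "ip": "192.0.2.9", "path": "/api/users", "attack": "", "action": "allowed"}
not json at all
"""


def parse_lines(raw: str) -> List[dict]:
    """Parse JSON-per-line records, skipping malformed lines instead of
    dropping the whole batch (a dashboard should degrade, not go blank)."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "action" in rec:
            records.append(rec)
    return records


def summarize(records: Iterable[dict]) -> Dict[str, object]:
    """Compute the handful of numbers a developer-facing dashboard needs:
    decisions by action, attacks by class, blocked hits per endpoint,
    the top offending sources, and the overall block rate."""
    by_action: Counter = Counter()
    by_attack: Counter = Counter()
    blocked_by_path: Counter = Counter()
    attacks_by_ip: Counter = Counter()
    for r in records:
        by_action[r["action"]] += 1
        if r.get("attack"):
            by_attack[r["attack"]] += 1
            attacks_by_ip[r.get("ip", "?")] += 1
        if r["action"] == "blocked":
            blocked_by_path[r.get("path", "?")] += 1
    total = sum(by_action.values())
    block_rate = by_action["blocked"] / total if total else 0.0
    return {
        "total": total,
        "by_action": dict(by_action),
        "by_attack": dict(by_attack),
        "blocked_by_path": dict(blocked_by_path),
        "top_sources": attacks_by_ip.most_common(3),
        "block_rate": round(block_rate, 3),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_lines(SAMPLE_LOG)), indent=2))
```

Per-endpoint counts are the metric developers can act on, because they map directly onto the code they own; a single global "blocked requests" number is what legacy log-management style reporting tends to stop at.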


Visualization is an absolute must-have. In the modern era of DevOps, sharing is key. Two basic questions
that Zane Lackey, CSO at Signal Sciences, often asks are:
