375 BROUGHT TO YOU IN PARTNERSHIP WITH

Cloud-Native CONTENTS

•  Key Challenges With Cloud-Native

Application Security

Application Security •  Injecting Security Into DevOps

•  Cloud-Native Security Patterns

and Anti-Patterns

Patterns and Anti-Patterns •  Shared Responsibility Model

for Security

•  OWASP Framework

•  Conclusion

SAMIR BEHARA
SENIOR CLOUD INFRASTRUCTURE ARCHITECT, AWS

Enterprises are rapidly adopting cloud-native architectures and design
patterns to help deliver business values faster, improve user experience,
maintain a faster pace of innovation, and ensure high availability
and scalability of their products. Cloud-native applications leverage
modern practices like microservices architecture, containerization,
DevOps, infrastructure-as-code, and automated CI/CD processes.
Cloud-native application security is a cloud-first approach used to
deploy applications securely at scale by embedding security into
the software development lifecycle to detect vulnerabilities earlier.
This Refcard will walk through the critical challenges of cloud-native
application security, demonstrate how to build security into the CI/CD
pipeline, and introduce the core patterns and anti-patterns of cloud-
native security.
LACK OF SECURITY MINDSET
When development teams build products, their primary focus areas
are functionality and usability. Faster release cycles make it difficult
to inspect and resolve security vulnerabilities correctly. In addition,
development teams do not always have the required skill set to identify
security issues and, at the same time, do not want to be slowed down
by unknown security concerns.
As a result, security often takes a back seat. However, it would be best
to consider security an integral part of the DevOps pipeline amidst the
need to deliver high-quality software in a cloud-native landscape.
PEOPLE AND CHANGE
One of the biggest challenges with enterprise transformations is not
the underlying technology but the non-technical aspects of handling

KEY CHALLENGES WITH CLOUD-NATIVE the change. Some common barriers to cloud adoption are the changes

APPLICATION SECURITY
Cloud-native architectures bring in challenges related to application
and infrastructure security. Let us look at a few of the most prominent
challenges organizations face related to cloud-native security.

TRADITIONAL SECURITY vs. CLOUD-NATIVE

SECURITY: A PARADIGM SHIFT
Traditional security tooling is built for static environments and is
ineffective in the dynamic and rapidly changing cloud-native landscape.
Furthermore, with the advent of microservices, containers, service
meshes, and multi-cloud environments, it has become increasingly
difficult for organizations to track software vulnerabilities. As a result,
there is an increased dependency on automation and continuous
monitoring throughout the application lifecycle.

© DZONE | REFCARD | OCTOBER 2023 1


in people, operating models, governance, business practices, and the
fast pace of innovation. Organizations need a structured approach
to cloud adoption that includes aligning leaders, mobilizing teams,
and engaging the entire organization. There needs to be alignment
between IT and business leaders to lead the organizational journey and
drive cultural change — as well as a focus on developing and creating a
learning plan to upskill people.
SOFTWARE DEPENDENCY PROBLEM
By adding reusable external dependencies in the codebase, developers
can leverage complex functionalities without developing and
maintaining them. However, open-source libraries are susceptible
to being compromised, causing security issues in your application.
Therefore, you must do your due diligence to ensure that software
dependencies are inspected for malware and vulnerabilities.
SELECTING THE RIGHT REAL-TIME
VISIBILITY TOOLS
Security in the cloud brings a new set of challenges that your
organization might not be trained to handle. Hence, it's imperative that
you evaluate and finalize the right tools to secure your applications in
a cloud-native world. With containers spinning up and down within
seconds, you need tools to provide real-time visibility into your
containerized environments. The attack surface in the cloud is rapidly
increasing, and there are numerous cases of data breaches, compliance
issues, and compromised APIs. From a security standpoint, having
complete observability of your workloads by leveraging the right tools
for logging, metrics, traces, and alerting is critical.
ENFORCING CONSISTENT SECURITY POLICIES
AND GUARDRAILS
Today, enterprises leverage third-party security tooling and
managed services provided by their public cloud provider to build
their cloud security posture. However, it is challenging to develop
centralized policies and guardrails that apply across your cloud-native
Figure 1: Building security into the DevOps pipeline
Image source: "Securing Cloud-Native Applications"
© DZONE | REFCARD | OCTOBER 2023
REFCARD | CLOUD-NATIVE APPLICATION SECURIT Y
environments. This requires your development teams to work closely
with the security team. As a best practice, you should have guardrails in
place, which can disallow actions that lead to policy violations.
LACK OF AUTOMATED COMPLIANCE CHECKS
AND ENFORCEMENT
Enterprises need a framework of controls to meet their compliance
needs and manage risks effectively. There are several security
standards and compliance certifications like HIPAA, FedRAMP, NIST
800-171, and PCI that customers need to satisfy their requirements.
While architecting and deploying workloads in the cloud, you must
ensure compliance with each workload and consider the unique
requirements from a security standpoint. You also want to validate
that the services operate securely in a production environment. Finally,
you need to continuously monitor and assess the security controls to
ensure strict adherence to compliance regimes.
AUTOMATION AND PRIORITIZATION OF ALERTS
Amidst the increasing number of breaches and cyber threats, you must
ensure that your alarms are fine-tuned. Having to deal with redundant
alarms can cause alert fatigue. In addition, if you get an overwhelming
number of alerts with false positives, there is a high chance of
missing out on critical alerts. Therefore, while designing cloud-native
applications, it is crucial that you have automation in place to similarly
aggregate alerts and visualize the severity of such alerts.
INJECTING SECURITY INTO DEVOPS
Having DevOps processes in place improves efficiency, reduces
failures, implements faster deployment cycles, enhances application
performance, and provides better customer experience. Taking a
step further, DevSecOps can be defined as a practice to deliver secure
software through a continuous delivery model. Therefore, security
should be considered an integral part of your CI/CD pipeline, as seen
in Figure 1. Teams need to ensure that it is built into the application
lifecycle phases in an iterative and automated manner.
3 BROUGHT TO YOU IN PARTNERSHIP WITH

SHIFT-LEFT SECURITY STRATEGY
The velocity and frequency of feature deployment has increased
tremendously in this cloud-native world. A single security team in an
organization cannot be entirely responsible for the security of all your
applications in the cloud. Bridging the gap between development,
operations, and security teams is critical to deploying secure
applications. Building security controls into all your pipeline stages
would be best to shift security left.
Fixing security issues in production is expensive; hence, incorporating
security practices during the development phase is highly
recommended. Shifting left requires collaboration and engagement
between teams during the early stages of your development cycle.
A shift-left strategy provides the foundation to build security from the
ground up with necessary automation. It helps you to incorporate
security into every phase of the software pipeline. Security is one of the
key pillars of a well-architected framework, and you should adhere to
the cloud security design principles.
To scale your security and compliance operations, automation is
critical. It would be best to apply security at all layers and automate
security best practices:
•  Treat your infrastructure as code
•  Apply security guardrails to your environments
•  Gain in-depth visibility into your logs and metrics
•  Establish a scalable incident response system
•  Develop the ability to self-heal to a known good state
AUTOMATED TESTING
Hardening security requirements during the initial design and
development phases is essential. It is best to encourage development
teams to keep security in mind while writing unit, integration, and
end-to-end tests. As a best practice, do not just focus on happy-
path workflows but have effective coverage on negative workflows,
boundary conditions, and edge cases.
Always test the error handling scenarios' authentication workflows and
maintain extensive coverage for high-risk and frequently used code.
Since testing is built into the CI/CD process, you cannot release code to
production without passing tests.
STATIC CODE ANALYSIS
Static code analysis tools have many security-related rules covering
well-established security standards such as OWASP Top 10 and CWE.
You can also add custom rules to identify security issues. Security
injection rules like cross-site scripting, SQL injection, denial of service,
and code injection indicate problems at the application level that
need to be addressed by developers who follow coding standards.
© DZONE | REFCARD | OCTOBER 2023
REFCARD | CLOUD-NATIVE APPLICATION SECURIT Y
Security hotspots are sensitive pieces of code to be reviewed during
the code review process. However, when a security vulnerability is
detected, it might have a broader impact on your application and
need to be fixed immediately. As part of the CI/CD pipeline, every code
change will get scanned by these security rules and flagged if there are
outliers. You can fail your quality gates, as seen in Figure 2, when the
security standards are not met.
Figure 2: SonarQube Quality Gate
CODE REVIEW
Peer code reviews are a common practice among development teams.
You can implement mandatory code reviews to promote secure code
writing by catching common mistakes and vulnerabilities committed
to source control. When a pull request gets created for a particular
functionality, ensure a security focus while reviewing the changes.
Look out for secure practices like sanitizing outputs, proper secret
management, no hardcoding of sensitive data, authentication
workflows, session management, logging, and exception handling.
Most of these steps can be automated by combining SAST (static
application security testing) and DAST (dynamic application security
testing) tools. SAST analyzes the source code without executing
the application, whereas DAST finds vulnerabilities by analyzing a
running application. Both of these testing techniques complement
each other and help test security vulnerabilities throughout the
software lifecycle.
You can use tools to visualize vulnerability data in real time and
recommend actions to improve the overall security posture in your
organization. While running cloud-native applications, securing both
the application and infrastructure layer is critical. Traditional security
tools have limitations in a dynamic cloud environment.
As security threats become more sophisticated, the importance of
runtime protection and the ability to stop runtime attacks becomes
of the utmost importance. You can minimize the impact of threats
by having runtime security in place — continuous scanning of
environments, having an incident management process, and auditing
for security threats in real time.
4 BROUGHT TO YOU IN PARTNERSHIP WITH

CLOUD-NATIVE SECURITY PATTERNS
AND ANTI-PATTERNS
The cloud-native architecture enables organizations to build and run
scalable applications in a dynamic environment. However, it does
come with several challenges — security, cost, governance, visibility,
and more. Let us look at some of the best practices every development
team working in the cloud-native space needs to embrace to secure
their applications.
ZERO-TRUST ARCHITECTURE
Zero trust is a strategic approach to rebuild and modernize security
by enforcing strict access controls to protect data, applications, and
networks. By inspecting and monitoring network traffic to catch any
malicious activity, the zero-trust architecture helps reduce the blast
radius in case of a compromise. In a cloud-native architecture that uses a
combination of microservices and containers, service mesh helps reduce
the surface area of attack and implement the zero-trust security model.
PATTERN Every entity must authenticate itself, and implicit
trust in data and applications is denied even within
a network perimeter.
ANTI-PATTERNS Workloads are not monitored for misconfigurations
and vulnerabilities. A least-privilege access
strategy between components is not implemented.
IDENTITY AND ACCESS MANAGEMENT
IAM is a core component of the security management posture within
an organization that enables the proper entities to access the right
resources. IAM protects against compromised access, safeguards
resources within the network, and provides comprehensive security
against phishing and ransomware attacks.
PATTERN Following the zero-trust model, each entity is
authenticated and authorized when logging in or
accessing resources.
ANTI-PATTERNS Not visualizing IAM as a framework of policies
and processes — like single sign-on, multi-factor
authentication — to help mitigate risk.
PRINCIPLE OF LEAST PRIVILEGE
The least-privilege policy grants permissions to only the resources
required to perform the task; no other access gets assigned. Having
overprivileged users and roles in an organization increases the risk
factor. With an increasing number of security breaches caused by
privileged credentials, it is best to always validate policies and adopt
the least-privilege principle by default.
PATTERN As a security best practice, when you create your IAM
policies, start with a minimum set of permissions
and grant additional permissions as needed.
ANTI-PATTERN Providing broad permissions increases the blast
radius and risk factor.
© DZONE | REFCARD | OCTOBER 2023
REFCARD | CLOUD-NATIVE APPLICATION SECURIT Y
SECRETS MANAGEMENT
Cloud secrets management refers to tools and methods to securely
manage secrets — passwords, certificates, SSH keys, encryption keys,
and API tokens. You should have a strategy to rotate your passwords
periodically. Public cloud providers offer managed services to handle
secrets and their management.
PATTERN Policies and procedures for secrets management
are established, documented, and communicated
across the development teams in your organization.
ANTI-PATTERN Storing sensitive credentials in code repositories.
INCIDENT RESPONSE
Building incident response and triaging strategies are challenging
when you have microservices running in a Kubernetes cluster in a
cloud-native landscape. When you treat your workloads running in
containers as cattle and not pets, performing post-mortem analysis
and gathering audit trail events become difficult.
Containers spin up and down frequently, so responding to security
threats in a transient environment requires a different strategy. Incident
response is critical to resolving security issues efficiently and spreading
awareness within your organization about operational duties.
PATTERN As you start creating an incident response playbook,
it is crucial to have access to proper observability
tools, including logs, metrics, and traces.
ANTI-PATTERN There is no proper audit trail or monitoring to
support troubleshooting activities.
DATA PROTECTION
Cloud-native microservices support polyglot persistence; therefore,
development teams have flexibility in choosing the appropriate
database technology, as seen in Figure 3, for developing their services.
These datastores can store both structured and unstructured data
to support a variety of functions like search, reporting, time series,
caching, transactional, etc.
PATTERN Support critical data management functions like
backup and recovery, archival, data replication,
data encryption at rest, and motion. When it comes
to data auditing, be aware of regulatory compliance
laws set by the government like HIPAA, GDPR, and
FedRAMP to protect consumer rights.
ANTI-PATTERN Excluding data from your automated CI/CD pipeline.
SEE FIGURE 3 ON NEXT PAGE
5 BROUGHT TO YOU IN PARTNERSHIP WITH

Figure 3: Polyglot persistence in cloud-native applications
CONTAINER IMAGE SECURITY
Many organizations are running containerized workloads in production.
Containers make it easy to package, deploy and run your code, thereby
increasing the speed and portability of your application. It is necessary
to secure the container image to secure your environment.
Organizations can leverage open-source tools to detect anomalous
behavior of applications running inside containers and send timely
alerts. A continuous and automated monitoring strategy is necessary
to address the increasing security risks associated with container
environments.
As a best practice, ensure that the images don't contain any known
vulnerabilities, do not have passwords and sensitive data included,
do not contain misconfigurations, and are downloaded from trusted
providers. Regularly scanning container registries in your organization
is recommended to boost the quality of containerized deployments.
PATTERN Images in popular container registries are not
guaranteed to be free from vulnerabilities; hence,
you should have a process for vulnerability
scanning of your container images before
deploying them to production.
ANTI-PATTERN No automated strategy to periodically scan
container images.
THREAT MODELING
Developing services in the public cloud can trigger new security threats
like malware and ransomware. You can leverage managed services
provided by cloud providers or third-party vendors that use machine
learning and artificial intelligence to identify security threats and
vulnerabilities across your organization.
PATTERNS Continuously monitor your cloud resources, have
unified visibility into security incidents, and develop
a strategy to detect unauthorized activities.
ANTI-PATTERNS No policies have been created to detect malicious
activities like suspicious user actions, unsuccessful
login attempts, network anomalies, and unusual
activities that indicate credential compromise.
© DZONE | REFCARD | OCTOBER 2023
REFCARD | CLOUD-NATIVE APPLICATION SECURIT Y
USING INFRASTRUCTURE AS CODE
Cloud-native architectures leverage the principle of immutability to
manage infrastructure resources. If you need to make any configuration
changes, you don’t modify the server; instead, build a new server
with the updated configuration. IaC ensures consistency between
environments and enables better DevOps practices by deploying
infrastructure code in an automated and repeatable manner.
PATTERNS Development and security teams can use IaC
tools like Terraform, Chef, Puppet, and Ansible
to create guardrails, implement policies, patch
vulnerabilities, and fix configuration issues
seamlessly across environments without worrying
about drifts. With IaC, all your infrastructure
changes are peer-reviewed and stored via source
control for increased visibility.
ANTI-PATTERN Making infrastructure changes manually, which
creates configuration drifts across environments.
RUNTIME VISIBILITY
With enterprises growing their workloads rapidly and adapting
multi-cluster/multi-cloud environments, it becomes crucial to
have a centralized view of your systems. Furthermore, to have a
sound observability strategy, you need to continuously profile your
applications and collect a considerable volume of data round the clock.
PATTERN Provide observability to the teams as a platform
offering — and not something they have to build and
maintain for individual services.
ANTI-PATTERN Lack of robust security tooling to make sense of
the high volume of logs, metrics, and trace data
produced by your applications.
SHARED RESPONSIBILITY MODEL
FOR SECURITY
Security is a shared responsibility between the cloud service provider
and its customers in the public cloud. The shared model helps to reduce
the operational burden on customers, as the cloud provider protects
the entire infrastructure containing the service deployments. At the
same time, customers are responsible for securing the application
code, data, identity and access, containers, and workloads running in
the cloud that contain business logic.
Once you have clarity on these shared responsibilities, development
teams can focus on building business features and not worry about the
day-to-day operational issues in the infrastructure layer.
To summarize, the cloud provider is responsible for the security "of"
the cloud, whereas the customer is responsible for the security "in"
the cloud. Figure 4 illustrates Microsoft's shared responsibility model
in the cloud and the various responsibilities between Microsoft and
its customers.
SEE FIGURE 4 ON NEXT PAGE
6 BROUGHT TO YOU IN PARTNERSHIP WITH

Figure 4: Microsoft’s shared responsibility model
Image source: "Shared responsibility in the cloud"
OWASP FRAMEWORK
The OWASP Top 10 is a set of development techniques that helps
developers improve their web applications' security and enables
teams to shift security earlier into the design and coding phases.
It encourages guidelines like integrating security into the CI/CD
pipeline, parameterizing queries, validating all inputs, implementing
error handling, improving logging strategy, leveraging the benefits
Figure 5: OWASP Top 10 web application security risks
Image source: "OWASP Top Ten"
WRITTEN BY SAMIR BEHARA,
SENIOR CLOUD INFRASTRUCTURE ARCHITECT, AWS
Samir builds and architects software solutions
using cutting edge cloud-native technologies.
Samir has worked on large-scale enterprise
applications involving complex business functions,
web integration, cloud migrations, and data management in various
domains like insurance, manufacturing, and publishing. Samir is a
frequent speaker at technical conferences and is the Chapter Lead of
the Steel City SQL Server user group.
© DZONE | REFCARD | OCTOBER 2023
REFCARD | CLOUD-NATIVE APPLICATION SECURIT Y
of security frameworks, protecting data at rest and encryption,
reducing sensitive data exposure, implementing secure access
controls, and more.
CONCLUSION
Cloud-native architectures have seen rapid adoption in recent years.
However, there are numerous security challenges due to this complex
and dynamic landscape. Users have faced multiple security risks like
data breaches, data loss, denial of service, insecure APIs, account
hijacking, vulnerabilities, and identity and access management
challenges. Enterprises need to continuously adapt security best
practices to handle these issues, as were outlined in this Refcard.
These core security concepts cannot be isolated and must be
consistently integrated into the development lifecycle. Enterprises
have been able to find ways to balance security and the speed of
delivery by embracing automation, continuous delivery, and, most
importantly, building a DevOps culture. It is highly recommended that
Refcard readers also study the CNCF Cloud Native Security Whitepaper
that focuses on key challenges of cloud-native application security,
providing guidance to architects and developers.
3343 Perimeter Hill Dr, Suite 100
Nashville, TN 37211
888.678.0399 | 919.678.0300
At DZone, we foster a collaborative environment that empowers developers and
tech professionals to share knowledge, build skills, and solve problems through
content, code, and community. We thoughtfully — and with intention — challenge
the status quo and value diverse perspectives so that, as one, we can inspire
positive change through technology.
Copyright © 2023 DZone. All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted, in any form or by means
of electronic, mechanical, photocopying, or otherwise, without prior written
permission of the publisher.
7 BROUGHT TO YOU IN PARTNERSHIP WITH