Integrating security from code to cloud [MIT Tech Review]

View Article on MIT Tech Review
The Human Genome Project, SpaceX’s rocket technology, and Tesla’s Autopilot system may seem worlds apart in form and function, but they all share a common characteristic: the use of open-source software (OSS) to drive innovation.

Offering publicly accessible code that can be viewed, modified, and distributed freely, OSS expedites developer productivity and creates a collaborative space for groundbreaking advancements.

“Open source is critical,” says David Harmon, director of software engineering for AMD. “It provides an environment of collaboration and technical advancements. Savvy users can look at the code themselves; they can evaluate it; they can review it and know that the code that they’re getting is legit and functional for what they’re trying to do.”

But OSS can also compromise an organization’s security posture by introducing hidden vulnerabilities that fall under the radar of busy IT teams, especially as cyberattacks targeting open source are on the rise. OSS may contain weaknesses, for example, that can be exploited to gain unauthorized access to confidential systems or networks. Bad actors can even intentionally introduce into OSS a space for exploits—“backdoors”—that can compromise an organization’s security posture. 

“Open source is an enabler to productivity and collaboration, but it also presents security challenges,” says Vlad Korsunsky, corporate vice president of cloud and enterprise security for Microsoft. Part of the problem is that open source introduces into the organization code that can be hard to verify and difficult to trace. Organizations often don’t know who made changes to open-source code or the intent of those changes, factors that can increase a company’s attack surface.

Complicating matters is that OSS’s increasing popularity coincides with the rise of cloud and its own set of security challenges. Cloud-native applications that run on OSS, such as Linux, deliver significant benefits, including greater flexibility, faster release of new software features, effortless infrastructure management, and increased resiliency. But they also can create blind spots in an organization’s security posture, or worse, burden busy development and security teams with constant threat signals and never-ending to-do lists of security improvements.

“When you move into the cloud, a lot of the threat models completely change,” says Harmon. “The performance aspects of things are still relevant, but the security aspects are way more relevant. No CTO wants to be in the headlines associated with breaches.”

Staying out of the news, however, is becoming increasingly more difficult: According to cloud company Flexera’s State of the Cloud 2024 survey, 89% of enterprises use multi-cloud environments. Cloud spend and security top respondents’ lists of cloud challenges. Security firm Tenable’s 2024 Cloud Security Outlook reported that 95% of its surveyed organizations suffered a cloud breach during the 18 months before their survey.

Code-to-cloud security

Until now, organizations have relied on security testing and analysis to examine an application’s output and identify security issues in need of repair. But these days, addressing a security threat requires more than simply seeing how it is configured in runtime. Rather, organizations must get to the root cause of the problem.

It’s a tall order that presents a balancing act for IT security teams, according to Korsunsky. “Even if you can establish that code-to-cloud connection, a security team may be reluctant to deploy a fix if they’re unsure of its potential impact on the business. For example, a fix could improve security but also derail some functionality of the application itself and negatively impact employee productivity,” he says.

Rather, to properly secure an application, says Korsunsky, IT security teams should collaborate with developers and application security teams to better understand the software they’re working with and to determine the impacts of applying security fixes.

Fortunately, a code-to-cloud security platform with comprehensive cloud-native security can help by identifying and stopping software vulnerabilities at the root. Code-to-cloud creates a pipeline between code repositories and cloud deployment, linking how the application was written to how it performs—“connecting the things that you see in runtime to where they’re developed and how they’re deployed,” says Korsunsky.

The result is a more collaborative and consolidated approach to security that enables security teams to identify a code’s owner and to work with that owner to make an application more secure. This ensures that security is not just an afterthought but a critical aspect of the entire software development lifecycle, from writing code to running it in the cloud.

Better yet, an IT security team can gain complete visibility into the security posture of preproduction application code across multi-pipeline and multi-cloud environments while, at the same time, minimizing cloud misconfigurations from reaching production environments. Together, these proactive strategies not only prevent risks from arising but allow IT security teams to focus on critical emerging threats.

The path to security success

Making the most of a code-to-cloud security platform requires more than innovative tools. Establishing best practices in your organization can ensure a stronger, long-term security posture.

Create a comprehensive view of assets: Today’s organizations rely on a wide array of security tools to safeguard their digital assets. But these solutions must be consolidated into a single pane of glass to manage exposure of the various applications and resources that operate across an entire enterprise, including the cloud. “Companies can’t have separate solutions for separate environments, separate cloud, separate platforms,” warns Korsunsky. “At the end of the day, attackers don’t think in silos. They’re after the crown jewels of an enterprise and they’ll do whatever it takes to get those. They’ll move laterally across environments and clouds—that’s why companies need a consolidated approach.”

Take advantage of artificial intelligence (AI): Many IT security teams are overwhelmed with incidents that require immediate attention. That’s all the more reason for organizations to outsource straightforward security tasks to AI. “AI can sift through the noise so that organizations don’t have to deploy their best experts,” says Korsunsky. For instance, by leveraging its capabilities for comparing and distinguishing written texts and images, AI can be used as a copilot to detect phishing emails. After all, adds Korsunsky, “There isn’t much of an advantage for a human being to read long emails and try to determine whether or not they’re credible.” By taking over routine security tasks, AI frees employees to focus on more critical activities.

Find the start line: Every organization has a long list of assets to secure and vulnerabilities to fix. So where should they begin? “Protect your most critical assets by knowing where your most critical data is and what’s effectively exploitable,” recommends Korsunsky. This involves conducting a comprehensive inventory of a company’s assets and determining how their data interconnects and what dependencies they require.

Protect data in use: The Confidential Computing Consortium is a community, part of the Linux Foundation, focused on accelerating the adoption of confidential computing through open collaboration. Confidential computing can protect an organization’s most sensitive data during processing by performing computations in a hardware-based Trusted Execution Environment (TEE), such as Azure confidential virtual machines based on AMD EPYC CPUs. By encrypting data in memory in a TEE, organizations can ensure that their most sensitive data is only processed after a cloud environment has been verified, helping prevent data access by cloud providers, administrators, or unauthorized users.

A solution for the future As Linux, OSS, and cloud-native applications continue to increase in popularity, so will the pressure on organizations to prioritize security. The good news is that a code-to-cloud approach to cloud security can empower organizations to get a head start on security—during the software development process—while providing valuable insight into an organization’s security posture and freeing security teams to focus on business-critical tasks.

Secure your Linux and open source workloads from code to cloud with Microsoft Azure and AMD. Learn more about Linux on Azure  and Microsoft Security.

This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by MIT Technology Review’s editorial staff.