Security-as-Code Definition

Security-as-Code is the practice of leveraging machine-readable definition files that use high-level descriptive coding language to automate security behavior in the runtime. This approach drastically reduces reliance on human intervention and grants security teams autonomy while allowing engineers to focus on development rather than vulnerability remediation.

Security-as-Code is the best way to confidently and continuously secure your apps despite code changes

Instead of trying to keep pace with development and the rate of deployments only to miss the majority of releases or hold up business-critical features from hitting production, Security-as-Code uses a Policy Config file to declaratively and imperatively define the desired security behavior for your applications allowing an agent to apply the protection in real-time.

Simplifying the security process to properly integrate into the DevOps pipeline will help you maintain parity with development velocity and make time-to-protection instantaneous. Which means you’re able to secure every application on every environment, release-after-release, diminishing your risk profile, resulting in happier security teams.

How Security-as-Code is Changing the Way You Secure Software

There’s a problem with the way we’ve been taught to secure software – as software becomes more and more complex it no longer works for for the growing number of attack vectors.

Think about it – the majority of modern security practices are based on regex pattern matching that analyzes data sent over the network.

This would be the same as your doctor treating your cough instead of your bronchitis. In other words, exploits are the symptom, while vulnerable code is the cause.

By only analyzing network data you can only make blind guesses on whether a request is an exploit leading to high false positives impacting the economics of application security.

When you run into a vulnerability that’s critical enough, where do you turn? For most security teams, the answer is engineering for a patch that takes weeks if not months and looks a lot like this:

That’s because only place to truly remediate a vulnerability is in the code.

But with the rate of releases in the modern DevOps world, not only could it be days before a vulnerability is detected, but it can take months for a vulnerability to be patched. Not to mention that you could very easily experience a regression due to a new deployment undoing the fix that was previously implemented.

Here’s how the DevOps process works today:

Security teams don’t have the time or resources to maintain parity and the numbers show it:

  • 83% of CISOs see software vulnerabilities as a critical threat
  • 67% of security teams are behind the software development life cycle (SDLC)
  • 30% of companies are shifting resources from security solutions to securing remote workers leaving gaps in their application security

The current security process has become antiquated and way more painful for the security teams and product teams than it needs to be.

The fix?

We need to grant security teams autonomy.

Security-as-Code removes the dependence of time and effort from DevOps teams.

Simply define the desired end state of security behavior for your applications once, and autonomously apply that to any existing or new code dynamically at the application runtime.

How do you ACTUALLY do Security-as-Code?

Implementing Security-as-Code doesn’t force you to blow everything up and start from scratch. It’s the fastest way to shift security left and works with your existing security solutions.

It’s more like turning on a new engineering team that compliments your existing security efforts, but can fix vulnerable code instantaneously with nearly-zero performance overhead, and zero false positives.

We boil it down into a simple framework called the Secure Every App Framework.

The Secure Every App Framework boils down to 3 steps:

  1. Analyze
  2. Secure
  3. Scale

It’s how you secure applications quickly and at scale in today’s world. It’s not a new security platform. It’s a new way to approach security with more accuracy.

Let’s break down each step.

Step 1: Analyze applications for existing security vulnerabilities.

Establish if any existing vulnerabilities are consistently exploitable. This will help you determine which rules to put in detect mode and which to put in protect mode in the next step.

Waratek can supply a number of vulnerable server pages isolated in a container to deliberately introduce vulnerabilities for testing purposes and are very easily understood by security teams.

Step 2: Declaratively or imperatively define the security behavior you want your apps to adhere to

With Security-as-Code the agent keeps your apps secure release-after-release by applying the security behavior in the runtime, resulting in an instantaneous time-to-protection. Security-as-Code platforms can understand which code is susceptible to which vulnerability and apply security appropriately in real-time instead of forcing you to repeat the identification step with every release.

Let the Security-as-Code agent fix the vulnerable code for you. Define your desired security behavior using either the Web Portal or the Policy Config file depending on what you’re most comfortable with.

This will help your agent understand what to look for both in your codebase and your network requests. You’ll speed up time-to-protection and reduce attacker dwell time to zero.

Step 3: Scale security throughout the rest of your applications on every environment

Current tools and processes do not scale to whole-of-enterprise. Security-as-Code solves runtime security automation at scale like Infrastructure-as-Code solved infrastructure automation.

When false positives are taken out of the equation, the economics of application security transform. No longer do you have to settle for securing only your top 5 most important apps. Instead you can secure all of your organizations apps, removing any entry point for a would-be attacker. We have customers running Waratek’s Security-as-code platform on 2,500 apps in production.

This is one of the key differences of Security-as-Code vs traditional security process.

The 3 Key Benefits of Security-as-Code

You’ve already read about some of the positive results many different businesses have been able to achieve through Security-as-Code. But those aren’t the only benefits you can expect.

Here are the three biggest benefits of using Security-as-Code to secure your applications in real-time:

1) You grant your security teams more autonomy

With Security-as-Code platforms, your security teams no longer play catch up to DevOps’ release velocity.

Now you can confidently say, for example, “I want to block SQL injections” in the Policy Config file and trust that no matter what code changes happen by engineering at a later date, that SQL injections won’t occur.

2) You transform the economics of application security

By decreasing Time-to-Protection, DevOps involvement, and removing false positives, you can now afford to security every application in your company.

3) Time-to-Protection becomes instant

With security behavior actively applied in the runtime, there is no logical separation between the security that is applied to your application and the application itself, resulting in live execution of secure code.

Security-as-Code FAQ

Here are the most common questions we get related to Security-as-Code:

Do I have to completely remove all of my existing security solutions?

Getting started with Security-as-Code isn’t an “all or nothing” decision.

Rather than removing all of the security platforms in use today, simply start by adding real-time protection as a second net to catch the vulnerabilities that your other platforms can’t catch. It’s like hiring an engineering team that focuses solely on security, doesn’t make mistakes, and completes work the moment a vulnerability is identified.

How do I measure the effectiveness of Security-as-Code?

You can measure your Security-as-Code efforts just like you would measure any other security platform.

Waratek’s Security-as-Code platform ARMR gives you dashboards that show you how many vulnerabilities you’ve identified and remediated, along with the criticality of those vulnerabilities.

How do I scale Security-as-Code?

Security-as-Code allows you to offer instant Time-to-Protection for known and unknown apps alike, even while your team is sleeping. Since the same security behavior is applied on the target applications in the runtime, release-after-release, the concern for application security regression is removed.

Because of this, along with an ultra-low performance overhead (<5%) and no false-positives, it’s easy to scale to every app in your company’s stack without becoming overwhelmed. After all, you deserve that vacation you’ve been dreaming of.

Ready to experience the power of Security-as-Code?

Let us show you first-hand how Waratek can help you with:

  • Autonomous protection – Fix known and unknown vulnerabilities in real-time without a single code change
  • Virtual patches – Virtually upgrade apps and dependencies like Log4j without code changes, vendor patches, or downtime
  • Removing gaps – Engrain protection within the DNA of your apps and APIs instead of relying on adjacent or parallel protection, which can allow vulnerabilities to slip through