DoD Cloud Exchange 2024: Palo Alto Networks David Kubicki on navigating SaaS security needs
Integrating security into application development is more important than ever given the velocity of cloud applications, Palo Alto’s David Kubicki points out.
Inside the Defense Department and across many organizations, there’s been a push in recent years to shift cybersecurity to “the left” in software development.
Instead of only monitoring cyber vulnerabilities and other security issues once a software product is shipped to a customer, the idea is to ensure developers account for security as they’re building the software.
That same mentality is crucial in the world of cloud computing, where it can be difficult to keep pace with the velocity of application development and deployment, said David Kubicki, solution architect manager for federal at Palo Alto Networks.
“We feel that shifting left and providing that security within the development cycles is really the only way that you can keep up with the application velocity within the cloud,” Kubicki said during Federal News Network’s DoD Cloud Exchange 2024.
And while cloud environments are sometimes assumed to be automatically more resilient than on-premises systems, DoD’s 2021 DevSecOps strategy acknowledged that is not always the case.
“There is an optimistic vision that portrays the cloud as offering endless computing capacity, guaranteed availability and lower operational costs,” the strategy states. “The reality is that an improperly architected application remains as brittle in a cloud environment as it did operating in a regional data center. If not re-architected, it may actually be more unreliable and more expensive to operate. The shift to cloud must be accompanied by the adoption of new architectural design patterns and an overpowering preference to build atop existing enterprise services instead of reinventing duplicative capabilities.”
Integrating security into software development
Although cyberthreats have continued to increase in recent years, software developers often outnumber security personnel by a ratio of 30 to one, Kubicki said. He noted that one agency reported a 50-to-one ratio.
“There’s a lot of alert fatigue,” he said. “There’s a lot of just general fatigue for the security teams in trying to keep up with that application velocity that I mentioned as well.”
While security is often seen as a drag on the software development process, Kubicki said that integrating it earlier in the software lifecycle can head off issues that would otherwise slow a product down later in development.
“Providing that security and that feedback back to the developers allows the alerts to be reduced from those applications and workloads,” he added. “But it also enables the communication between the development teams, the ops teams, the security teams, and reduces some of the friction that can be the number one cause of development slowdown and decreasing the application velocity.”
Providing security tools to developers
DoD officials say the department’s adoption of cloud services has ramped up since the award of the Joint Warfighting Cloud Capability (JWCC) contract in December 2022.
With the demand for rapid cloud application adoption increasing, Kubicki said developers will need tools to help them comply with DoD’s security policies.
“That goes back also to having a platform with consistent data across all phases of the application lifecycle, and when you have that it’s also providing data into the tools that the developers are most accustomed to using,” he said. “For example, providing the information on the vulnerability analysis of a container image within the continuous integration, continuous development pipelines when they go to that build process, or providing that feedback to an infrastructure as code template that a developer might be using to deploy an infrastructure to a public cloud environment.”
In addition to automated tools, Kubicki said human review will continue to be important in enforcing security policies.
“Human review can slow down the process ever so slightly, but it is important to make sure that we’re verifying the policy for the code that we’re deploying. And if those misconfigurations are happening, hopefully stopping within the development processes, and getting to production with a known good state.”
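The two mechanisms Kubicki describes above, feeding container-image vulnerability results and infrastructure-as-code findings back into the build step, and routing what automation cannot decide to a human reviewer, can be made concrete as a small policy gate that runs in the pipeline. The block below is an added illustration written for this article; it is not Palo Alto Networks code and does not reflect any particular scanner’s output format. The JSON report shape, the policy keys, the resource names and the CVE identifiers (deliberately of the form CVE-0000-000N) are all constructed for the example. The gate returns one of three verdicts: fail when a finding at or above the blocking severity has an actionable fix (or an IaC misconfiguration reaches that severity), review when a blocking-severity vulnerability has no available fix and a person has to decide whether to accept it, and pass otherwise. Accepted risks are carried in an allowlist with an expiry date so that they are re-examined rather than silently forgotten.

```python
"""Shift-left policy gate for a CI build step.

Added example for this article, not vendor code. Consumes two constructed
artifacts a build would produce (a container-image vulnerability report and a
list of infrastructure-as-code findings) and returns a verdict the pipeline
can act on: 'fail' (block), 'review' (route to a human), or 'pass'.
"""
import json
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample image scan; CVE ids are placeholders, not real entries.
SAMPLE_IMAGE_REPORT = json.dumps({
    "image": "registry.example.mil/app:1.4.2",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "openssl", "installed": "3.0.1",
         "fixed": "3.0.2", "severity": "CRITICAL"},
        {"id": "CVE-0000-0002", "package": "libxml2", "installed": "2.9.1",
         "fixed": None, "severity": "HIGH"},
        {"id": "CVE-0000-0003", "package": "curl", "installed": "7.8.0",
         "fixed": "7.9.0", "severity": "LOW"},
    ],
})

# Constructed sample findings from scanning an IaC template (assumed rule names).
SAMPLE_IAC_FINDINGS = [
    {"rule": "s3-bucket-public-read", "resource": "aws_s3_bucket.logs",
     "severity": "HIGH"},
    {"rule": "missing-tag-owner", "resource": "aws_instance.web",
     "severity": "LOW"},
]

# Policy kept in version control next to the pipeline (assumed schema).
POLICY = {
    "block_at": "HIGH",                          # severity that fails the build
    "allowlist": {"CVE-0000-0002": "2024-12-31"},  # accepted risk, with expiry
}


def evaluate(image_report_json, iac_findings, policy, today_iso):
    """Apply the policy to one build; returns verdict plus developer-facing messages."""
    report = json.loads(image_report_json)
    today = date.fromisoformat(today_iso)
    threshold = SEVERITY_RANK[policy["block_at"].upper()]
    failures, reviews, notes = [], [], []

    for v in report["vulnerabilities"]:
        rank = SEVERITY_RANK.get(v["severity"].upper(), 0)
        expiry = policy["allowlist"].get(v["id"])
        if expiry:
            if date.fromisoformat(expiry) >= today:
                notes.append(f"{v['id']} accepted until {expiry} (allowlist)")
                continue
            # Expired acceptances fall through and are judged like any other finding.
            notes.append(f"{v['id']} allowlist entry expired {expiry}")
        if rank < threshold:
            notes.append(f"{v['id']} {v['severity']} in {v['package']}: below gate, logged only")
        elif v["fixed"]:
            # Actionable: tell the developer exactly what to change in the image.
            failures.append(f"{v['id']} {v['severity']}: upgrade {v['package']} "
                            f"{v['installed']} -> {v['fixed']}")
        else:
            # No fix exists yet, so automation cannot remediate; a person decides.
            reviews.append(f"{v['id']} {v['severity']} in {v['package']}: "
                           "no fix available, needs review")

    for f in iac_findings:
        rank = SEVERITY_RANK.get(f["severity"].upper(), 0)
        msg = f"{f['rule']} on {f['resource']}"
        # Misconfigurations are always fixable in the template, so they block or warn.
        (failures if rank >= threshold else notes).append(msg)

    verdict = "fail" if failures else ("review" if reviews else "pass")
    return {"verdict": verdict, "failures": failures, "reviews": reviews, "notes": notes}


if __name__ == "__main__":
    result = evaluate(SAMPLE_IMAGE_REPORT, SAMPLE_IAC_FINDINGS, POLICY, "2024-06-01")
    for line in result["failures"] + result["reviews"] + result["notes"]:
        print(line)
    print("verdict:", result["verdict"])
    # A non-zero exit code is what actually stops the pipeline stage.
    raise SystemExit(1 if result["verdict"] == "fail" else 0)
```

In a pipeline the fail verdict maps to a non-zero exit code that stops the build, while review would be wired to a manual approval stage so that, as the quote above puts it, the small cost of human review is paid only for the cases automation genuinely cannot settle. Running the sample as of 2024-06-01 fails on the fixable openssl finding and the public bucket; rerunning it after the allowlist entry expires additionally surfaces the unfixed libxml2 finding for review.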