Signal Sciences Moves to Secure Envoy
Signal Sciences has extended its web application firewall (WAF) and runtime application self-protection (RASP) software to include support for the open source Envoy proxy service software widely used in Kubernetes environments.
Zane Lackey, chief security officer for Signal Sciences, says one of the things that distinguishes the Signal Sciences Cloud WAF is that it can support both existing monolithic and emerging microservices-based applications based on platforms such as Kubernetes. Rather than having to acquire a separate firewall that needs to be deployed as a sidecar to containers and then creating and managing policies on the firewall, the Signal Sciences approach makes it possible to unify the management of application security across multiple platforms, he says.
By adding support for Envoy, Signal Sciences is now signaling that its WAF and RASP technologies will be extended to various add-on modules deployed on top of Kubernetes clusters.
In keeping with agile DevOps processes, Lackey also notes the company’s Cloud WAF software is designed to be installed in minutes, as opposed to days and months. About 95% of Signal Sciences customers also make use of an automated blocking capability to inspect, detect and block malicious web requests without having to rely on signatures or rules-based tuning, adds Lackey.
As the number of containerized applications destined to be deployed on Kubernetes increases, tension between developers and cybersecurity teams is starting to rise. Cybersecurity teams are reluctant to approve deployment of containerized applications that they can’t secure themselves in production environments. They would prefer to be able to rely on the same cybersecurity framework to secure applications whenever possible, regardless of whether they are on monolithic architecture or employ cloud-native technologies such as containers and serverless computing frameworks. The challenge cybersecurity teams face is most legacy firewalls don’t support containers, which Signal Sciences views as an opportunity to gain share at the expense of its rivals—its WAF and RASP technologies are designed from the ground up to support multiple application architectures, says Lackey.
In the age of DevSecOps, it’s not clear who will assume responsibility for selecting and deploying firewalls. In some cases, developers will install firewalls on their own within the context of an isolated greenfield application environment. In other cases, cybersecurity teams will prefer to unify the management of firewalls across the enterprise. Given the history of application development, many of those cybersecurity teams don’t have a lot of confidence just yet in the ability of developers to embed the appropriate cybersecurity controls within their applications.
Whatever the approach, cybersecurity is now a major focal point when it comes to building, deploying and managing containerized applications. In an ideal world, developers and cybersecurity teams together will define best DevSecOps processes to ensure cloud-native applications are more secure without compromising the speed at which developers are able to build and deploy those applications. Otherwise, many developers will continue to end-run cybersecurity teams in the name of productivity regardless of the risks involved.