Automated App Security Configuration Audits

By Prasad Kunchakarra | April 9, 2019

Application Security Configuration Audits – Why Automated Validation is a Must

In one of my previous blogs, I discussed the challenges of securing modern applications. The takeaway was that modern applications change far more frequently than traditional ones, and the blast radius of any security misconfiguration is large because many services push data over the wire to complete a single task. In this blog, I discuss the shortfalls of manual verification. Organizations, particularly in regulated industries, are unable to benefit from the faster product and feature delivery cycles that modern technologies make possible because of the bottlenecks introduced by manual compliance audits. This article discusses the root cause of the problem and how these bottlenecks can be overcome.

If you are building modern applications for a highly regulated industry such as finance or government, there is a continuous need to make sure that all security configurations comply with industry standards such as NIST 800-53. The manual compliance verification and screenshot-based evidence gathering still practiced in some organizations is totally inadequate. These manual verifications require coordination of multiple resources, including developers, DevOps engineers, security engineers and independent security auditors. They consume hundreds of man hours gathering evidence that quickly becomes outdated because the applications evolve continuously. Most manual verifications do not cover all application nodes and configurations; instead, spot checks are relied on to provide “reasonable” but incomplete assurance. In summary, manual verification and evidence gathering of application security configurations has the following drawbacks:

• Leaves blind spots: misconfigurations may go undetected because validation covers only a small percentage of the security configurations
• Requires coordination of multiple team members, resulting in lost productivity
• Consumes hundreds of man hours periodically to satisfy independent regulatory compliance audits
• Introduces considerable delays in delivering new products and features

Even though the organization may pass independent security audits after considerable effort, there is no guarantee that security configurations are valid against organizational benchmarks and baselines. And as indicated above, any misconfiguration in a modern application can have a severe impact because of the larger blast radius associated with modern architectures.

Capitis solved this problem with C2VS, our solution for automated independent compliance testing. The solution can scan hundreds of application configurations across all IT resource types in just a few minutes. Because these tests can be run frequently, any misconfiguration or drift from the baseline security configuration is detected quickly. Customizable dashboards give clear explanations of the root cause of each failure so security engineers can take corrective action immediately. Our solution not only verifies custom applications but also checks the security configurations of databases, application servers, cloud resources such as S3 buckets and EFS volumes, and messaging providers such as SNS/SQS. Read more about C2VS here.
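To make the idea of a baseline-driven audit concrete, here is a small added example of the pattern the paragraph above describes: every resource in an inventory is evaluated against every applicable baseline check (full coverage rather than spot checks), each failure carries a root-cause explanation, and two consecutive runs are compared to surface drift. This is illustrative code written for this post, not C2VS or any Capitis code; the check ids, the resource field names (`encryption`, `public_access_blocked`, `kms_key_id`, `tls_versions`) and the inventory snapshots are all constructed for the example and would in practice be populated by a collector reading cloud APIs and server configuration files.

```python
"""Baseline-driven configuration audit with drift detection (illustrative).

Added example, not C2VS code. The inventory below is constructed by hand to
stand in for what a collector would pull from cloud APIs or config files.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple

Resource = Dict[str, Any]


@dataclass(frozen=True)
class Check:
    check_id: str                      # stable id, e.g. mapped to a control family
    resource_type: str                 # which inventory entries the check applies to
    description: str                   # what the baseline requires
    passes: Callable[[Resource], bool]  # predicate over one resource's config
    remediation: str                   # what to change when the check fails


@dataclass(frozen=True)
class Finding:
    resource_id: str
    check_id: str
    passed: bool
    detail: str


# Constructed baseline: the kind of checks derived from a hardening standard.
# Field names are assumptions for this example, not a real collector schema.
BASELINE: List[Check] = [
    Check("S3-ENC", "s3_bucket", "Server-side encryption enabled",
          lambda r: r.get("encryption") in ("AES256", "aws:kms"),
          "Enable default bucket encryption"),
    Check("S3-PUB", "s3_bucket", "Public access blocked",
          lambda r: r.get("public_access_blocked") is True,
          "Turn on the bucket's public access block"),
    Check("SQS-ENC", "sqs_queue", "Queue encrypted at rest",
          lambda r: bool(r.get("kms_key_id")),
          "Set a KMS key on the queue"),
    Check("APP-TLS", "app_server", "TLS 1.2 or newer only",
          lambda r: bool(r.get("tls_versions"))
          and all(v in ("TLSv1.2", "TLSv1.3") for v in r["tls_versions"]),
          "Remove legacy TLS versions from the listener"),
]

# Constructed snapshot 1: one bucket already lacks default encryption.
INVENTORY_DAY1: List[Resource] = [
    {"id": "logs-bucket", "type": "s3_bucket", "encryption": "aws:kms",
     "public_access_blocked": True},
    {"id": "export-bucket", "type": "s3_bucket", "encryption": None,
     "public_access_blocked": True},
    {"id": "orders-queue", "type": "sqs_queue", "kms_key_id": "alias/orders"},
    {"id": "api-1", "type": "app_server", "tls_versions": ["TLSv1.2", "TLSv1.3"]},
]

# Constructed snapshot 2: someone disabled the public access block on logs-bucket.
INVENTORY_DAY2: List[Resource] = [dict(r) for r in INVENTORY_DAY1]
INVENTORY_DAY2[0]["public_access_blocked"] = False


def audit(inventory: List[Resource], baseline: List[Check]) -> List[Finding]:
    """Evaluate every applicable check against every resource.

    Every resource is covered rather than a sample, which is the point of
    automating the audit; each failure carries the reason and the fix.
    """
    findings: List[Finding] = []
    for res in inventory:
        for chk in baseline:
            if chk.resource_type != res["type"]:
                continue
            ok = bool(chk.passes(res))
            detail = "OK" if ok else (
                f"{chk.description} is required by the baseline but not set. "
                f"Fix: {chk.remediation}")
            findings.append(Finding(res["id"], chk.check_id, ok, detail))
    return findings


def failures(findings: List[Finding]) -> Set[Tuple[str, str]]:
    """(resource_id, check_id) pairs that failed."""
    return {(f.resource_id, f.check_id) for f in findings if not f.passed}


def drift(previous: List[Finding], current: List[Finding]) -> List[Tuple[str, str]]:
    """Checks that passed in the previous run and fail now: drift from baseline."""
    return sorted(failures(current) - failures(previous))


if __name__ == "__main__":
    day1 = audit(INVENTORY_DAY1, BASELINE)
    day2 = audit(INVENTORY_DAY2, BASELINE)
    for f in day2:
        if not f.passed:
            print(f"FAIL {f.resource_id} [{f.check_id}]: {f.detail}")
    print("drift since last run:", drift(day1, day2))
```

Running the script reports the pre-existing encryption failure on `export-bucket`, the newly failing public-access check on `logs-bucket`, and lists only the latter as drift, which is the signal a scheduled run would raise to a dashboard. Because the baseline is data rather than scattered manual steps, adding a resource type or control means adding a `Check`, and the same run covers every node the collector enumerates.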


About the Author

Prasad Kunchakarra is the CEO and Founder of Capitis Solutions Inc. He has over 15 years of experience in architecting and implementing secure platforms both for Government and commercial clients.