How to Enable Applications Teams to Secure Code (part 2)

By Eric Noonan • March 16, 2018

It’s more important than ever to make sure your applications are secure. What tools are available to help in this effort – and what are the pros, cons, features, and benefits of these enablement tools?

In our previous post we set the stage for this discussion by covering the challenge application developers and their security teams face securing code in an efficient manner. Read about the impact securing (or not securing) application credentials can have on your organization and what you can do about it.

To continue our discussion, apps typically run in one of three network zone configurations. These include:

  • On-Prem – Apps that run in this space are your traditional applications, which usually run on physical machines or dedicated VMs. These apps have a long lifecycle.
  • Internal Cloud – Apps in this zone run on semi-elastic machines. Their lifecycle is much shorter than traditional servers and they are deployed much quicker than on-prem apps.
  • “The Cloud” – This zone exists outside the organization’s firewall. Apps in the cloud run on a very short-lived infrastructure, which is hosted by an outside vendor. These apps are deployed and destroyed auto-magically based on the application’s needs.

Whether you’re trying to meet DFARS, MAS, HIPPA, or NERC compliance, you have choices on where your apps run. Whichever environment meets your needs, CyberSheath has the resources to help keep your applications secure.

What you needHow CyberSheath can help
On-PremYour on-premise applications need to be just as secure as apps in the cloud.Depending on the way your application functions (homegrown code, services, scheduled tasks, IIS services), the CyberArk Enterprise Password Vault (EPV) has a feature for you. EPV is designed for:

  • Managing secrets.
  • Rotating passwords and keys.
  • Allowing humans and applications to fetch them for authorized tasks.
Your on-prem apps are developed on a platform like Java or C++.CyberArk’s Application Identity Manager can help. An agent, which serves as a credential provider, is installed on the local host. It:

  • Communicates between the application and the Vault, serving up the password each time it’s needed.
  • Is designed for high transaction volumes, and high availability.
  • Allows for seamless credential rotation with zero downtime.
  • Challenge: Agent workflow and management can be cumbersome.
Your on-prem applications rely on less hardcore code, but more scripting and basic Windows functions.The built-in remote management features of the Central Policy Manager are a good alternative.

  • Scheduled tasks, services, and IISAppPools running under a specific user can have that user’s password rotated automatically.
  • Challenge: Configuring the workflow for this is where most app teams get hung up.
Internal CloudYour apps running on an internal or private cloud tend to be less risk-oriented. These apps generally require faster deployment, have shorter return to operations (RTO) requirements, and need to be semi-elastic.CyberArk’s Central Credential Provider (CCP) is one recommended approach.

  • It allows app teams to make simple code changes.
  • Instead of an agent installed on a semi-elastic device, a web service call is made to retrieve the credential.
  • Identity can be established with a number of machine characteristics, in addition to client certificates.
  • Challenge: It can be difficult to define a clear and repeatable process to register applications and issue certificates to them.
“The Cloud”Your applications running on cloud infrastructure (a.k.a. the public cloud) generally require extremely high availability and elastic growth on demand.

Provisioning applications’ access to secrets at such quick speeds is challenging, which is why many organizations are hesitant to put apps in the cloud.

CyberArk’s Conjur, which is a DevOps security platform designed for cloud computing, can help.

  • As a cloud application itself, it conforms to the highly elastic nature of cloud applications.
  • It uses the concept of machine identity to establish trust that your app is who it says it is.
  • Using web calls (similar to CCP), Conjur serves up secrets to authorized applications.
  • No configuration is required for a new app instance. It’s built, has its authorizations, and it’s on its way.
  • Challenge: It’s not easy to create a system to import secrets or to build a methodology for developers to code in Conjur during their build process.

Contact CyberSheath to learn how we can help your organization secure your applications.

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO

CMMC CON 2022 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.