IT security specialist Rohde & Schwarz Cybersecurity is taking innovation and automation one step further by launching R&S® Trusted Application Factory, spearheading its strategy to secure tomorrow's applications by helping and supporting DevSecOps teams.
Munich, October 8, 2020 – In the past, software took about a year of development on average before being commercialized. Today, many organizations are adopting a continuous integration and deployment approach. The cycle has become shorter, thanks in particular to DevOps, which relies on automation and the pooling of complementary skills to increase the added value and responsiveness of companies.
The Rohde & Schwarz Cybersecurity strategy aims to help DevOps teams integrate application security right from the design phase, by integrating control capabilities within their APIs and applications. Rohde & Schwarz Cybersecurity has been offering Web Application Firewall (WAF) technologies for about twenty years. The company now makes its technologies consumable by developers. It offers tools that integrate into the existing environment and tooling and that use the same languages and technologies as the DevSecOps universe. It is in this context that Rohde & Schwarz Cybersecurity is launching R&S® Trusted Application Factory.
Putting security at the heart of applications
R&S® Trusted Application Factory is a solution for DevOps teams with the objective of providing security, simplicity and visibility.
- Security: By integrating security as close as possible to the application, it is possible to define more precise and relevant security. This security layer is deployed as a micro-WAF with the application so that it can be scaled up or upgraded at the same time as the application. The very fact of including the security configuration within the application code itself makes it possible to keep the security permanently up to date and aligned with the version of the application.
- Simplicity: To simplify collaboration, the security solution must be integrated into the DevOps teams' universe. Thus, the same tools, languages and concepts must be used.
- Visibility: It is necessary to provide visibility to the various users and managers: developers, infrastructure and security. R&S® Trusted Application Factory tracks the application from design to production execution, providing indicators on its security throughout its lifecycle.
The R&S® Trusted Application Factory application security service is deployed as a container for each application. This container can therefore "evolve" at the same time as the application in Kubernetes or Docker clusters. It can therefore automatically adapt to the application load. It also accompanies the application and can be deployed on-demand as well as on the private or public cloud. All the services are managed from a SaaS administration console, which enables the security of the various applications to be monitored.
The solution is based on the concept of "Context Description" to improve the level of security. Indeed, the data specific to each application and available to the development teams are essential for the configuration of security. The type of persistence used, the programming language, the server operating system and the data formats make it possible to automatically adapt protection policies by invoking the appropriate engines. By taking all these elements into account, increased security and a reduced risk of false positives are achieved.
R&S® Trusted Application Factory goes one step further by providing context for each resource: the pages of a web application or the endpoints of the REST APIs. The DevSecOps team can specify the format, the maximum size of requests and responses, and the behavior of the page using the OpenAPI schema extension, which offers the possibility to document the APIs very precisely.
R&S® Trusted Application Factory is now available with a version designed to launch pilot projects from the development phase to production. It integrates key concepts such as: Context Description, the micro-WAF service as a container, the definition of security exceptions in the application code and service tracking. All these functionalities will be constantly enriched to take into account the feedback from the DevSecOps teams.
"We are innovating with the micro-WAF concept. The idea is to have a WAF as small as possible. The advantage of micro-WAF is that the application will be more easily updated and more scalable. The whole system can be administered from a SaaS console without the customer needing to manage all the administration actions. The DevSecOps team no longer needs to go into the functional depth of the WAF since the contextual information is automatically translated into security policy, which is automatically adapted in the work environment,” explained Dr. Falk Herrmann, CEO of Rohde & Schwarz Cybersecurity. "By offering innovative tools that adapt to the challenges and needs of developers, Rohde & Schwarz Cybersecurity supports the digital transformation while guaranteeing strong security for all the tools used by companies.”