In this post, I want to compare the value and detection results of antivirus in datacenters, server systems, and SaaS environments to those of other security detection tools and techniques. Some people claim antivirus is installed only to meet audit and compliance requirements for certifications. At Oracle, the SaaS Cloud Security (SCS) team believes antivirus tools provide a necessary and clear defense-in-depth layer in SaaS environments. If you have been skeptical about the antivirus approach, read on.
Where does antivirus fit in the DevSecOps model?
In a production security infrastructure, antivirus can and should be used in three specific phases: build, operate, and monitor (as shown in the model below). I describe each of them in the scenarios that follow.
Antivirus in the build phase
All binaries, executables, and files must be scanned and validated after they are compiled, built, and released. A malicious user, insider, or attacker with access to the development environment could deliberately or covertly inject malicious code at this phase, and that code would then be carried into production. It is also possible that a legitimate user in the development environment has an infected or compromised machine running malicious software that could affect the integrity of the build.
In addition, you might be using supplemental code, libraries, or binaries from external sources and third parties as you develop a component or application. It is critical that these get scanned and validated before they are used in a production system.
Antivirus in the operate phase
Some applications and services accept files, attachments, and other submissions as part of their user workflow or application functionality. These uploaded files can be a primary source of viruses and malicious code; therefore, they must be scanned, isolated, and/or quarantined as part of the overall system workflow before the content is accepted into the application.
ICAP (the Internet Content Adaptation Protocol) is the recommended industry solution for offloading scanning and detection from an application system in a standardized and scalable way. As one example, the Oracle SCS team deploys and manages a fault-tolerant ICAP infrastructure in the Oracle Fusion application environment to provide this service to our customers.
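As an added example (not code from the original post or from Oracle's ICAP deployment), here is a minimal Python client that hands an uploaded file to an ICAP antivirus service with a RESPMOD request and turns the reply into an accept/reject decision before the application stores the file. The service URL, host names and the c-icap/ClamAV-style X-Infection-Found / X-Violations-Found verdict headers are assumptions.

```python
import socket

ICAP_SERVICE = "icap://av-scanner.example.internal:1344/avscan"  # constructed; c-icap default port


def build_respmod_request(filename: str, data: bytes, service: str = ICAP_SERVICE) -> bytes:
    """Wrap an uploaded file in an ICAP RESPMOD request (RFC 3507). The file travels as the
    body of a synthetic HTTP response, so the scanner sees exactly what the app would store."""
    req_hdr = f"GET /upload/{filename} HTTP/1.1\r\nHost: app.example.internal\r\n\r\n".encode()
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(data)}\r\n\r\n").encode()
    body = f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n"  # HTTP chunked body
    host = service.split("//", 1)[1].split("/", 1)[0]
    # Encapsulated gives the byte offset of each part, counted from the end of the ICAP headers.
    icap_hdr = (f"RESPMOD {service} ICAP/1.0\r\nHost: {host}\r\nAllow: 204\r\n"
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + body


def parse_icap_verdict(raw: bytes) -> dict:
    """Map the scanner's reply to an accept/reject decision. 204 = clean and unmodified (we
    asked for it with Allow: 204); X-Infection-Found / X-Violations-Found are the c-icap/ClamAV
    style verdict headers; anything else is treated as a scan failure and rejected (fail closed)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = next((int(t) for t in lines[0].split()[1:2] if t.isdigit()), 0)
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    if status == 204:
        return {"accept": True, "status": status, "threat": None}
    threat = None
    for item in headers.get("x-infection-found", "").split(";"):
        if item.strip().lower().startswith("threat="):
            threat = item.split("=", 1)[1].strip()
    if status == 200 and (threat or "x-violations-found" in headers):
        return {"accept": False, "status": status, "threat": threat or "unknown"}
    return {"accept": False, "status": status, "threat": None}


def scan_upload(filename: str, data: bytes, host: str, port: int = 1344, timeout: float = 10.0) -> dict:
    """Send one upload to the ICAP service and return the parsed verdict (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_respmod_request(filename, data))
        raw = b""
        while b"\r\n\r\n" not in raw:  # read until the ICAP status line and headers are complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_icap_verdict(raw)
```

A clean file yields a 204 and is accepted; an infected one yields a 200 with a threat name and is rejected, and any other reply (timeout, 5xx, missing verdict headers) is also rejected so that a scanner outage never lets unscanned content into the application.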
Antivirus in the monitor phase
Sometimes cloud-based systems and applications need maintenance, troubleshooting, or binary updates while in a production deployment—or new tools, drivers or other components need to be installed. You can use antivirus, in conjunction with other tools, to scan and detect malicious code, infected binaries, or malicious actions in this phase.
There are several critical checkpoints in a DevSecOps environment at which antivirus scanning and detection should be used and monitored in a world-class SaaS cloud deployment. Antivirus is just one tool, used together with other techniques and systems, to secure and protect a SaaS cloud environment in a defense-in-depth approach. This best practice is another example of how the SaaS Cloud Security (SCS) team constantly plans and deploys the best security technology as part of the (ASCSS) infrastructure at Oracle.