A Belt-and-Suspenders Approach To Application Security

By Timothy Liu, CTO and Co-Founder, Hillstone Networks

In recent years, the pandemic and other forces have led to drastic changes in the way we work. The distributed workforce has become far more common, resulting in an increased dependence on software and applications to allow remote workers to conduct their tasks. The simultaneous shift by businesses to digital transformation has contributed to this evolution, although the mass shutdowns of the pandemic were most likely the key driver of much of the distributed workforce trend.

Business applications have become very diversified to accommodate varying needs, and may be deployed as locally hosted software, software-as-a-service (SaaS), or cloud-native or microservices-based applications. Integrating applications and associated application data and microservices is usually accomplished via application programming interfaces (APIs), which act as an interface and allow interoperability.

The explosion in public-facing application usage, however, has not been overlooked by cybercriminals. Applications and their APIs are an appealing focus point for the bad guys seeking to exploit sensitive financial and personal information. Application security is further complicated by the sheer diversity of deployment models and the multiple attack surfaces and potential vulnerabilities presented by the applications themselves.

Given the risks posed by attacks on applications, it is common for security teams to use multiple layers of security beginning with the development phase and continuing through to local and cloud deployments. This ‘defense in depth,’ or lifecycle-state system for application security can layer defenses for improved protections across the board.

The Trend Toward Shifting Left in Development

A relatively recent strategy, ‘shifting left’ refers to placing more responsibility and resources for application security into the application development phase. (Side note: This phase is usually shown at the left side of application work flow drawings, thus the name.) Sometimes known as AppSec, DevSec, or DevSecOps, shift-left tactics often consist of security auditing and vulnerability scans to help confirm compliance with certain development standards. In addition to the basics, development teams will sometimes use human or automated penetration tests and scans, both for unauthenticated and authenticated use cases, to identify vulnerabilities that other tests could overlook.

Designing the strategy for shifting left strategy can be a real juggling act, though. Pushing accountability for security to the developers themselves can significantly delay speed of development processes. On the other hand, delegating these responsibilities to a security team results in their reliance on developers to remedy any issues revealed by security testing. More and more, automation-assisted tests are coming into play; however, dependence solely on automation can bring risks of its own.

Ultimately, organizations will have to find the sweet spot for development-phase security testing to uncover hidden vulnerabilities and lapses in security postures without unduly impacting the DevOps production timelines.

Layering Security in Deployment

Although improving security processes at the development level is vitally important, ensuring a robust security posture in application deployment is every bit as crucial. In the field, Web Application Firewalls like Hillstone Networks’ W-Series WAFs are commonly used to provide application security. Most WAFs will defend against the OWASP Top 10 list of application vulnerabilities at minimum; more advanced WAFs provide semantics analysis and context awareness that can help reduce false positives and block unknown threats and attacks.

A number of WAFs also offer extended defenses against DoS and DDoS attacks at OSI Layer 3 and can protect against botnet and similar threats. Increasingly, advanced WAFs have the ability to verify APIs using industry standards such as OpenAPI, which serves as a crosscheck for security testing done by DevOps teams. If any errors or vulnerabilities in the APIs are detected, the WAF can construct security policies to defend against potential API attacks or misuse.

In and of itself, a WAF typically encompasses multiple protective techniques that could be considered a layered defense. However, another type of solution known as server protection is often combined with a WAF for additional protections and improved visibility. Server protection products such as Hillstone’s sBDS offer broad security for web, application, and other servers by detecting anomalous actions and potential advanced persistent threats (APTs). Server protection might utilize deception techniques, artificial intelligence and correlation analysis to identify Indicators of Compromise (IoCs) and take autonomous actions to intercept them.

A WAF might also be combined with an Application Delivery Controller to gain higher application availability as well as a first line of application defense. In addition, an ADC like Hillstone’s AX-Series has the ability to decrypt and re-encrypt HTTPS traffic to relieve a great deal of the processing load for a WAF. Called SSL offload, this capability can greatly WAF throughput and overall performance.

Focused Defenses for the Cloud

For public, private and hybrid cloud architectures, the standards for application security are very similar to other deployment types. WAFs, server protection and ADCs are all offered in cloud-based versions; however, cloud apps differ in terms of their transitory nature and mobility. This can make security cloud-based applications infinitely more challenging, but cloud workload protection platforms (CWPPs) are specifically designed to address the demands of cloud deployments.

A CWPP, such as Hillstone’s CloudArmour, offers a unified dashboard that displays the security posture of cloud clusters and hosts, providing granular visibility of probable vulnerabilities, but importantly, the connections between and relationships of cloud applications within the environment. This consolidated dashboard allows admins to quickly identify applications that may be vulnerable to attack, and to visualize unusual traffic, unsafe user or application actions and other IOCs. This deep and actionable visibility lets security teams recognize risks and adjust security mechanisms to better secure the cloud architecture.

CWPPs may offer micro-segmentation technologies to observe east-west traffic for suspicious actions. For example, unauthorized lateral movement between applications and hosts can be indicative of APTs like botnets and other attacks. Application and contextual awareness through AI and machine learning allow a CWPP to precisely identify and prevent potential threats with minimal false positives.

Caveats

While the technologies and methodologies described in this article have been shown to improve app security postures, each security practitioner and organization is likely to have distinct priorities and  philosophies. A robust, layered defense usually develops over time rather than all at once. Without a doubt there will be a staff training and learning gap to overcome with any new security technique or technology.  In addition, security technologies themselves normally need a period of time in which to ‘learn’  normal traffic and usage patterns so as to differentiate standard and valid traffic from indicators of attack or compromise.

With that said, the growing reliance upon applications by organizations of all sizes, and the burgeoning cyberthreat landscape, requires a multi-phase, multi-layer security approach that spans from application development to deployment, wherever the application will reside.

 

About the Author

A Belt-and-Suspenders Approach To Application SecurityTimothy Liu is Co-Founder and Chief Technology Officer of Hillstone Networks. In his role, Mr. Liu is responsible for the company’s product strategy and technology direction, as well as global marketing and sales. Mr. Liu is a veteran of the technology and security industry with over 25 years of experience. Prior to founding Hillstone, he managed the development of VPN subsystems for ScreenOS at NetScreen Technologies, and Juniper Networks following its NetScreen acquisition. Mr. Liu is also a co-architect of the patented Juniper Universal Access Control and holds an additional patent on Risk Scoring and Risk-Based Access Control for NGFW. In his career, Mr. Liu has served in key R&D positions at Intel, Silvan Networks, Enfashion and Convex Computer. He Liu holds a Bachelor of Science from the University of Science and Technology of China and a Ph.D. from the University of Texas at Austin.

Tim can be reached online at @thetimliu  and at our company website https://www.hillstonenet.com/

October 13, 2022

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

X