
Application layer security puts up another obstacle for hackers

Hackers will exploit any entrance to enterprise data they can find. Make sure to erect more than just a network-level fence to ensure nobody crashes the data party.

New hacking methods are forcing operations to rethink the traditional, network-level method of keeping confidential data safe. The penalty for ignoring these dangers can be severe.

Historically, IT security policies focused on keeping people out. Enterprises put significant time and money into network-based security, using firewalls and intrusion prevention systems. These products examine incoming network traffic, look mainly for known attacks and put various checks in place to thwart hackers. Lately, this technique hasn't worked well.

Protecting data has become more complex, and firms are moving toward application layer security. While new tools take on this work, plenty of holes remain.

Securing a new layer


High profile break-ins at sophisticated organizations, such as Yahoo and Verizon Enterprise, have illustrated that hackers can circumvent network barriers if they desire.

Hackers have expanded focus to breaching systems at the application level where, traditionally, security has been minimal to nonexistent.

"While there are pockets of understanding inside corporations, in general, application level attacks are not well understood," noted Tim Jarrett, senior director of product marketing at security solution-provider Veracode in Burlington, Mass.

Attackers gain control of system resources via an array of methods, including cross-site scripting, cookie poisoning, hidden field manipulation, SQL injection, Google hacking, buffer overflows, directory traversal and Lightweight Directory Access Protocol (LDAP) injection.

Application layer security tools are emerging in response to new threats. IT pros deploy web application firewalls (WAFs), security systems designed to protect web applications from attacks aimed at the application itself rather than the network. A WAF examines input to and responses from a web application to detect and block potential exploits.

WAFs have evolved to become more functional and easier to deploy over product generations. They are the most common application layer security system.

WAF suppliers include Barracuda Networks, Cisco Systems, Citrix, CloudFlare, F5, Fortinet, Imperva, ModSecurity, Qualys, Radware, SecureWorks and Trustwave Holdings.

Testing code

Businesses are baking security into applications during the development process.

"Identifying a security flaw in development is much less expensive than doing it once the application is running," stated Nathan Wenzler, chief security strategist at AsTech Consulting, a cyber-risk management firm in San Francisco.

In static analysis, security software examines code without running it. It analyzes source code, identifies locations where vulnerabilities may exist and outlines potential fixes.

Dynamic analysis is another option, in which the IT team tests and evaluates application security while the software is running. Dynamic analysis tools pepper the running application with attack scenarios to detect vulnerabilities.

Dynamic application security tool vendors include AsTech Consulting, Checkmarx, Hewlett Packard Enterprise, IBM, Qualys, Synopsys, Trustwave, Veracode and WhiteHat Security.

What's next?

A few new application level security techniques are emerging. Runtime application self-protection (RASP) embeds security software into the application to detect and prevent possible attacks.

RASP is used by a small but growing number of organizations, according to Dale Gardner, a research director at Gartner.

Analytics are also gaining traction, giving IT organizations real-time information on attacks. Rather than rely on static lists of known vulnerabilities, these tools monitor system behavior. When anomalies arise, they identify and sequester potential security breaches.

Real-time attack analytics capabilities come from vendors such as Alert Logic, Blue Coat Security, Cisco, Dell EMC, Juniper Networks, FireEye, Hexis Cyber Solutions, LightCyber and Sumo Logic.

It is a time-consuming, complex, tedious and error-prone task to monitor all of the activity occurring on large networks with thousands of devices running a variety of programs. Consequently, suppliers are incorporating artificial intelligence and machine learning into their security analytics solutions.

"The rise of automation and analytics is perhaps the most important trend to watch across all of security, including application security," Gardner said.

Corporations are also developing best practices around application level security. Firms are training developers in secure coding practices. The developers focus on testing applications to identify weaknesses and vulnerabilities. Simple, common-sense steps, such as keeping software updated by deploying new security patches in a timely manner, protect against breaches.

Security hurdles still exist

Organizations face challenges in securing applications. Software is becoming more modular, which makes it more difficult for companies to create secure code. Increasingly, enterprises rely on software, often open source software, written and tested by a third party or parties. When firms weave these components into their applications, they assume the external components are secure, but often they are not, according to Wenzler.

While application layer security interest is rising, most organizations still do not bake it in during development. Why isn't security testing during development more popular?

The tools can be expensive. While some testing tools are open source, the price for commercial products can reach as much as $1 million, according to Kasey Cross, director of product management at LightCyber, which sells a behavioral attack detection platform. With IT budgets increasing at rates of a few percentage points per year, operations personnel have trouble justifying such purchases.

New security checks can negatively impact the development process. "There are tradeoffs between securing applications and businesses' desire to deliver software ASAP," Jarrett noted. In fact, Gartner found that about 80% of organizations are concerned that information security policies prevent them from achieving the level of agility that DevOps promises.

Businesses and hackers are engaged in a game of leapfrog. Recently, the bad guys have turned their attention to application layer attacks. Businesses are responding to the threat, but in some cases not as aggressively as necessary.
