The Modern Age of Applications
Applications are the heart of most organizations. While you can think of data as the nouns of an organization’s story, applications are the verbs where the action takes place and the real work gets done. And the nature of those applications is changing dramatically - including everything from how they are developed, to how they are accessed, to how they are secured.
Virtually all enterprise applications and assets have become web-facing in some form, whether as traditional web applications, cloud applications, APIs, or legacy apps accessed through web interfaces. These applications are being continuously developed and delivered at unprecedented speed, and are constantly being probed and attacked by human and automated threats. A large part of an organization’s health and competitiveness will be determined by how well it can capture the benefits of these new approaches to applications while managing the risks.
To this end, we are dedicating a series of blogs to look at some of the key trends and challenges facing application security today, and how security teams can not only adapt but lead the change. In this first blog, we are going to dive into understanding the major changes to the application landscape and what they mean for security. In future blogs, we will explore the threat landscape and the key requirements for delivering application security that is both highly reliable and automated. So without further ado, let’s jump in and see how applications themselves have changed and are continuing to change.
Shifting to a Web-by-Default Model
Over the past decade, most organizations have fundamentally changed how they deliver and access applications. Internally hosted applications have given way to web and cloud-based applications by default, and monolithic application architectures are shifting to microservice architectures. Even older, legacy applications are often accessed via a web-based portal or run as microservices. While these changes bring immense value to the enterprise, they put new pressure on security teams to adapt.
The Impact on Security Teams
The first issue is simply how to get security coverage to large numbers of applications as they migrate to the web. Traditional web application firewalls (WAFs) have been notoriously time-consuming to manage and support. Even in the best scenarios, security teams often only have the time to support their top few applications with a traditional WAF.
As applications move to the web by default, this turns a bad situation into a potential disaster. And this brings up a very basic and obvious requirement for application security - it must be automated, reliable, and proactive. Staff can’t be required to constantly tune signatures and rules. Application security solutions have to step up to the plate and start doing their job of actually protecting applications.
Security teams also can’t afford to constantly chase down random anomalies or respond to alerts with manual IR-style investigations. The scale of Internet-based threats is so large that any heavy reliance on manual responses will quickly overload a team. Web-facing applications are, by nature, accessible from anywhere, and likewise are directly exposed to “anyone and anything” on the Internet. In principle, any adversary, criminal, or bot on the Internet is allowed to interact with the application. The more adversaries have access to the application, the more likely it is that weaknesses will be found. Once again, this puts a premium on security that is automated, accurate, and active.
These are just some of the important ways that changes in the application landscape are affecting security. As applications and technology evolve, security will likewise need to adapt. This is just the first of a multi-blog series that will explore and detail this shift in application security. In the next article, we will address how changes to application development and structure have impacted security teams, including the rise of DevOps and the shift to microservice architectures.