Adopt Insertion Point Security for a Microservices World

In the old world, applications generally consisted of a web server, an app server and a database. Traffic went from router to switch to firewall. There was a network perimeter, which was our ingress. 

That was then, this is now. With the cloud, containers and microservices, we’re navigating an environment that includes clients, proxies, web servers, app servers, ingress controllers, containers, sidecars, and a range of microservices performing more and more specialized functions—a whole world purely intrinsic to applications. The complexity involved in the presentation of an app today rivals that of the internet itself 10 years ago. 

In an attempt to describe the security priority for this reality, the industry has been saying that “the app is the new perimeter.” But that description fails to capture the scope and sophistication of what’s really going on. 

Applications have been deconstructed to the point where we need to think about them with a new level of abstraction to understand how security needs to evolve. All of the layers and components that go into an application create insertion points for app security, and as a collective whole, those application insertion points are the new perimeter.  

With that in mind, securing an app today is not like building a fortification around your asset—it’s more like shooting a rocket into space. There are thousands of possible components and permutations, and a failure at any point could cause its own unique consequence. The app equivalent of a faulty ignition circuit could mean the rocket sits idle on the launch pad until it’s fixed. And something as similarly minor as a frozen O-ring could have disastrous ramifications. 

Adding even more layers to this situation is the fact that most organizations were not born yesterday. They’re running applications built on technologies that span their organization’s history, with some decades-old technologies working alongside modern DevOps apps. 

In many cases these multi-generational apps may be dependent on each other as part of the same business function. Think of the labyrinth of processes and touchpoints involved in shipping a package from Branson, Missouri, to Barcelona. The package must interact with a wide variety of scanners, scales, apps, tracking services and payment systems, across offices and warehouses supported by sometimes dramatically different technologies. 

To truly understand your application and the risks to it in such an environment, a comprehensive Failure Mode and Effects Analysis (FMEA) approach is required, just as it would be for a major mechanical system. You have to look at the sum of all the parts to understand an application and its effect on a business process—and you have to look at every single permutation of interactions across that process, because the smallest component failure could cause the entire system to fail. 

This kind of analysis allows you to evaluate the likelihood of a particular failure and its potential severity. Determining which security measures are critical will depend on the particular insertion points your application has. Each insertion point will require a distinctly different policy, since the context of each component is different. Yet appropriate security must be implemented for every insertion point for every application across the entire business process. 

The key to appropriately applying security across the entire system is to lay out the full application structure and enumerate every insertion point, and to keep doing so as those applications evolve. Ideally this also involves building a risk dashboard that gives visibility into all of the various risks, taking into consideration how modern a particular application is and what components it leverages.
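As an added illustration (not code from the column), a small Python model of the FMEA approach the two paragraphs above describe: every insertion point of every app gets severity, likelihood and detection scores, apps that depend on one another are walked transitively so the whole business process is covered, and the resulting ranking doubles as the risk dashboard, flagging insertion points that still have no policy. All app names, scores and controls are constructed sample values.

```python
"""FMEA-style risk ranking over application insertion points (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class InsertionPoint:
    name: str
    severity: int        # 1-10: business impact if this point fails or is compromised
    likelihood: int      # 1-10: how likely that failure is
    detection: int       # 1-10: 10 means the failure would go unnoticed
    control: Optional[str] = None   # security policy applied here, None if missing

    def rpn(self) -> int:
        """FMEA risk priority number: severity x likelihood x detection."""
        return self.severity * self.likelihood * self.detection


@dataclass
class BusinessProcess:
    name: str
    apps: Dict[str, List[InsertionPoint]]   # app -> its insertion points
    depends_on: Dict[str, Set[str]]         # app -> other apps it calls


def reachable_apps(process: BusinessProcess, entry: str) -> Set[str]:
    """Every app the process touches, following multi-generational dependencies."""
    seen: Set[str] = set()
    stack = [entry]
    while stack:
        app = stack.pop()
        if app in seen:
            continue
        seen.add(app)
        stack.extend(process.depends_on.get(app, set()))
    return seen


def risk_dashboard(process: BusinessProcess, entry: str) -> List[Tuple[int, str, str, bool]]:
    """Rank all insertion points across the process; last field marks a missing control."""
    rows = []
    for app in reachable_apps(process, entry):
        for ip in process.apps[app]:
            rows.append((ip.rpn(), app, ip.name, ip.control is None))
    return sorted(rows, reverse=True)


# Constructed sample: a modern portal that still calls a legacy billing app.
SHIPPING = BusinessProcess(
    name="ship-package",
    apps={
        "portal": [InsertionPoint("ingress-controller", 8, 4, 3, "WAF + TLS policy"),
                   InsertionPoint("tracking-sidecar", 6, 5, 6, "mTLS + authz"),
                   InsertionPoint("label-service", 7, 3, 7)],
        "legacy-billing": [InsertionPoint("perimeter-firewall", 9, 2, 2, "ACL"),
                           InsertionPoint("app-server", 9, 6, 8)],
        "hr-portal": [InsertionPoint("sso", 5, 2, 2, "SAML")],  # not in this process
    },
    depends_on={"portal": {"legacy-billing"}},
)
```

Running `risk_dashboard(SHIPPING, "portal")` puts the uncontrolled legacy app server at the top of the list, ahead of the newer Kubernetes components, while the unrelated HR app never appears.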

It’s important to remember that, even as organizations move to a modern DevOps model and build more and more apps “to the left,” they will continue to build and maintain more traditional apps to the right. Companies that fall the farthest to the left are dealing with threats associated with Kubernetes, sidecars and containers. And the ones building to the right are still dealing with those old-school perimeter challenges and vulnerabilities that exist within the application, the network and the perimeter. 

Mastering the ability to address all those threats, and to insert security in every tier within your applications, is the next frontier. The application insertion point is the new perimeter.  
