
Adopt Insertion Point Security for a Microservices World

In the old world, applications generally consisted of a web server, an app server and a database. Traffic went from router to switch to firewall. There was a network perimeter, which was our ingress. 

That was then, this is now. With the cloud, containers and microservices, we’re navigating an environment that includes clients, proxies, web servers, app servers, ingress controllers, containers, sidecars, and a range of microservices performing more and more specialized functions—a whole world purely intrinsic to applications. The complexity involved in the presentation of an app today rivals that of the internet itself 10 years ago. 

In an attempt to describe the security priority for this reality, the industry has been saying that “the app is the new perimeter.” But that description fails to capture the scope and sophistication of what’s really going on. 

Applications have been deconstructed to the point where we need to think about them with a new level of abstraction to understand how security needs to evolve. All of the layers and components that go into an application create insertion points for app security, and as a collective whole, those application insertion points are the new perimeter.  

With that in mind, securing an app today is not like building a fortification around your asset—it’s more like shooting a rocket into space. There are thousands of possible components and permutations, and a failure at any point could cause its own unique consequence. The app equivalent of a faulty ignition circuit could mean the rocket sits idle on the launch pad until it’s fixed. And something as similarly minor as a frozen O-ring could have disastrous ramifications. 

Adding even more layers to this situation is the fact that most organizations were not born yesterday. They’re running applications built on technologies that span their organization’s history, with some decades-old technologies working alongside modern DevOps apps. 

In many cases these multi-generational apps may be dependent on each other as part of the same business function. Think of the labyrinth of processes and touchpoints involved in shipping a package from Branson, Missouri, to Barcelona. The package must interact with a wide variety of scanners, scales, apps, tracking services and payment systems, across offices and warehouses supported by sometimes dramatically different technologies. 

To truly understand your application and the risks to it in such an environment, a comprehensive Failure Mode Effect Analysis approach is required, just as it would be for a major mechanical system. You have to look at the sum of all the parts to understand an application and its effect on a business process—and you have to look at every single permutation of interactions across that process, because the smallest component failure could cause the entire system to fail. 

This kind of analysis allows you to evaluate the likelihood of a particular failure and its potential severity. Determining which security measures are critical will depend on the particular insertion points your application has. Each insertion point will require a distinctly different policy, since the context of each component is different. Yet appropriate security must be implemented for every insertion point for every application across the entire business process. 

The key to appropriately applying security across the entire system is to stretch out the application structure and look at all insertion points as those applications evolve. Ideally this could also involve building a risk dashboard that enables visibility into all of the various risks, taking into consideration how modern a particular application is and what components it leverages.
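One way to put this analysis into working form, as an added example that is not part of the original article: a small FMEA-style scoring of application insertion points using the classic risk priority number (severity x occurrence x detection), a per-app roll-up of the kind a risk dashboard would show, and a check for insertion points that still have no policy. The inventory, tier names, failure modes and scores below are constructed for illustration, not taken from any real system.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class InsertionPoint:
    """One place in the application stack where security can be inserted."""
    app: str
    tier: str                     # e.g. ingress controller, sidecar, app server
    generation: str               # "modern" (DevOps) or "legacy"
    failure_mode: str             # what could go wrong at this point
    severity: int                 # 1-10: impact on the business process if it fails
    occurrence: int               # 1-10: how likely the failure mode is
    detection: int                # 1-10: 10 means we would not notice it happening
    policy: Optional[str] = None  # security control applied here, if any

    def rpn(self) -> int:
        """Classic FMEA risk priority number; higher means fix first."""
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(points: List[InsertionPoint]) -> List[InsertionPoint]:
    """Order insertion points so the highest-risk ones come first."""
    return sorted(points, key=lambda p: p.rpn(), reverse=True)


def uncovered(points: List[InsertionPoint]) -> List[InsertionPoint]:
    """Insertion points with no policy at all, which the article says must not exist."""
    return [p for p in points if not p.policy]


def dashboard(points: List[InsertionPoint]) -> Dict[str, int]:
    """Aggregate RPN per application, across modern and legacy generations."""
    totals: Dict[str, int] = {}
    for p in points:
        totals[p.app] = totals.get(p.app, 0) + p.rpn()
    return totals


# Constructed inventory: one business process spanning a modern API and a legacy app.
INVENTORY = [
    InsertionPoint("shipping-api", "ingress controller", "modern", "TLS termination misconfigured", 8, 3, 4, "mTLS + WAF"),
    InsertionPoint("shipping-api", "sidecar", "modern", "authz policy not enforced", 9, 4, 6, None),
    InsertionPoint("shipping-api", "microservice", "modern", "container image with known CVEs", 7, 5, 3, "image scanning"),
    InsertionPoint("label-printer", "app server", "legacy", "unpatched app server", 6, 6, 5, "perimeter firewall"),
    InsertionPoint("label-printer", "database", "legacy", "SQL injection in legacy form", 9, 4, 7, None),
]

if __name__ == "__main__":
    for p in rank_by_rpn(INVENTORY):
        print(f"{p.rpn():4d}  {p.app:<14} {p.tier:<20} {p.failure_mode}")
    print("per-app totals:", dashboard(INVENTORY))
    print("no policy yet:", [(p.app, p.tier) for p in uncovered(INVENTORY)])
```

Note that the legacy database scores highest here even though the modern sidecar has a comparable failure mode: the detection score is what pushes it up, which is the point of scoring every generation of app in the same model.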

It’s important to remember that, even as organizations move to a modern DevOps model and build more and more apps “to the left,” they will continue to build and maintain more traditional apps to the right. Companies that fall the farthest to the left are dealing with threats associated with Kubernetes, sidecars and containers. And the ones building to the right are still dealing with those old-school perimeter challenges and vulnerabilities that exist within the application, the network and the perimeter.

Mastering the ability to address all those threats, and to insert security in every tier within your applications, is the next frontier. The application insertion point is the new perimeter.  
