
Build Your Immunity Across All App-Security Insertion Points

Years ago, I worked on a consulting project for a large financial services company, which had recently invested $20 million into their core offering, a managed services platform for financials that was used by hundreds of customers. 

We did a Failure Mode Effect Analysis for them, looking at every component making up the major service—every app, every piece of infrastructure supporting each app, every business process, every development and IT process—and every permutation of interactions across that entire stack. 

As it turned out, the routers they were using for each of their dedicated customers were end of life, which we flagged as an issue. Sure enough, all of those routers came up with a bug that turned into a nasty illness. It took down the entire infrastructure, and none of the firm’s customers could access their financial systems to process invoices, make or receive payments, or initiate new purchases. Suffice it to say, it was a catastrophe.

The fact that a $20 million service could be taken offline by a $1,000 part goes to show that any system is only as strong as its weakest link and its associated app security insertion point. Major applications today are so complex they rival living organisms, with security acting as an immune system. Infections can come from anywhere, so you have to be looking everywhere, and defending everywhere too. 

The modern world of apps is one of almost baffling heterogeneity in terms of the array of products, services and vendors surrounding every tier of the application ecosystem. Companies have been transforming digitally for decades, and most have a mixture of old and new technologies, from physical servers to microservices, with a variety of clouds and a multitude of vendors. 

A major SaaS application can rely on many different component apps to achieve its outcome. It can be leveraging legacy applications built on COBOL alongside modern apps in containers and sidecars. Each of those applications follows a data path with multiple physical and process components. And along that data path, every piece of hardware, every integration, every API, every process, as well as the applications themselves, all of them are potential targets. 

So to secure applications effectively, we have to keep the whole organism in mind. The physical infrastructure for those legacy apps isn’t going away. Every piece in the stack remains a critical insertion point for app security. We’re still seeing many attacks against DNS services and Transport Layer Security, for example. Hackers are targeting the DNS to hijack web traffic, to gain access and change DNS functionality, to route site visitors through fraudulent DNS servers, or even take over the DNS entirely, rendering the site unreachable and routing traffic to any number of nefarious properties. 

Similarly, access-related attacks remain popular. By far the most common such attacks involve phishing and social engineering—those decades-old techniques to dupe users into giving up their information—but brute-force attacks against passwords and credential stuffing are also common.
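The two access attacks named above, brute-force password guessing and credential stuffing, leave different footprints in authentication logs: brute force piles many failures onto one account, while stuffing sprays one attempt each across many accounts and is only dangerous where it succeeds. The following Python is an added example, not code from the article or from F5; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data); the line format is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z auth ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z auth ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03Z auth ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:03Z auth ip=203.0.113.7 user=erin result=OK
2024-05-01T10:00:04Z auth ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:01:00Z auth ip=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:01Z auth ip=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:02Z auth ip=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:03Z auth ip=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:04Z auth ip=198.51.100.4 user=admin result=FAIL
2024-05-01T10:01:05Z auth ip=198.51.100.4 user=admin result=FAIL
2024-05-01T10:02:00Z auth ip=192.0.2.10 user=alice result=FAIL
2024-05-01T10:02:05Z auth ip=192.0.2.10 user=alice result=OK
"""

# Assumed key=value layout; adjust for a real log source.
LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def parse_events(text):
    """Turn log lines into (ip, user, success) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("result") == "OK"))
    return events


def classify(events, stuffing_min_users=5, brute_min_failures=5):
    """Separate the two patterns.

    credential_stuffing: one source IP touching many distinct usernames; the
        accounts it logged into successfully are the ones to act on first.
    brute_force: many failed attempts against one account from one source IP.
    Thresholds are illustrative assumptions, not tuned values.
    """
    users_per_ip = defaultdict(set)        # ip -> set of usernames attempted
    successes_per_ip = defaultdict(set)    # ip -> usernames that succeeded
    fails_per_ip_user = defaultdict(int)   # (ip, user) -> failed attempts
    for ip, user, ok in events:
        users_per_ip[ip].add(user)
        if ok:
            successes_per_ip[ip].add(user)
        else:
            fails_per_ip_user[(ip, user)] += 1

    findings = {"credential_stuffing": {}, "brute_force": {}}
    for ip, users in users_per_ip.items():
        if len(users) >= stuffing_min_users:
            findings["credential_stuffing"][ip] = {
                "distinct_users": len(users),
                "successful_users": sorted(successes_per_ip[ip]),
            }
    for (ip, user), n in fails_per_ip_user.items():
        if n >= brute_min_failures:
            findings["brute_force"][(ip, user)] = n
    return findings


if __name__ == "__main__":
    result = classify(parse_events(SAMPLE_LOG))
    for kind, hits in result.items():
        print(kind, hits)
```

The stuffing rule deliberately counts successful logins too: a single success in a spray of one-shot attempts is the signal that a reused password worked, which a failure-only rule would miss. The ordinary user at 192.0.2.10 (one failure, then success) trips neither rule.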

While those tried-and-true vectors are as relevant as ever, the rise of apps has created a vast new topology. We’ve seen a dramatic increase in APIs in recent years, and their use in attacks has spiked correspondingly. 

APIs essentially function as a user interface for apps rather than users, providing the translation and interface layers that allow applications to leverage each other’s services. Some applications are essentially APIs herding microservices together to function as a single experience for the user.

Part of the lure of APIs as a target lies in the fact that they run behind the scenes, meaning that breaches can more easily go undetected. APIs also frequently have access to many places that users wouldn’t be given access to, making them a higher value target. All this means that gaining more visibility into APIs and securing API gateways has become a higher priority than ever. 

Web app code is another critical insertion point. PHP is a server-side language that’s used in roughly 80 percent of sites across the web, including many of the largest web applications in the world. Its popularity alone makes it a huge target, and for the past couple of years PHP exploits have accounted for about two-thirds of published exploits. PHP has also been a factor in the explosion of Magecart formjacking attacks. 

When you think of the depth and breadth of this threat landscape in the age of apps, it’s clear we have to be taking a holistic health approach, accounting for every piece, from the DevOps process to the point that code reaches the customer—app and web servers, proxies, the API gateway, load balancers, DNS, DDoS mitigation, CDN, all the way to the client or browser itself.

Any business outcome from an app relies on the entire organism. So build your immunity across every point—including those old routers.

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of Information Security at social media provider Demand Media, where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.