Collision Course: Keeping Up With Digital Complexity in an App-Enabled World

There’s no question the world is getting more agile. These days even companies in traditional brick-and-mortar industries, the Luddites and laggards of the old school, are transitioning their business logic to web sites and apps.

The complexity this causes can be staggering. If you’re wondering why we still see so many breaches today even as our security processes and technologies have become ever-more fortified, this is the shift you’re looking for. 

Applications have become the infrastructure of the internet. They are in everything from phones to thermostats, cars to power grids. And for every digital transformation enabled by apps, the application itself is a primary target, along with the business logic it supports and all its underlying data. 

For one thing, an app isn’t just an app anymore. To form an application environment, there are a significant number of components: a proxy, an app server, a web server, the ingress controller for the container environment. You might run within containers. You might have an SDK on the client side. The list goes on (and on). 

And what’s more, the way applications are built keeps changing. In addition to the rapid cadence of iteration and releases brought about by the shift to Agile and DevOps, there are always new APIs, languages and devices entering the picture. Since its release, ThinkPHP has proved very popular with web developers, but partly because of that popularity, today we’re seeing a significant portion of breaches associated with PHP.

And then there’s the underlying business logic. Until the computing revolution and the internet, business logic was manual and offline. Functions like HR and finance kept records and drove processes in documents and spreadsheets stored in filing cabinets. Today, with SaaS-based business applications like Workday and Salesforce, those records and file cabinets are online and those processes are vulnerable to manipulation. 

Examples of this are all around us. Beyond connecting friends across distances, Facebook is also a direct marketing application. It provides a way for companies and other organizations to reach thousands of people instantly. The “business logic” this is replacing used to involve a great deal of physical effort: direct mailers, door-to-door campaigns, advertising.

Any case of transformed business logic creates the potential for new avenues to exploit the system in ways that people never imagined. If a malicious entity were to obtain stolen records of Facebook users, and then apply that information to misuse the platform’s functionality…well, we’ve seen what could happen.  

Social media is just one well-known example, and it’s only scratching the surface of the types of compromises we’re likely to see in the years to come as our transition to a digital world accelerates. Flaws will exist in digitizing business processes, leaving them open to manipulation. People, being people, won’t always think through the possible consequences of turning those processes into applications. 

What kinds of exploits could there be for HR-as-a-service? How could good AI be manipulated to do bad things? How might a hack into an industrial control system disrupt a manufacturing process? Along with understanding the vulnerabilities in the actual application infrastructure, security pros need to be asking themselves these kinds of questions. 

So are we seeing more breaches? Yes, but it’s not because the security industry isn’t keeping up. It’s because the threats to applications have become so much larger. Along with the increasing sophistication, creativity and dedication of malicious actors, there are just so many areas to target. 

But at the same time, we’re not cautioning you to abstain from your own digital transformation or from enabling your business through automation. The value to be gained from your application portfolio is just too great. The genie is out of the bottle.

Just like the threat actors do, security pros need to adapt and keep pace. As you work to develop a new app or service, you have to anticipate that securing the system and protecting the business today is about much more than vulnerabilities in your code. You have to start thinking through how any new, digital business logic could be manipulated. And in today’s DevSecOps environments, you don’t have weeks or months to accomplish your threat modeling. 

The best way for the security industry to meet the challenge of modern applications and modern app development is to adopt an equally modern way of supporting those applications and development processes from a security perspective.

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of Information Security at social media provider Demand Media, where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.