In IT circles, we often hear -- and preach -- about the benefits of using layered security defenses to minimize information risks. After all, having layered security is a core tenet of information security dating back several decades to the origins of IT.
There are layers at the endpoint, layers at the network perimeter and, today, layers out to mobile and into the cloud. That's what's needed for a secure network, right?
Yes, generally speaking. However, in terms of application security, layered security can come up short in the areas of visibility and control -- especially when they're not properly implemented, which is often the case.
I've tested many web and mobile application environments over the years, and it doesn't seem to matter whether strong network security controls are in place. Even the best filtering and blocking technologies can't prevent application vulnerabilities from being exploited. This is largely due to the way SSL/TLS encryption can mask communication streams. Compensating controls often miss the obvious because they have no insight into what's happening in those streams.
Even if attacks can be seen, exploits can be carried out via a good old-fashioned web browser or HTTP proxy to make it look like legitimate traffic. It's easy to assume that application attacks are going to generate a lot of noise, like denial-of-service attacks do, but that's not true. It is one thing to detect and block automated web vulnerability scans, but quite another to prevent web traffic that looks like everything else, especially if it's coming from a trusted user whose login credentials have been compromised.
For example, SQL injection is a very common application security flaw. However, it can be extremely difficult to detect and prevent without the most granular of controls that only a web application or next-generation firewall could offer.
Furthermore, based on my experience, most browser-to-server-based SQL queries run over SSL or TLS. The problem is not that the communication session is encrypted, but the fact that they're even allowed in the first place; there's very little that traditional network security controls can do to detect or mitigate such an exploit. The same goes for webpages that are vulnerable to malware injections because, unless malware protection is running on the server itself, the injection will likely go undetected.
There's a myriad of other technical security flaws in both web and mobile platforms that can be carried out in plain sight. These vulnerabilities can remain undetected for weeks or months, if not indefinitely. Looking at the soft side of application security, such as business logic, password policies and login mechanisms, there's little that can be done about these threats in terms of proactive prevention and response.
This highlights the importance of rooting out security flaws by other means, namely secure coding practices combined with proper vulnerability and penetration testing. You can have the best web application firewall, IPS or managed security service in place, but those mean nothing at layer 7 when they are poorly managed, and I'm not sure that will ever change.
A broad range of controls that serves to enhance visibility, alerting and real-time blocking can certainly benefit your application security efforts, but don't let it create a false sense of security, and know that traditional security controls will likely be insufficient for application security as a whole. On the other hand, software flaws need a different kind of attention -- you should know your application environment and where it's vulnerable, as the odds are good that there are some unique gaps that remain unaddressed -- layered security or not.