Cloud Security Authors: Elizabeth White, Zakia Bouachraoui, Pat Romanski, Liz McMillan, Yeshim Deniz

Related Topics: Cloud Security

Cloud Security: Blog Feed Post

Predicting the Future, or Counting on Code-based Security

As long as we have applications being developed and deployed, it seems we will have bad guys looking to exploit them

There are some topics that warrant the occasional revisit as time goes on, and application security is certainly one of those. As long as we have applications being developed and deployed, it seems we will have bad guys looking to exploit them. While I do believe that the Internet, like the Old West, will eventually need to be cleaned up and a set of common rules enforced, still there will be bad-guys, some people never learn that you can’t just do whatever you want and expect to get away with it.

So we need application security. At this point, I cannot imagine a web app being deployed without it in one form or twenty. Developers have gotten more astute (in general) about securing their code over the years, and the tools they have available to discover vulnerabilities have gone way up in quality since the 90s. And yet, our systems are still being compromised. There are a lot of reasons for this situation, and others have covered it much better than I have.


What seems to keep cropping up is the expression that somehow, even though our systems are being compromised, useful tools like Web Application Firewalls are not wanted or needed in the enterprise. This line of  dubious logic seems to run along the lines of “if your developers are doing their job, you don’t need such a thing”.

Wouldn’t it be nice if that were true? How about “if the people built your car right, it should never break down”. Does that sound reasonable? No? Well, it’s essentially the same situation. The external environment – attack vectors, tools hackers use, your partner’s security, etc. are constantly changing. The developers are writing security for the now – when the application is developed – and might (or might not, depending upon how much time you give them) update it when next they touch the code. And that’s reality. The bad guys are constantly improving, your code is static, no matter how well crafted.

But a Web Application Firewall is a specialty product whose purpose is to help stop the bad guys. It does not relieve your developers from the need to lock down their code, it should be written as bullet-proof as possible, because defense-in-depth is a real boon to information security. A Web Application Firewall does add defense in depth, and the security it adds is more than just “another layer of the same”, because it can be updated independent of your developers’ time. Save as many of your developer hours as you can for developing the applications that make the business money, let the Web Application Firewall vendor worry about updating the security bit to stop the attack of the week. Seriously. It’s a lot quicker to update a Web Application Firewall on a regular basis than it is to develop specialty code for each and every attack vector. And many times because of its location a Web Application Firewall can stop attacks that it doesn’t actually know about because they have suspicious behavior.

Image from reenactor.net


By filtering out a ton of attacks before they ever make it to your application, a Web Application Firewall is effectively reducing the exposure of your application. And that means less worry for everyone – you, customers, developers, senior management.

Like everything, it’s not a panacea, and the vendor you choose will have an impact on how well your applications are protected (fair disclosure, F5 sells a Web Application Firewall named Application Security Manager – ASM), but choosing carefully can give you easy and seamless protection against an array of attack vectors. The array pun was intended, for if your WAF protects against N vulnerabilities, it does not protect against number N+1. Sorry, geek humor.

The one gotcha is that you have to make sure of your vendor and your configuration. If your Web Application Firewall interrupts your applications, then it’s as much problem as solution. There are stories about how bad this and configuration can be. Lots of stories. Remember that the industry is well over a decade old, and those stories are from the bad old early days. Do some current research, don’t get sucked under with the tide.

There are a variety of other reasons why Web Application Firewalls are useful – like the fact that they have a different view of attackers (across the network) than your application developer who cannot do too much in terms of proactive defense, since his code is static – but the big one to me is reducing your exposure without increasing the manhours required to develop each and every application. And frankly, Web Application Firewalls also protect those applications developed by a third party that you may or may not have source code for, may or may not have a developer familiar with. That’s a big hit in and of itself.

Image (indirectly) from AutoDataSolutions.com

So if you’ve heard a talking head discussing how Web Application Firewalls are not of any use, or aren’t strictly needed (technically they’re not, but neither is a car, technically, you could walk everywhere), consider if  they’ve ever done web development, infosec, or read PCI DSS. Chances are anyone making such a claim has not done any of the three – or not done them well.

Read the original blog entry...

More Stories By Don MacVittie

Don MacVittie is founder of Ingrained Technology, A technical advocacy and software development consultancy. He has experience in application development, architecture, infrastructure, technical writing,DevOps, and IT management. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University.

IoT & Smart Cities Stories
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to great conferences, helping you discover new conferences and increase your return on investment.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.
DXWorldEXPO LLC announced today that "IoT Now" was named media sponsor of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. IoT Now explores the evolving opportunities and challenges facing CSPs, and it passes on some lessons learned from those who have taken the first steps in next-gen IoT services.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.