Is Having Too Many Apps Expanding Your Threat Surface?

Can you have too many apps? How many is too many? Do you even know how many you have or (yikes) who has access to them? A recent IDG study found that the average company has 1,742 apps, with about 60% of app development happening in house. With the volume of apps continually increasing, companies are striving for self-service, automation, and centralized management.

A Growing Threat Surface

Of course, applications are essential to running your business. Done well, they can make nearly any task or process faster and easier. But can you have too much of a good thing? Apparently, yes. IT operations professionals are having trouble keeping up with ever-changing application architectures, platforms and modern technology standards, and as a result, app security, visibility, and compliance are becoming more of a concern.

Certainly, a major shipping company found that to be the case. Even back when app proliferation wasn’t recognized as an issue, this shipping and office services giant assessed its application portfolio and realized it had more than 2,600 applications, the consequence of both a massive acquisition push and rapid growth. Equally concerning, it identified more than 14,000 custom interfaces to these applications. The threat surface area for so many applications is a huge risk for any business to wrestle with on its own, and that’s just one of the many significant risks that accompany this kind of application proliferation.

Risks And Fixes

Applications can now go from initial idea to proof of concept within weeks due to an extremely fertile app development environment. One of the consequences of this velocity is that responsibility for app development and deployment decisions—including those that impact security and compliance—have been shifting left towards developers and away from network and security professionals. While this is great for speed—unlocking latent innovation capacity and improving organizations’ competitive posture—significant security threats, compliance requirements, and operational concerns remain.

The new stakeholders prioritize cloud-native and low-cost open source options over more robust solutions managed by domain experts. This stems from a legitimate concern that dependence on other teams could introduce friction into the process, slowing the pace of innovation. However, common problems with this approach include security and management tool sprawl, lack of visibility into application performance, and significant challenges meeting regulatory compliance mandates. 

Security And Management Tool Sprawl

With around 87% of companies utilizing multi-cloud deployments, according to our 2019 State of Application Services Report, there’s a tendency to use whatever tools are available from the cloud provider. This means using multiple native interfaces to essentially solve the same problem, which results in running into issues with different capabilities, policies, and management interfaces, increasing risk to the business.

Add to that not only the sheer number of apps organizations are managing, but also the complexity of those apps, and the result is a greater threat surface—or area of potential security vulnerability—that enterprises like yours are facing. Today, you have to deal with different web frameworks such as node.js and HTML5, among others, and including application and web servers. Different browsers have access to different applications. With every added layer of complexity, there are more vulnerabilities, and more risk to manage.

So how do you manage this risk? By shifting your focus.

We’ve always been concerned about securing the network. But it’s time to focus on application security, too. Web application firewalls, in particular, are a common way of managing application security. That’s because the bad guys are targeting more than the network. After all, even with a secure network, if there’s a hole in an application, they’re in.

Take that shipping company as an example again. Anyone in the world can access the website for their shipping needs. That’s billions of people. Even if the network is completely locked down, the application could be the way in, since anyone is authorized to use it. So, their greatest risk would be with that application, not its carefully guarded network. For many companies, the application is the weakest link right now. And the hackers know it.

What you need to do is build standardized application services that can be federated globally without impeding innovation from decentralized developer teams. Embrace and enable automation to ensure that security is built in, with security policies defined and managed by experts in their field and stored as artifacts in source code repositories for use in CI/CD automation pipelines rather than hard coded or manually configured as an afterthought. To further (securely) speed application time to market, it’s critical that you only code what is needed and take advantage of reusable infrastructure services, like authentication and web application firewalls.

Lack Of Application Visibility

As of March 2019, there were more than 2.1 million apps available for Android users. Apple’s app store

offers more than 1.8 million apps. And that doesn’t count the millions of enterprise applications that have been developed and deployed. Altogether, we’re probably talking more than a billion applications in play worldwide today.

Want to know a shocking secret? Most organizations cannot tell you what’s going on with their apps at any given time. They don’t know how many apps they have, let alone where those apps live or who has access to them. Even for the most important applications, organizations rarely have consistent visibility into how those apps are performing (e.g., availability, end-user latency), or where to look when something goes wrong.

Whatever your strategy, the goal should be to figure out how to deploy and manage applications in a consistent way across all your different infrastructure silos. The best way to do this—and to get visibility into the pathways for all your applications—is to leverage a consistent set of multi-cloud application services. Common tooling will help you reduce risk, increase repeatability, and reduce defects by re-using consistent services wherever possible, especially across multi-cloud architectures. When deployed across your entire app landscape, these consistent services should allow full inspection of all traffic through the data path, ensuring easy troubleshooting when problems arise and interception and blocking of malicious traffic.

This consistency, and the visibility this approach enables, also helps reduce friction between the different operational teams that need to collaborate to keep apps high-performing and secure.

Compliance Challenges

Many organizations today, particularly ones operating applications across multiple clouds (as the vast majority of organizations are now doing or planning to do), experience significant challenges meeting regulatory compliance mandates.

Like many modern cities, the City of Bellevue’s digital needs have grown dramatically. A decade ago, only a handful of technical workers used its VPN to access systems remotely. Today, all 1,600 employees are enabled for remote work. For the city’s police force, enabling access to sensitive criminal history data means systems must comply with strict federal guidelines, including the federal Criminal Justice Information Services (CJIS) security policy and the related Federal Information Processing Standard (FIPS). Compliance with CJIS and FIPS is enforced through an annual federal audit. Without meeting the standard, police are restricted in the information they can access in the field. Ultimately, the city needed the ability to provide secure, compliant access to all city services.

The solution? Not to sound like a broken record, but we’re back to consistency again. Consistent, auditable security policies integrated into the CI/CD pipeline simplifies compliance, addressing a key obstacle slowing down adoption of DevOps practices and tooling.

When applications are built and deployed, the CI/CD workflow ensures they roll out protected and compliant every time. 

Looking Forward

There’s no doubt that apps are proliferating. Some IT professionals might use the terms “shadow” or “rogue” IT because many of these applications are brought into the organization by business users rather than IT. But derogatory words don’t address the issues that arise when business users take acquiring (or building) applications into their own hands. Rather, think of it as business-led IT—as a partnership between business users and IT in trying to do the best job of attaining the business mission.

Application proliferation is calling for consistent, automatable, and centralized control. It’s common today for enterprises to have their application assets scattered throughout various platforms. In the cloud. In their private data centers. On premises. In various SaaS environments. Businesses are beginning to have a single-pane-of-glass view into their entire application portfolio. With this kind of control, the risks become much easier to manage.

F5’s broad and comprehensive application services portfolio and ubiquitous platform enables organizations to centralize and manage auditable enterprise-grade security and infrastructure services across diverse environments, reducing the cost of change and freeing developers to focus on innovation. 

Related Content

The Multi-Cloud Maze: 5 Principles for Success

Just as virtualization revolutionized IT infrastructure, the rise of the cloud has changed the playing field once again.

Read the eBook ›


It’s 10 p.m. Do you know where your applications are?

Apps are the vehicle through which companies deliver goods and services. Welcome to the age of Application Capital.

Read the blog ›


Addressing Enterprise Multi-Cloud App Management with F5

Dealing with app sprawl? Learn how to simplify the consistent deployment of enterprise-grade security for all your apps.

Join the webinar ›


Simplify Multi-Cloud Application Management

It’s time to implement a policy management strategy that fits your org and your apps. F5 can help.

Read the article ›