How to ensure the availability, integrity, and confidentiality of your apps

F5 Ecosystem | March 20, 2017


Over the past four decades, software has evolved. Back in the days of the mainframe, users accessed centrally stored programs on large multi-user systems. In the 1990s, however, the typical application came on a plastic disc shrink-wrapped in a cardboard box and was installed locally and updated only infrequently.

In some ways, we have come full circle: applications are again increasingly delivered over a network, and application developers are increasingly more involved in operational roles and securing the apps they develop themselves. In this always-on, application-as-a-service world, software vulnerabilities can be quickly exploited and simple DDoS attacks can interrupt service.

For companies that develop their own applications, their programmers need to produce software as part of an end-to-end secure software development life cycle (SDLC). This means focusing on reducing the attack surface of software, eliminating vulnerabilities, and training developers to design and program more securely.

Applying access controls and core security principles

At the same time, companies also have to treat cloud applications as operational technology that needs to be managed securely. Because cloud applications are always connected, they can easily be targeted, which makes the timely identification and elimination of vulnerabilities critical. To keep ahead of threats, companies should deploy a vulnerability management process that identifies and triages vulnerabilities and can rapidly automate remediation with a web application firewall (WAF). A WAF is a critical web security control that can buy a company time by blocking an attack while the development team works to fix the code.

Beyond the typical vulnerability management discussion of app security, what else should you be considering? A starting point is setting the right access control. The authentication, authorization, and accounting (AAA) framework is a critical guide for ensuring you require strong authentication by default, using capabilities like SSO and multifactor authentication. Additionally, authorizing users based on robust, role-based access control (RBAC) that includes at least three roles (e.g. unprivileged user, privileged user, and administrator) helps reduce unintended incidents. And, should an incident occur, ensuring that you log events appropriately will help you pull key details for resolution, such as which account was used and which system it came from.
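The authorization and accounting half of that AAA advice, as an added example that is not part of the original post: three ordered roles, deny-by-default authorization, and an audit record that captures which account acted and from which system. The role names follow the post; the actions, accounts and hosts are hypothetical.

```python
"""Added example (not from the F5 post): RBAC authorization with an audit trail."""
import json
from datetime import datetime, timezone

# Ordered roles: a higher level satisfies any lower requirement.
ROLE_LEVEL = {"unprivileged": 0, "privileged": 1, "administrator": 2}

# Minimum role required for each action (hypothetical actions).
# Actions not listed here are denied by default.
REQUIRED_ROLE = {
    "view_report": "unprivileged",
    "export_data": "privileged",
    "change_config": "administrator",
}

AUDIT_LOG = []  # in production this would be shipped to a central log collector


def authorize(account, role, source_host, action):
    """Return True if `role` may perform `action`; every decision is logged."""
    required = REQUIRED_ROLE.get(action)
    allowed = (
        required is not None
        and role in ROLE_LEVEL
        and ROLE_LEVEL[role] >= ROLE_LEVEL[required]
    )
    # Accounting: record enough to answer "which account, from which system?"
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "account": account,
        "source": source_host,
        "role": role,
        "action": action,
        "result": "allow" if allowed else "deny",
    }))
    return allowed


if __name__ == "__main__":
    authorize("alice", "unprivileged", "10.0.0.5", "change_config")  # deny
    authorize("bob", "administrator", "10.0.0.6", "export_data")     # allow
    for line in AUDIT_LOG:
        print(line)
```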


In tandem with the AAA framework, looking at app security through the lens of the CIA security principles—confidentiality, integrity, and availability—can highlight additional steps that companies should take to protect their applications and keep services running.

1. Availability—Keeping the application lights on

With workers’ increasing reliance on cloud applications, the availability of cloud services has become critical to business operations. Once only a nuisance, DDoS attacks are now far more able to disrupt business operations.

Recommendations:

  • Use DDoS mitigation services designed to block attacks at the edge of the network. In the event of an attack, such a system can actually save you money as the traffic will not cause additional charges due to spikes in cloud use.
  • Implement a process for change management. Many companies have caused an outage in their own services after pushing through a flawed update to their infrastructure.
  • Use a WAF or DDoS protection appliance to prevent layer 7 (application-level) attacks.

2. Integrity—Ensuring the app is performing as intended

Keeping the digital doors open is a company’s first order of business. Keeping out the bad guys is the second. Development and operations teams need to create secure foundations for access to all their applications and data as discussed in AAA above. They also need to manage change control so unintended changes don’t cause the app to perform in ways that impact the integrity of the data.

Recommendations:

  • Implementing tools like WebSafe and a WAF limits the ability of nefarious actors to inject bad data into the application, protecting against a full range of threats to help reduce loss and exposure.
  • Application controls that check for completeness of data are also a great way to monitor if one of your upstream controls failed.
  • Automated testing of the application configuration can quickly alert operations when defective changes are implemented.

3. Confidentiality—Keeping secrets in the cloud

Data confidentiality needs to be addressed at collection, in transport, and at rest, whether that’s in the cloud or on premises in your data center. Vulnerability management and a WAF are the primary controls you should have in place to prevent an application exploit from compromising your app and the confidentiality of the data in it. These days, there is no reason not to use TLS to encrypt communications between the user and the web application server. Data kept in the cloud or on premises should also be fully encrypted to prevent unauthorized access.

Recommendations:

  • Enable TLS/SSL by default. HTTPS everywhere!
  • Strongly encrypt critical data at rest, especially back-end credential stores. A simple, unsalted password hash is no longer acceptable. At a minimum, passwords should be stored as a salted hash, or protected with any stronger mechanism.
  • Implement an in-depth vulnerability management program to catch and triage flaws. To cover vulnerabilities between patch deployments, the virtual patching capabilities of a WAF are highly recommended.

Securing cloud applications and infrastructure is complex, but viewing them through the lenses of AAA and CIA allows security professionals to approach the discipline holistically and to take actions that support an overall security strategy.
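The "hash plus salt" recommendation for credential stores above, as an added example that is not part of the original post: a bare hash beside a per-account salted, slow hash with constant-time verification. The post names no algorithm, so PBKDF2-HMAC-SHA256 from the Python standard library and the iteration count are assumptions.

```python
"""Added example (not from the F5 post): bare hash vs. salted password hash."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to your hardware budget


def weak_hash(password: str) -> str:
    """Bare SHA-256 as a 'simple password hash': identical passwords give identical
    digests, so precomputed tables and cross-account matching both apply."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: bytes = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' with a fresh random 16-byte salt.
    The salt is not secret; it just makes each stored hash unique."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so timing does not leak how many leading bytes matched."""
    iters, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Two accounts with the same (constructed) password: weak hashes collide,
    # salted records do not.
    print(weak_hash("hunter2") == weak_hash("hunter2"))      # True
    print(make_record("hunter2") == make_record("hunter2"))  # False
```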

Preston Hogue is the Sr. Director of Security Marketing at F5 Networks. Preston is responsible for global security campaigns, evangelism and thought leadership, including oversight of the F5 Labs application threat intelligence team. Preston has over 20 years’ experience in information security including developing, implementing and managing complex security programs, architecting risk analysis and management, and implementing programs to address regulatory and compliance requirements.
