Cybersecurity is an asymmetrical battle. While enterprises plough thousands of hours and millions of dollars into securing their data, attackers only require, relatively speaking, a minuscule investment to find and exploit vulnerabilities.
Recently, as network security measures have grown increasingly mature, the front line of this battle has moved to the application layer – which is to say, the channel through which HTTP requests are made, rather than the more fundamental networking protocols which were once the main route for intrusion.
True to form, malicious actors are making the move earlier and faster, leaving businesses playing catch-up in an environment where security breaches result in ever more punitive consequences for profits and reputation.
App to no good
For attackers, there are a number of advantages in targeting the application layer. Where the target is commercial or open source software, a single vulnerability can potentially grant access to many systems – making for more efficient attacks than assessing network vulnerabilities on a case-by-case basis.
With many businesses still reliant on legacy software, exploits can be found in unpatched systems even where the network they run on is more robust. Perhaps most importantly, in the case of custom in-house software, functionality is often rolled out on a project basis to fulfil specific use cases on short timescales, in which the developers do not have the knowledge or time to thoroughly vet security at the application level.
Whether they are attacking many businesses on a speculative basis or specifically targeting a particular organization’s bespoke systems, there is a huge incentive for malicious actors to target the application layer – and recent reports suggest that such attacks are growing, often in conjunction with other threat vectors.
This creates new challenges for businesses in identifying valuable assets which might be vulnerable to application layer attacks, assessing how much risk is acceptable for each of those assets, and deploying controls to reduce that risk to its acceptable level.
In a routine DevOps process, a software application to fulfil a business-critical function might be developed and deployed within weeks or even days. It’s likely to be web facing, and will collect varying degrees of personal information: anything from names and home addresses to medical histories and credit card numbers.
Collecting all of this information, with the appropriate privacy and compliance requirements, can represent a significant competitive advantage – but without comprehensive risk reduction measures, organizations face the nightmare scenario of finding all of that information dumped onto Pastebin.
Secure delivery
Development teams seeking to harden applications against application layer attacks have several options. One is to design for security and thoroughly vet code before it enters the production environment. Unfortunately, the security expertise and the long, flexible timescale this necessitates are precisely what developers often lack when adding business-critical functionality.
Another is to deploy a web application firewall (WAF). The intention here is to block unauthorized access with a secure layer wrapped around the application – but a single failure here can lead to a catastrophic exposure of data.
Recently, the problems with these approaches have led to the uptake of a third option: runtime application self-protection, or RASP. Consider the ways in which a business might try to ensure that a product which they are having delivered to a customer arrives intact.
If vetting code is like making the product physically robust (effective, but not always possible), and employing a WAF is like wrapping the product in protective material (useful, but only if the bubble wrap stays on the package), then RASP is equivalent to labelling the package as fragile and using a delivery service designed to handle delicate items.
Unlike a WAF, RASP continuously and actively reacts to users’ interactions with the application – monitoring, logging, and if necessary blocking actions at the application layer on the fly. In this way, even if an attacker does breach the WAF’s perimeter, or if a difficult-to-identify door is left open during the development process, RASP’s insight into the application’s logic and data flows can thwart attacks as they happen.
Leading RASP technologies include numerous pre-built logging categories for different application layer actions as well as profiles of common vulnerabilities, ensuring that the application does not become low-hanging fruit for attackers when deployed into the production environment.
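To make the distinction between a WAF and RASP concrete, the following is an added, illustrative example (not code from the original article or from any RASP vendor). It wraps an application's database calls so that every query is inspected at the moment it executes, with knowledge of which request parameters fed it. The detection rule is a deliberate simplification of the taint tracking real products perform: if an untrusted value appears in the SQL text and spans more than one lexical token, the input has changed the statement's structure rather than staying inside a literal, so the call is logged under a category and blocked. The handler names, the sqlite3 database, the logging category and the sample requests are all constructed for the example.

```python
"""Illustrative RASP-style guard (added example; not a product's code).

A WAF only sees the raw HTTP request. An in-process agent sees the moment a
sensitive operation runs (here: a SQL query) together with the untrusted
inputs of the current request, so it can ask a question a WAF cannot:
"did this input change the *structure* of the statement, or is it just data?"
"""
import logging
import re
import sqlite3
from dataclasses import dataclass

log = logging.getLogger("rasp")

# Coarse SQL lexer: strings, comments, numbers, words, single punctuation chars.
TOKEN_RE = re.compile(
    r"""'(?:[^']|'')*'     # single-quoted string literal ('' escapes a quote)
      | "[^"]*"            # double-quoted identifier
      | --[^\n]*           # line comment
      | /\*.*?\*/          # block comment
      | \d+(?:\.\d+)?      # number
      | \w+                # keyword or identifier
      | \S                 # operator / punctuation
    """,
    re.VERBOSE | re.DOTALL,
)


@dataclass
class Verdict:
    allowed: bool
    category: str  # logging category (constructed name), e.g. "sql.structure_change"
    detail: str = ""


def inspect_sql(query: str, untrusted: dict) -> Verdict:
    """Block if any untrusted value appears in the SQL text spanning more than
    one token: data that stayed inside a literal is fine, data that became
    keywords, quotes or operators rewrote the statement."""
    tokens = list(TOKEN_RE.finditer(query))
    for name, value in untrusted.items():
        start = query.find(value) if value else -1
        while start != -1:
            end = start + len(value)
            hit = [t for t in tokens if t.start() < end and t.end() > start]
            if len(hit) > 1:
                return Verdict(False, "sql.structure_change",
                               f"request parameter {name!r} spans {len(hit)} SQL tokens")
            start = query.find(value, start + 1)
    return Verdict(True, "sql.ok")


class RaspAgent:
    """Wraps a sqlite3 connection so every execute() is inspected against the
    untrusted parameters recorded for the current request."""

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn
        self.request: dict = {}
        self.events: list = []  # verdicts; in a real deployment shipped to a SIEM

    def begin_request(self, params: dict) -> None:
        self.request = dict(params)

    def execute(self, sql: str, params=()):
        verdict = inspect_sql(sql, self.request)
        self.events.append(verdict)
        if not verdict.allowed:
            log.warning("blocked %s: %s", verdict.category, verdict.detail)
            raise PermissionError(verdict.detail)
        return self._conn.execute(sql, params)


def legacy_lookup(agent: RaspAgent, user: str) -> list:
    """Hypothetical legacy handler that concatenates input into SQL."""
    return agent.execute(f"SELECT name FROM users WHERE name = '{user}'").fetchall()


def safe_lookup(agent: RaspAgent, user: str) -> list:
    """Parameterized version: the value never enters the SQL text, so the
    guard has nothing to flag and the database treats it purely as data."""
    return agent.execute("SELECT name FROM users WHERE name = ?", (user,)).fetchall()


def run_demo() -> dict:
    """Run constructed benign and hostile requests through both handlers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    agent = RaspAgent(conn)
    results = {}

    agent.begin_request({"user": "alice"})  # constructed benign request
    results["benign"] = len(legacy_lookup(agent, "alice"))

    hostile = "' OR '1'='1"  # constructed tautology input used as detector test data
    agent.begin_request({"user": hostile})
    try:
        legacy_lookup(agent, hostile)
        results["hostile"] = "executed"
    except PermissionError:
        results["hostile"] = "blocked"

    agent.begin_request({"user": hostile})
    results["parameterized_hostile"] = len(safe_lookup(agent, hostile))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the three runs is the one the article makes: the legacy handler with a benign value passes, the same handler with a structure-changing value is blocked at the query boundary regardless of how the request reached the application, and the parameterized handler needs no intervention because the input never becomes part of the statement. A real agent would hook the database driver, HTTP framework and other sinks transparently and would track taint through string operations rather than searching for the raw value; the rule here is intentionally minimal.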
Too often, security is seen as a bottleneck for development, and an enemy of successfully getting critical tools into the hands of users. With RASP, developers can instead make security a boon, accelerating the application lifecycle and freeing developers up to focus on function.