Security Strategy Needs to Adapt with Attackers and Apps
By: Lee Slaughter, Principal Technical Marketing
98% of businesses depend on applications to run or support their business. This pivot to digital has been accelerated as businesses adapt to their new business normal. The explosion of application adoption includes B2C organizations where an application is the business, as well as organizations that depend heavily on applications for user/business productivity or connections with partners.
Changes in the way applications are designed, built, and deployed have rapidly increased risk. The proliferation of architectures, cloud, and open source software has increased application complexity, resulting in an expanded threat surface. With more points of potential vulnerability to defend, vulnerability discovery becomes more difficult. Additionally, major and critical vulnerabilities are published on a daily basis. But that’s not all—attackers have evolved their methods to be smarter and automated to scale.
Many of the same vulnerabilities continue to exist after 20+ years of application security best practices. F5 Labs has identified threats that leverage automation to discover hosts on the Internet that may be susceptible to open source software vulnerabilities (e.g. CVE-2011-4107 and CVE-2013-3241) in pervasive PHP software. These injection attacks look to exploit weak authentication portals and/or outdated MySQL databases to set up further attacks and/or steal sensitive information. These types of automated attacks are developed almost immediately after publication of an exploit.
On the business front, a clear focus on speed to market is demonstrated in variations of agile software development. The implication is that many of the people who are making decisions with significant ramifications for security—system owners, application architects, DevOps teams—are generally placing other business priorities ahead of security.
If that’s not enough, the threat surface is further exacerbated by password reuse, a reflection of the sheer volume of applications. It is impossible for any human to remember complex and unique passwords for the numerous applications we use. This has given rise to automated credential stuffing attacks, for which the attacker economics are just too good to pass up. As more organizations have implemented systems to recognize blatant brute force and credential stuffing attacks, bad actors adapt and may move to “low-and-slow” techniques that are more difficult to identify without the most advanced security tools, especially if those attacks can emulate human behavior.
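To make the gap between volume-based detection and low-and-slow credential stuffing concrete, here is an added example (not F5's code or tooling) that runs two rules over a constructed authentication log: a short-window failure-count rule that catches blatant brute force, and a long-window rule that looks for one source trying many distinct accounts with a high failure ratio. The log format, source addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(lines):
    """Parse assumed 'timestamp source_ip username OK|FAIL' lines into sorted event tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)

def burst_sources(events, max_fails=5, window=timedelta(seconds=60)):
    """Volume rule: flag a source with more than max_fails failures inside one short window."""
    recent, flagged = defaultdict(list), set()
    for ts, ip, _, ok in events:
        if ok:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > max_fails:
            flagged.add(ip)
    return flagged

def low_and_slow_sources(events, min_users=5, min_fail_ratio=0.8, window=timedelta(hours=24)):
    """Stuffing rule: over a long window a source touches many distinct accounts and mostly fails."""
    by_ip, flagged = defaultdict(list), set()
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged.add(ip)
    return flagged

# Constructed sample log (not real traffic): a burst source hammering one account,
# a low-and-slow source trying a different account every 10 minutes, and one real user.
base = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_LOG = [f"{(base + timedelta(seconds=5 * i)).isoformat()} 203.0.113.9 admin FAIL" for i in range(6)]
SAMPLE_LOG += [f"{(base + timedelta(minutes=10 * i)).isoformat()} 203.0.113.7 user{i} {'OK' if i == 3 else 'FAIL'}" for i in range(8)]
SAMPLE_LOG += [f"{(base + timedelta(minutes=1, seconds=s)).isoformat()} 198.51.100.5 bob {r}" for s, r in ((0, 'FAIL'), (20, 'FAIL'), (40, 'OK'))]

def detect(lines):
    """Return (burst-flagged sources, low-and-slow-flagged sources) for a log."""
    events = parse(lines)
    return burst_sources(events), low_and_slow_sources(events)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Only the burst rule sees 203.0.113.9 and only the long-window rule sees 203.0.113.7, which is why a rate limit alone is not enough once attackers slow down.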
How can we balance business goals and security?
With applications, or components of applications, residing in multiple environments, and implementation of security often being outside of complete InfoSec control, you need tools that can adapt. Security protection must be able to mitigate exploit attempts and downtime across all environments and architectures. Apps are built to be portable, and the policies/configurations set within the tools that protect them must also be portable - security needs to be closer to the app. Further, security must be natively integrated into development frameworks as much as possible to enable strategic business goals like digital transformation and time to market.