COMMENTARY: As a veteran security practitioner, I’ve grown accustomed to discovering emerging threats and new attack methodologies and witnessing agile security vendors playing catch up with new products. However, with evolving technologies comes evolving risks and there remain several acute and unrelenting pain points. For the past 20 years, the security community has been plagued by a consistent application security blind spot that has not been resolved.
No matter the organization’s size, industry or business model, in-house applications have evolved from a single tech stack to multiple, with increasing complexity and decreasing visibility. Traditionally, applications were monolithic: a single, self-contained unit running on a single server. Firewalls and perimeter defenses sufficed in these cases. The explosion of microservices and distributed development in the modern software landscape has fundamentally reshaped the way these services communicate and how they affect the application environment. While beneficial for scalability, agility and resilience, the growing number of components spread across various locations presents a host of new security challenges that existing security tools are consistently unable to address.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
These question marks and blind spots get worse as we move into runtime and live environments. Security practitioners contend with a variety of questions when faced with a vulnerability that may or may not affect our application: Where are the relevant logs? Are we seeing the entire picture? How do I know if this vulnerability is malicious, and where does it move to? There are numerous unknowns regarding context, critical information, logs and execution. Logging may help, but cannot offer the comprehensive context required for investigations, or may miss important features, adding to the complexity.
These obstacles make it difficult to pinpoint where the exploit execution takes place within the application, which part of the infrastructure has been unaffected and where to begin mitigating. Now multiply the chaos. Security teams are often integrated into different product groups and lack the tools and comprehensive understanding to see the entire application stack, making it that much more difficult to devise a cohesive investigation and assessment strategy – let alone remediate the vulnerability. When we’re dealing with large and complex applications, these teams rarely communicate with each other. There may be changes in one team that affect the others, but without an overarching view, there’s no effective way to alert on high-impact changes to the application stack.
Application detection and response (ADR) has emerged as a new AppSec category that rises to the challenge and fills in the gaps left by other detection and response products, by getting deep into the application rather than protecting it externally.
Web application firewalls (WAFs) mainly focus on traffic coming into the application through the web interface, without insights into the internal communication between various microservices in a distributed application.
They are great for blocking known attack signatures, but remain completely blind to unknown risks and anomalies. Typically relying on static analysis of incoming traffic, WAFs are easily bypassed by more sophisticated attackers. Runtime application self-protection (RASP) products offer strong application-level security, but have a limited scope, protecting specific vulnerabilities within the application code itself. Relevant for small use cases and a specifically designed tech stack, RASP tools are often cumbersome to deploy, complex to integrate with existing development and security tools and expensive to maintain.
The introduction of ADR tools radically changes the existing AppSec landscape. Let’s compare it to a highly effective, game-changing security platform from the endpoint protection world like CrowdStrike's Falcon, which goes beyond traditional antivirus protection by leveraging machine learning and behavioral analysis to offer a deep level of insight, not just signature-based blocking. Operating in real-time, much like ADR tools, Falcon detects and responds to threats as they happen.
ADR tools can map the application flow – a day-one win for security and engineering teams. When a vulnerability gets detected, ADR tools tell them which components are involved and allow them to “double click” into affected areas. Instead of setting static ground rules, security teams can now see how data moves back and forth and set a baseline to spot anomalies. Deployment of these tools tends to be integrated within the application, so teams can actually see exploit attempts where they are and put rules in front of them, making them easier to block. Such integration effectively adds a second layer of authentication, reauthenticates or ends the session completely. These options are game changers, revoking the need to keep asking developers to respond and being able to do so at scale.
By transitioning application security from reactive to proactive, ADR addresses the shortcomings of traditional tools. Tailored for the intricacies of modern, distributed applications and the ever-evolving tactics of attackers, ADR offers a much-needed shift. This revitalization holds the promise of being the long-awaited answer to the two-decade-old struggle of effectively securing applications in today's fast-evolving threat landscape.
Ray Espinoza, chief information security officer, Inspectiv
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
