Application security describes protective measures taken at the application level to prevent data or code within the app from being stolen or hijacked. These measures can include both hardware and software, as well as processes which identify threats and minimise risk.
In the past, placing layers of security around your applications and data may have sufficed. But those days are long gone. With the threat landscape evolving and cyber criminals testing the limits of security systems, there is increasing pressure on development teams to provide better security at the application layer.
Application development is as old as computers themselves; however, we have seen a significant change in the way applications are developed. With this change, security controls have needed to adapt to this new paradigm.
Traditionally, applications are developed as a monolithic construct where all the code is written, compiled and published. In this development scenario, any change is significant and delivery of the application can take weeks or even months. From a security perspective, it makes troubleshooting or correcting a vulnerability cumbersome.
Modern applications driven by cloud computing and ‘Agile’ have changed the way applications are constructed. Code is now delivered through a series of microservices and as an Application Programing Interface (API). Delivery of code is now measured in minutes hours or days. Now, when something needs to be done from a security perspective, a single service can be brought down, fixed and uploaded.
Why the cloud?
Nowadays, many organisations are taking to the cloud to develop their applications in a flexible and scalable environment.
Security has traditionally been a problem for the cloud; in the early days of development, security was often cited by IT teams as one of the main barriers to adoption. From misconfiguration of the application setup, unauthorised access and account hijacking to insecure APIs and interfaces, cloud security has been plagued by a number of threats which businesses still need to be wary of.
However, moving apps to the public cloud does not necessarily mean sacrificing security. In fact, data security and privacy are now considered major benefits of cloud-based systems.
Over time, cloud service providers have continued to bolster their security offerings — hiring the best talent and deploying the best technology and methods to secure their networks. These approaches and mechanisms are superior to the types found within enterprises.
Cloud service providers are also more capable of handling distributed Denial-of-Service (DoS) attacks, spoofing and other infrastructure attacks than most organisations and will utilise a full suite of security tools to protect their environment. These tools could include network monitoring solutions, anti-malware software and application firewalls, all of which enable the confident deployment of enterprise-wide container strategies across multi-cloud and on-premise environments.
It is also important to have good development practices that encourage coding out known vulnerabilities. Guardrails that offer security and control in the cloud need to be sourced and correctly configured, and secure patterns must be developed and published as part of continuous integration and/or continuous delivery (CI/CD).
What does security transformation look like?
Whether they are creating new applications for the public cloud or migrating existing applications, developers need to focus on three key areas: data protection, Identity and Access Management (IAM) and Development Security Operations (DevSecOps).
Data security is essential to prevent applications from creating a path to corporate data. Often, developers fail to consider adequate protection of the platform — protecting access to the data but not the actual database, which is exposed in the platform. To tackle this vulnerability, it is essential to encrypt data as this will render copied data files useless. Many databases within public clouds also have their own security systems, which include data encryption and authorisation levels to grant users appropriate access.
As applications are authorised to read and write to a database, it is also crucial to set up identity-based access to the application and monitoring activity to ensure the user does not display hacker patterns.
IAM should also be built into applications to ensure access privileges are granted according to policies set by both the developers and security administrators. For example, Application Programming Interfaces (APIs) can determine whether a user is authorised to access the application, the platform, the services and the data. Tools such as aapi allow businesses to configure internal and external APIs and enforce policies through an API gateway.
After staging and deploying an application in the cloud, constant monitoring and testing are vital in the operations phase, too. As such, we are seeing a shift from DevOps to DevSecOps, where continuous testing also includes continuous security testing.
At Burning Tree, we use a holistic approach to information security architecture — delivering security solutions across your IT infrastructure and transitioning your applications and systems safely to the cloud. To find out more about our security transformation services, get in touch today.