
Why You Can’t See The App For The Microservices

By: Yaffa Finkelstein, Product Marketing Manager, Check Point Software Technologies

Last week, with school cancelled yet again, I watched my preschooler painstakingly build a complex bridge for his toy cars. He was immersed in the construction; precariously balancing a combination of Lego boards and wooden blocks, focused solely on maintaining a uniformity of construction, high enough to allow him to pass a train underneath the bridge.

He paid no attention to his younger sibling who waited until all the pieces were in place, and with a hammy fist knocked over all of his hard work.

We’ve all been there: caught up in the details of a complex project, until someone quickly reminds you that you’ve lost perspective. In this case, all of the pieces of the construction were set properly, but there was nothing in place to protect the structure.

There are many Workload Protection solutions on the market which inadvertently put your applications at risk. While many claim to offer best-in-breed container security, serverless security or protection for virtual machines, they do not address the most important part of the workload, and the main business driver for any enterprise in 2021: the application. You can have a best-in-breed solution for every single microservice and cloud-native service. You can architect a highly complex deployment with security for each microservice, but if a bad actor wants to attack your application itself, there is nothing in place to stop them.

So many of our newer customers have expressed frustration at the fragmented state of most workload protection solutions, and the lack of workload security platforms which address the need for modern application security. They all express a need for automated application security which remains effective even as the application evolves, and an approach to AppSec that puts the application at the heart of their workload protection strategy.

Application security has been the bane of the security professional’s life for many years. Applications of the ‘90s were simple monoliths, updated perhaps monthly if the development team could scale up quickly. Application security was an afterthought, and in order to let developers and QA teams keep moving, AppSec was implemented at the perimeter: a web application firewall (WAF) maintained a list of known attack signatures and took a binary decision on each web request. When a request comes in, the WAF tries to find a match in the attack-signature database, and if there is a hit, the request is denied.

The WAF market’s one-size-fits-all approach worked relatively well until the advent of cloud computing when DevOps effectively rendered the WAF useless. As AppSec vendors tried to automate security in the same way that DevOps automated development, it became clear that legacy WAFs were unable to handle the rapid pace of development.

Security groups were tasked with the expensive, laborious and painstaking work of maintaining lists of rules and exceptions which had to be updated with each new app update. In the age of automation and DevOps, where workload protection is front of mind for every security organisation, it is critical that application security is addressed with the same level of importance – it too needs to be automated, and tied into a unified security platform.
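To make the binary signature decision and the rule-and-exception maintenance burden concrete, here is an added Python simulation; it is not code from the post or from any Check Point product, and the signature patterns, endpoints and request contents are all constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed attack-signature database: name -> regex applied to the whole
# request (path, query string and body), as a perimeter WAF would do.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
    "xss-script-tag": re.compile(r"<script\b", re.IGNORECASE),
}

@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""

@dataclass
class Waf:
    # Exceptions are (path, signature name) pairs an operator adds so that a
    # legitimate request is not blocked; they are keyed to the app as it is today.
    exceptions: set = field(default_factory=set)

    def decide(self, req: Request) -> Tuple[str, Optional[str]]:
        """Binary decision: ('deny', signature) on the first hit, else ('allow', None)."""
        haystack = f"{req.path}?{req.query}\n{req.body}"
        for name, pattern in SIGNATURES.items():
            if pattern.search(haystack) and (req.path, name) not in self.exceptions:
                return "deny", name
        return "allow", None

def simulate_release_cycle() -> dict:
    """Run one constructed app through two releases and record the WAF's decisions."""
    waf = Waf()
    attack = Request("GET", "/search", query="q=' OR 1=1")
    # A notes app whose users legitimately paste HTML snippets into the body.
    legit_v1 = Request("POST", "/notes", body="how to embed <script> safely")
    results = {}
    results["attack_v1"] = waf.decide(attack)            # ('deny', 'sqli-tautology')
    results["legit_v1"] = waf.decide(legit_v1)           # ('deny', 'xss-script-tag'): false positive
    waf.exceptions.add(("/notes", "xss-script-tag"))     # operator adds an exception by hand
    results["legit_v1_excepted"] = waf.decide(legit_v1)  # ('allow', None)
    # Next release moves the endpoint; the hand-written exception is now stale.
    legit_v2 = Request("POST", "/api/v2/notes", body=legit_v1.body)
    results["legit_v2"] = waf.decide(legit_v2)           # ('deny', 'xss-script-tag') again
    return results
```

Each app release that renames or adds an endpoint reopens the exception list, which is the manual loop the paragraph above describes.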
