This post is an excerpt from our recent research brief, How a Layered Approach Improves Security, written in partnership with Brocade.
To reinforce authentication procedures, Niko Agnos, Federal Software Territory Account Manager, and Darren Rivey, Federal Software Systems Engineer at Brocade, advised creating an additional level of security at the application layer. That way, applications remain protected even if initial authentication procedures are faulty or circumvented by hackers. Think of it like adding additional protection to your house to keep out intruders, rather than just relying on the fence surrounding your yard. With bars on your windows or an alarm at your front door, you are better prepared should someone get past your perimeter of defense.
This tactic is especially necessary given current IT deployment practices that focus on operational, rather than security, needs.
“Applications are built for business-specific requirements,” Rivey explained. “As a result, there’s not much attention paid to the security of the application because it’s thought that others (outside of the IT operations team) will look after the security.”
“When the application is being built, it’s actually very common that security defects remain, and the existing security infrastructure doesn’t protect against them,” he said.
While some application vulnerabilities can be solved quickly with a patch in a third-party component or operating system (OS) module, it is not unusual for logic flaws or data leaks to take months to solve in production systems — leaving doors open for hackers. Some off-the-shelf applications can go unpatched for a year or more, depending on the priorities of the application vendors and the perception of risk.
When applications aren’t secure, access policies aren’t effectively enforced at the application layer. And, as Agnos explained, many of today’s firewalls don’t prevent malicious traffic from getting to that layer.
“What you see in the federal space is that the most common firewalls are all focused on things that are done in the infrastructure,” he said. “But right now the information that’s being compromised is further up the stack at the application level.” As a result, many hackers are targeting the application layer because it is most often left vulnerable.
To remedy this vulnerability and ensure appropriate access, agencies can safeguard their applications with real-time policy enforcement, including transparent secure session management, URL encryption and form-field virtualization.
Brocade Virtual Web Application Firewall (vWAF) is a massively scalable solution for application-level security. It can apply business rules to HTTP(S) traffic, inspecting and blocking attacks such as SQL injection and cross-site scripting, while filtering outgoing traffic to mask personally identifiable information such as Social Security numbers, and help maintain compliance with federal risk management frameworks.
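To make the two application-layer controls described above concrete, here is an added example written for this post; it is not code from Brocade or from vWAF. It is a small WSGI middleware that, independently of whatever the perimeter firewall or session layer decided, checks the request path against a role-based access table and then scrubs Social Security numbers out of the backend's response before it leaves. The policy table, the `app.role` environ key, the `demo_app` backend and the record it returns are all constructed assumptions for the demonstration.

```python
"""Application-layer enforcement point (illustrative, not vWAF code)."""
import re
from typing import Callable, Dict, Iterable, Set, Tuple

# Constructed policy: which roles may reach which URL prefixes. Longest prefix wins.
ACCESS_POLICY: Dict[str, Set[str]] = {
    "/admin/": {"admin"},
    "/records/": {"admin", "clerk"},
    "/": {"admin", "clerk", "guest"},
}

# Matches a US SSN written as nnn-nn-nnnn; intentionally simple for the demo.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def mask_ssns(text: str) -> str:
    """Replace all but the last four digits of every SSN-shaped token."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def allowed(path: str, role: str, policy: Dict[str, Set[str]] = ACCESS_POLICY) -> bool:
    """Longest-prefix match of the request path against the policy table."""
    for prefix in sorted(policy, key=len, reverse=True):
        if path.startswith(prefix):
            return role in policy[prefix]
    return False  # no matching rule: deny by default


class AppLayerFilter:
    """WSGI middleware: authorize the request, then scrub the response body."""

    def __init__(self, app: Callable, policy: Dict[str, Set[str]] = ACCESS_POLICY):
        self.app = app
        self.policy = policy

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        # Assumption: the session layer placed the authenticated role in
        # environ["app.role"]. A missing or unknown role matches no rule.
        role = environ.get("app.role", "")
        path = environ.get("PATH_INFO", "/")
        if not allowed(path, role, self.policy):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden by application-layer policy\n"]

        captured: dict = {}

        def capture(status, headers, exc_info=None):
            # Hold the backend's status/headers until the body has been filtered.
            captured["status"] = status
            captured["headers"] = headers

        body = b"".join(self.app(environ, capture))
        scrubbed = mask_ssns(body.decode("utf-8", "replace")).encode("utf-8")
        # Masking can change the length, so recompute Content-Length.
        headers = [(k, v) for k, v in captured["headers"] if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(scrubbed))))
        start_response(captured["status"], headers)
        return [scrubbed]


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed backend that leaks an SSN in its response (a logic flaw)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Record for Jane Doe, SSN 123-45-6789\n"]


def run(path: str, role: str, app: Callable = demo_app) -> Tuple[str, bytes]:
    """Drive the filtered app for one request; return (status, body)."""
    environ = {"PATH_INFO": path, "app.role": role, "REQUEST_METHOD": "GET"}
    out: dict = {}

    def start_response(status, headers, exc_info=None):
        out["status"] = status

    body = b"".join(AppLayerFilter(app)(environ, start_response))
    return out["status"], body


if __name__ == "__main__":
    for path, role in [("/records/42", "clerk"), ("/admin/users", "clerk"), ("/records/42", "")]:
        print(path, role or "<no role>", "->", run(path, role))
```

The point of the example is the second layer: even though `demo_app` itself enforces nothing and leaks an SSN, a clerk reaching `/admin/` is refused and the record served at `/records/` leaves with the SSN masked. In a real deployment the role would come from a verified session, the policy would be loaded from configuration rather than a module constant, and the masking pattern would be tuned to the data the application actually handles.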
To learn more about a layered approach to security, be sure to check out our recent industry perspective, How a Layered Approach Improves Security.