In my two previous blog posts, we’ve looked at the history of infrastructure and software applications as a journey from monolithic and centralized to fragmented and dispersed. Along the way, the tools and processes used to defend infrastructure and applications have also evolved—but not quickly and comprehensively enough. As application security advances to protect against new attacks and vulnerabilities, the threat landscape also evolves and new cyber dangers emerge, like an ever-expanding arms race between cybercriminals and security teams.
This leapfrogging of innovation has reached a new level with the advent of AI. Just as defenders can employ automated AI-driven protections to maintain resilience, bad actors are embracing AI to enhance their attack campaigns.
Today’s increasingly interconnected yet decentralized application environment results in technical complexity and expansive attack surfaces that render the scattershot protections of current security solutions ineffective. Also, even though application security protections continue to evolve to address ever more sophisticated threats, the exploits of yesteryear don’t disappear—they progress, find new targets, and adapt to modern defenses. Applications are under attack from a continuum of threats, requiring a unified approach that combines the potent protections of application security and the incomparable reliability of application delivery controller (ADC) services into a converged platform that offers more complete protection and simpler, more integrated management across diverse IT environments.
Let’s take a look at how application security has evolved in response to changes in infrastructures, applications, and ever-advancing threats.
Early in the digital era, legacy monolithic applications were hosted in data centers and firewalls protected the perimeters of these environments. Everything that needed protection was in one place, and the role of application security was to keep the bad guys from getting in and creating chaos.
As the Internet came into widespread use, the notion of the perimeter shifted, and application security had to adapt to new threats from external networks. Perimeter security expanded as a protective barrier between the trusted internal network and untrusted external networks like the Internet.
Network firewalls became the first line of defense, monitoring and controlling incoming and outgoing network traffic to protect internal networks from unauthorized access, malware, and external intrusions. A new type of firewall—the web application firewall (WAF)—was developed to protect web applications against Layer 7 (application layer) attacks, with the ability to filter and inspect HTTP/HTTPS traffic for malicious patterns.
The turn of the 21st century saw a major shift in the application landscape, and therefore an evolution in application security. A proliferation of applications became available on the web, and applications in on-premises data centers were supplemented by cloud-based applications in distributed infrastructures.
In other words, the protected perimeter that had served as a boundary between trusted and untrusted, us and them, ceased to be the first line of defense. Cloud and decentralized applications made perimeter-based security less effective, and in many cases, inhibited innovation. In addition, reliance on multiple, point-focused protections didn’t deliver consistent, integrated security that could be managed effectively.
As part of this cloud disruption, code became more modular and dispersed, written as or broken into microservices available from third-party libraries and assembled into cloud-based containers far from any perimeter defenses. APIs became the connective tissue of cloud applications, enabling distributed services and applications to connect and communicate with other disparate systems. APIs also enable different apps to exchange data, as when a retail app uses an API to specify the amount owed to an online payment system like PayPal, which sends back a confirmation of payment.
This same period also saw the rise of bots. In common bot-driven attacks like credential stuffing, bots use stolen usernames and passwords to take over online accounts, often leading to fraud. Armies of malicious bots, called botnets, are responsible for distributed denial of service (DDoS) attacks, in which criminals direct large numbers of bots from multiple connected devices to overwhelm websites, servers, or networks. The result is a denial of service to normal, legitimate traffic that impacts an entire online user base.
The security threats ushered in by distributed cloud-based applications, API interfaces, and the proliferation of bots forced organizations to rethink how they protected applications and data. WAFs further evolved into web application and API protection (WAAP) solutions, which are designed to provide protection from a broader range of runtime attacks. WAAP solutions protect both web applications and APIs from modern threats, including DDoS and automated bot attacks, and can secure web apps, APIs, and microservices running in cloud, hybrid, or multicloud environments.
The advent of AI and machine learning is impacting application security in two key ways. AI can be extremely effective at detecting and responding to a wide variety of cyberthreats and is a key component in today’s application security strategies. However, AI applications are themselves highly vulnerable to cyberattacks, and securing AI infrastructure against attacks is a major concern.
In recent years, AI has revolutionized threat and anomaly detection, as AI models can analyze vast amounts of network traffic in real time to detect suspicious patterns. In addition, AI-driven behavioral analytics can identify malicious users and enhance identity authentication and verification to prevent credential abuse. AI models can also power predictive security and enable threat hunting to help foresee zero-day vulnerabilities and anticipate new attack vectors before they cause harm.
As useful as AI can be in strengthening application security, it is itself the target of cyberthreats and must be secured against attacks that can compromise models, poison data, or disrupt services. Attackers may inject malicious samples into training data to compromise model integrity, or manipulate models by feeding them misleading data that can cause incorrect or harmful outputs. AI infrastructure is also susceptible to more traditional threats such as DDoS attacks or ransomware, which can delay or disrupt services.
In addition, AI-powered attacks are used to do everything from automating phishing to spreading malware at greater speed to creating more realistic deepfake impersonations—amplifying the cyber risks for corporations.
Even as application security has evolved to address more sophisticated threats, the attack surface continues to expand—forcing businesses to struggle against inconsistent controls, crushing complexity, and mounting risk exposure. To protect applications in this evolving environment, organizations require a new generation of ADCs that go far beyond the load balancers of the past. What’s needed is ADC 3.0—ADCs transformed into a single, consistent platform that adapts to the unprecedented technological complexity and sophisticated security challenges that businesses face today and into the future.
To learn more, please read our previous blog posts in this series about the evolution of infrastructure and the evolution of applications alongside it, which together created the need for a new generation of ADCs to meet the demands of the AI era.