How to ensure the availability, integrity, and confidentiality of your apps

7 MIN. READ

Over the past four decades, software has evolved. Back in the days of the mainframe, users accessed centrally stored programs on large multi-user systems. In the 1990s, however, the typical application came on a plastic disc shrink-wrapped in a cardboard box and was installed locally and updated only infrequently.

In some ways, we have come full circle: applications are again increasingly delivered over a network, and application developers are increasingly more involved in operational roles and securing the apps they develop themselves. In this always-on, application-as-a-service world, software vulnerabilities can be quickly exploited and simple DDoS attacks can interrupt service.

For companies that develop their own applications, their programmers need to produce software as part of an end-to-end secure software development life cycle (SDLC). This means focusing on reducing the attack surface of software, eliminating vulnerabilities, and training developers to design and program more securely.

Applying access controls and core security principle

sAt the same time, companies also have to treat cloud applications as operational technology that needs to be managed securely. Because cloud applications are always connected, they can easily be targeted, which makes the timely identification and elimination of vulnerabilities critical. To keep ahead of threats, companies should deploy a vulnerability management process that identifies and triages vulnerabilities and can rapidly automate remediation with a web application firewall (WAF). A WAF is a critical web security control that can buy a company time by blocking an attack while the development team works to fix the code.

Beyond the typical vulnerability management discussion of app security, what else should you be considering? A starting point is with setting the right access control. The authentication, authorization, and accounting (AAA) framework is a critical guide for ensuring you require strong authentication by default, using capabilities like SSO and multifactor authentication. Additionally, authorizing users based on robust, role-based access control (RBAC) that includes at least three roles (e.g. unprivileged user, privileged user, and administrator) helps reduce unintended incidents. And, should an incident occur, ensuring that you log events appropriately will help you pull key details for resolution, such as whic account was used and which system it came from.

In tandem with the AAA framework, looking at app security through the lens of the CIA security principles—confidentiality, integrity, and availability—can highlight additional steps that companies should take to protect their applications and keep services running.

1. Availability—Keeping the application lights on

With workers’ increasing reliance on cloud applications, the availability of cloud services has become critical to business operations. Once only a nuisance, DDoS attacks are now far more able to disrupt business operations.

Recommendations:

• Use DDoS mitigation services designed to block attacks at the edge of the network. In the event of an attack, such a system can actually save you money as the traffic will not cause additional charges due to spikes in cloud use.
• Implement a process for change management. Many companies have caused an outage in their own services after pushing through a flawed update to their infrastructure.
• Use a WAF or DDoS protection appliance to prevent layer 7 (application-level) attacks.

2. Integrity—Ensuring the app is performing as intended

Keeping the digital doors open is a company’s first order of business. Keeping out the bad guys is the second. Development and operations teams need to create secure foundations for access to all their applications and data as discussed in AAA above. They also need to manage change control so unintended changes don’t cause the app to perform in ways that impact the integrity of the data.

Recommendations:

• Implementing tools like WebSafe and a WAF limit the ability for nefarious actors to inject bad data into the application, protecting against a full range of threats to help reduce loss and exposure.
• Application controls that check for completeness of data are also a great way to monitor if one of your upstream controls failed.
• Automated testing of the application configuration can quickly alert operations when defective changes are implemented.

3. Confidentiality—Keeping secrets in the cloud

Data confidentiality needs to be addressed at collection, transport, and rest whether that’s in the cloud or on premises in your data center. Vulnerability management, including a WAF, are the primary controls you should have in place to prevent an application exploit from compromising your app and the confidentiality of the data in it. These days, there is no reason not to use TLS technology to encrypt communications between the user and the web application server. Data kept in the cloud or on premises should also be fully encrypted to prevent unauthorized access.

Recommendations:

• Enable TLS/SSL by default. HTTPS everywhere!
• Strongly encrypt critical data at rest, especially back-end credential stores. A simple password hash is not acceptable anymore. At a minimum, a hash plus salt should be implemented, or any stronger encryption mechanism.
• Implement an in-depth vulnerability management program to catch and triage flaws. To cover vulnerabilities between patch deployments, the virtual patching capabilities of a WAF are highly recommended.
• Securing cloud applications and infrastructure is complex, but viewing them through the lenses of AAA and CIA allow security professionals to approach the discipline holistically and to take actions that support an overall security strategy.

Preston Hogue is the Sr. Director of Security Marketing at F5 Networks. Preston is responsible for global security campaigns, evangelism and thought leadership, including oversight of the F5 Labs application threat intelligence team. Preston has over 20 years’ experience in information security including developing, implementing and managing complex security programs, architecting risk analysis and management, and implementing programs to address regulatory and compliance requirements.