Avoiding Frankenstein’s Monstrous Security: Understanding Application Security as a Stack

For about one hour on June 8, dozens of the most-visited websites in the world simply dropped offline. As companies like Amazon, the Guardian, the New York Times, PayPal, Reddit, and Spotify, as well as gov.uk, the site of the UK government, struggled to figure out what happened, the issue was traced back to cloud computing company Fastly.

This single content delivery network failure impacted dozens of websites that together handle hundreds of millions of users—and although the problem was resolved in less than an hour, experts think the cost of that hour is in the hundreds of millions of dollars. To avoid major meltdowns deliberately caused by criminals, it’s essential to recognize the fragility of an online system that has become distributed.

A New Approach to Application Security is Needed

Application security is a complex area, and it’s deceptively easy to think about elements like user authentication, encryption, and WAF distinctly and in isolation. This kind of thought process often leads organizations to adopt a variety of application security tools, platforms, and solutions from different vendors.

In practice, processes like user authentication, malware protection and DDoS mediation are interrelated aspects of the application security stack, and both total cross-functionality and scalability are essential to bringing any application online securely.

Applications have now become microservices-based. This has meant a mish-mash of platforms, including VMs, containers, and applications running on bare metal—and many are still attached to the data. A hybrid solution bridging the old and new is needed, because every application has a unique architecture, depending on its use.

Furthermore, applications have become completely distributed. There’s no single, centralized app any longer; the application is composed of many thousands of small microservices. Infrastructure has also evolved, out of on-premises data centers and into multiple clouds and the edge network.

What does all of this mean? Suddenly, your infrastructure as well as your applications have actually become more vulnerable.

The Scalable Stack Meets Challenges in Application Security

First of all, the attack surface has expanded. Previously, one firewall was enough, because there was one point of attack. Distributed infrastructure means many places for attackers to launch exploits. Sprawling, distributed architecture is not consistently managed or secured, because there is no way anymore to actually build a trust perimeter.

In fact, most of the pain points users experience with application security stem from issues related to complexity, performance, and visibility due to a lack of a scalable platform approach. To bring an application online safely, each component of the application security stack is necessary. But implementing layers of application security from different vendors does not provide a central place to tune security policies and to respond to threats in real-time.

Many organizations fail to implement WAFs because they feel too complicated to implement in terms of policy and management complexity; because WAFs are resource-intensive and complex to manage, many organizations find turning on WAFs brings down performance.

However, a perimeter approach is a structural misfit for the distributed architecture of modern applications. Perimeter security serves 3-tier traditional applications, but it doesn’t provide adequate protection needed for modern microservices based applications. To address concerns about degrading application performance, Avi’s load balancer and WAF can be deployed on a per-app basis. This reduces the overall complexity of WAF deployment with application learning, false-positive mitigation workflows, and reduced complexity in tuning application security policies.

Over-reliance on the signature engine is another key challenge in application security, because it slows performance and increases false positives. As a primary mechanism to detect attacks, signature engines are compute-intensive and can also trigger numerous false positives unless finely tuned, blocking valid traffic. A positive security approach can learn what healthy traffic patterns look like to bypass the signature engine and authorize safe traffic, reducing reliance on signatures and delivering an optimized security pipeline.

A lack of visibility is another issue that causes organizations to mistrust application security measures. When it’s hard to understand how each application tool works, it’s also hard to configure them and to troubleshoot errors. An enterprise grade security stack approach like Avi Networks provides resolves these key pain points that so many organizations experience surrounding application security. 

The Solution: A Seamless, Scalable Stack

To address these issues, and ensure the security cure doesn’t feel worse than the threat, Avi provides real-time visibility, granular insights, and application security analytics in addition to rule matches and traffic monitoring. This visibility helps inform precise policies and provides easy customization of exceptions and rules, significantly speeds up policy tuning.

Modern application development and deployment approaches that include continuous integration and continuous delivery (CI/CD) methods fuel a need for elastic capacity and require a change in approach for application security. CI/CD cannot be hamstrung by monolithic application delivery, and equally security cannot be overlooked.

A resilient platform is the first line of defense against security attacks. Avi’s central control plane and distributed data plane create an elastic application services fabric with centralized policies that enables a rapid response as attack surfaces of new applications, microservices or instances are increased.

The Avi WAF is not a perimeter—it is deployed per application based on specific policies to apply for each app. This opens up a world of customization and security that is just not available with traditional tools.

The platform is also scalable. This enables fast, easy policy tuning far beyond the standard six month updates that leave your applications and systems subject to vulnerability exploits for that long interval—at least.

The trouble with stitching together your application security solution with tools and platforms from different vendors is that you end up with a haphazard result that can never scale the way modern threats demand. The optimized application security pipeline and stack approach to web application security delivers web-scale performance with point-and-click simplicity.

The difference between the two approaches is significant. Avi offers simplicity, visibility, and scalability via its integrated application security stack approach. WAF is only the outermost layer.

A piecemeal approach to application security is bound to fail. To understand why, it’s essential to gain a deeper insight into the way the entire application security stack functions, and how each element works alone and as part of the stack. Find out more in Avi’s whitepaper on application security here.

Go Further

In addition to our whitepaper Achieving a Scalable Application Security Stack, we have several other resources available that you might be interested in. These include our recent How-to video series:

How to Deploy Comprehensive Application Security

How to Enable a Web Application Firewall

How to Set up Applications with SSL Everywhere

How to use Positive Security in the Web Application Firewall

We also have a range of on-demand webinars and whitepapers about application security, such as:

Scalable, Multi-cloud Application Security with WAF

Bringing SaaS Simplicity to Proactive Support and Live Threat Updates

Achieving Web Application Security and Compliance with Intelligent WAF


Leave a Reply

Your email address will not be published. Required fields are marked *