Why Firewalls Fail to Protect Applications
October 03, 2019

Manish Gupta
ShiftLeft

In the first blog of this series, I discussed what it would take to insert security into DevOps and arrived at the helpful mnemonic SECURIDY to capture the key requirements. As a continuation of that blog, I thought it would be valuable to take some of the popular technologies and measure them against this framework to see which are still well-suited for today's world of DevOps, as well as which fall short and why.

Let's start with the security product on which organizations spend the largest share of their security budgets — firewalls.

In a private local-area network (LAN), where all important resources were within the LAN (data center, employee machines, etc.), it made sense to create a protective moat between your LAN and the world outside. While you wanted everyone within your LAN to be able to access anything outside (with some restrictions), it clearly didn't make sense to allow everyone on the outside to be able to access the resources within the LAN.

But the world of SaaS (Software-as-a-Service) turns this model upside down. The application(s) are inherently designed to be available to anyone and everyone outside on 443/HTTPS — which is the source of most cyberattacks.

Based on our model of SECURIDY, let's see where firewalls fail. Remember, the focus is on protecting applications and not end users.

Security (S)

Security (S) has to be fast: Here, we aren't talking throughput and latency, for that is definitely where firewalls and some of the other network security devices shine. Instead, we are talking about operational speed. For example, if you are releasing hourly, can you adjust the policies of the security devices hourly or even better automate it?

Again, this isn't feasible with network security devices. Some aspects, such as what rules apply to all applications (e.g., block all access other than 443/HTTPS) can be automated, but anything more requires significant human effort. In traditional LAN networks, the rules and policies that would get modified once a week or once a month now need to happen hourly. This gets a respectable 2 out of 10.

Exact (E)

Exact (E): This is the bane of security, even in traditional networks, which is why there is all this talk of not having enough trained people to look at the alerts created by the security devices. This is necessary for protecting end user machines, where the end user has to (perhaps debatably) access various resources and, in doing so, gets infected (e.g., spear phishing).

But for applications, we don't have to repeat the same mistakes. Applications are code that we write, and they are written to do something specific, regardless of the richness of their feature functionality. We have a great opportunity to make security for these applications "exact," so we are not adding more alerts to the already monstrous pile our infrastructure security solutions create every hour, every day. On a scale of 1-10, this gets at best a 2.

Application centric (C)

Security has to be application centric (C): We use firewalls in our private data centers where we keep our applications to ensure that no one from outside our organization can reach these "private" applications. We also use firewalls to ensure that even employee access is controlled — after all, not everyone needs to have access to every application.

But in SaaS, as we have seen earlier, applications are inherently available to be accessed by everyone. And each application's attack surface is unique, down to the version number of the application. Creating firewall rules — a network-based device — to cater to the attack surface of each application just isn't feasible. It's like protecting a castle using fences when the enemy has planes — landing it at 0 out of 10.

Unique (U)

Security has to be unique (U) to each application, each microservice: This is where a firewall — or for that matter, any network security device including Intrusion Detection Systems and web application firewalls — fails miserably. From one version of an application to another, as developers add or subtract functionality, an application's attack surface is changing.

Network security devices are completely blind to these changes. At best, they can continue to do what they do regardless of the application (let alone the application's version) and shift the onus to you on what is relevant and irrelevant in what they detect. On a scale of 1-10, in a firewall's ability to meet the demand of unique security, let's give it a 2.
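To make the "application centric" and "unique" points concrete, here is an added illustration (not code from the original post or from ShiftLeft) that contrasts the two policy models. A port-based filter, which is all a classic firewall can evaluate, admits every request that arrives on 443, whatever its path. An application-level allowlist is keyed on the routes the application actually exposes, and because that route table is different in every version, the policy has to change with each release. The application, its versions, the route tables and the sample requests are all constructed for the example.

```python
"""Port filter versus per-version application allowlist (constructed example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    """The few fields a network filter and an application check would look at."""
    dst_port: int
    method: str
    path: str


def port_filter(req: Request, allowed_ports=frozenset({443})) -> bool:
    """A stateless L3/L4 rule: 'allow 443, drop the rest'.

    This is the kind of rule the post describes as automatable for every
    application, and it is blind to what the request does at layer 7.
    """
    return req.dst_port in allowed_ports


# Constructed route tables for a hypothetical service. Version 1.1 adds an
# export endpoint, so its attack surface differs from 1.0 by one route.
ROUTES = {
    "1.0": {("GET", "/health"), ("POST", "/login"), ("GET", "/orders")},
    "1.1": {("GET", "/health"), ("POST", "/login"), ("GET", "/orders"),
            ("POST", "/orders/export")},
}


def normalize_path(raw: str) -> str:
    """Strip the query string and a trailing slash so '/orders?id=1' matches '/orders'."""
    path = urlsplit(raw).path.rstrip("/")
    return path or "/"


def app_allowlist(req: Request, version: str) -> bool:
    """Application-centric policy: only (method, path) pairs the deployed version serves."""
    return (req.method, normalize_path(req.path)) in ROUTES[version]


def attack_surface_delta(old: str, new: str):
    """Routes added and removed between two versions: the change a firewall never sees."""
    return ROUTES[new] - ROUTES[old], ROUTES[old] - ROUTES[new]


# Constructed sample traffic: all but the last request arrive on 443.
SAMPLE = [
    Request(443, "GET", "/health"),
    Request(443, "GET", "/orders?id=7"),
    Request(443, "POST", "/orders/export"),   # only valid once 1.1 is deployed
    Request(443, "GET", "/admin/debug"),      # served by no version
    Request(8080, "GET", "/health"),          # wrong port, dropped by both
]


def evaluate(version: str):
    """Return (path, port_filter verdict, app_allowlist verdict) for each sample request."""
    return [(r.path, port_filter(r), app_allowlist(r, version)) for r in SAMPLE]


if __name__ == "__main__":
    for version in ROUTES:
        print(f"--- application version {version} ---")
        for path, by_port, by_app in evaluate(version):
            print(f"{path:22} port filter: {by_port!s:5} app allowlist: {by_app}")
    added, removed = attack_surface_delta("1.0", "1.1")
    print("routes added in 1.1:", sorted(added), "removed:", sorted(removed))
```

Run it and the port filter column is identical for both versions, while the allowlist column changes for `/orders/export` the moment 1.1 is deployed; `attack_surface_delta` is the per-release diff that a policy keyed on the application could be regenerated from, and that a network device has no way to observe.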

System of Record (R)

System of Record (R), i.e., understanding whether your security posture is improving or deteriorating as you develop newer versions of the applications: The world of infrastructure security devices is oblivious to the contents of an application, so it cannot help here. This gets a 0 out of 10.

Innovation (I)

Scalable with the pace of innovation (I): Infrastructure or network security devices demand that they be present in front of every application you want to protect. It is hard to do that and remain scalable. This gets a 1 out of 10.

Developers (D)

Security needs to appeal to developers (D). This is where the concept of "shifting left" is important. Developers are where the application development starts — they are at the left edge of the application continuum. Firewalls (or other network security devices) are deployed once the application is in production. Never the twain shall meet — a 0 out of 10.

Functionality (Y)

Business is driven by new functionality (Y): Again, focusing on the infrastructure, and not the application itself becomes a bane of existence for network security solutions. Whether you are innovating at the pace of a snail or at the pace of a cheetah, to network security devices there is no difference. You have to configure them, tune them, edit their policies, and review the alerts created.

So, they are not driven by new functionality, they are instead driven by "you." Can you tune these devices at the pace at which you are adding new functionality? Didn't think you could. Let's score this a 1 out of 10.

As we sum up the scores, we can score firewalls and network security devices an 11 out of a possible maximum of 80 in our SECURIDY measurement. Not even a passing grade! Network security has a very important role in our LANs given the diverse, ever-changing nature of employees joining and leaving, and controlling who should be able to access what. But to protect applications that we develop, we can do far better.

Keep an eye on my column as we explore more security products and score them against the SECURIDY framework.

Manish Gupta is CEO at ShiftLeft
