Why Firewalls Fail to Protect Applications
October 03, 2019

Manish Gupta
ShiftLeft

In the first blog of this series, I discussed what would it take to insert security into DevOps and arrived at the helpful mnemonic SECURIDY to capture the key requirements. As a continuation of that blog, I thought it would be valuable to take some of the popular technologies and measure them against this framework to see which are still well-suited for today's world of DevOps, as well as which fall short and why.

Let's start with the security product that organizations spend most of security budgets on — firewalls.

In a private local-area network (LAN), where all important resources were within the LAN (data center, employee machines, etc.), it made sense to create a protective moat between your LAN and the world outside. While you wanted everyone within your LAN to be able to access anything outside (with some restrictions), it clearly didn't make sense to allow everyone on the outside to be able to access the resources within the LAN.

But the world of SaaS (Software-as-a-Service) turns this model upside down. The application(s) are inherently designed to be available to anyone and everyone outside on 443/HTTPS — which is the source of most cyberattacks.

Based on our model of SECURIDY, let's see where firewalls fail. Remember, the focus is on protecting applications and not end users.

Security (S)

Security (S) has to be fast: Here, we aren't talking throughput and latency, for that is definitely where firewalls and some of the other network security devices shine. Instead, we are talking about operational speed. For example, if you are releasing hourly, can you adjust the policies of the security devices hourly or even better automate it?

Again, this isn't feasible with network security devices. Some aspects, such as what rules apply to all applications (e.g., block all access other than 443/HTTPS) can be automated, but anything more requires significant human effort. In traditional LAN networks, the rules and policies that would get modified once a week or once a month now need to happen hourly. This gets a respectable 2 out of 10.

Exact (E)

Exact (E): This is the bane of security, even in traditional networks, which is why there is all this talk of not having enough trained people to look at the alerts created by the security devices. This is necessary for protecting end user machines where the end user has to (perhaps debatable) access various resources and in doing so, gets infected (e.g., spear phishing).

But for applications, we don't have to repeat the same mistakes. Applications are code that we write, and they are written to do something specific, regardless of the richness of their feature functionality. We have a great opportunity to make security for these applications "exact," so we are not adding more alerts to the already monstrous pile our infrastructure security solutions create every hour, every day. On a scale of 1-10, this gets at best a 2.

application centric (C)

Security has to be application centric (C): We use firewalls in our private data centers where we keep our applications to ensure that no one from outside our organization can reach these "private" applications. We also use firewalls to ensure that even employee access is controlled — after all, not everyone needs to have access to every application.

But in SaaS, as we have seen earlier, applications are inherently available to be accessed by everyone. And each application's attack surface is unique, down to the version number of the application. Creating firewall rules — a network-based device — to cater to the attack surface of each application just isn't feasible. It's like protecting a castle using fences when the enemy has planes — landing it at 0 out of 10.

unique (U)

Security has to be unique (U) to each application, each microservice: This is where a firewall — or for that matter, any network security device including Intrusion Detection Systems and web application firewalls — fails miserably. From one version of an application to another, as developers add or subtract functionality, an application's attack surface is changing.

Network security devices are completely blind to these changes. At best, they can continue to do what they do regardless of the application (let alone the application's version) and shift the onus to you on what is relevant and irrelevant in what they detect. On a scale of 1-10, in a firewall's ability to meet the demand of unique security, let's give it a 2.

System of Record (R)

System of Record (R), i.e., understanding whether your security posture is improving or deteriorating as you develop newer versions of the applications: The world of infrastructure security devices is oblivious to the contents of an application so can't help there. This gets a 0 out of 10.

innovation (I)

Scalable with the pace of innovation (I): Infrastructure or network security devices demand they be present in front of every application you want to protect. Hard to do that and be scalable. This gets a 1 out of 10.

developers (D)

Security needs to appeal to developers (D). This is where the concept of "shifting left" is important. Developers are where the application development starts — they are at the left edge of the application continuum. Firewalls (or other network security devices) are deployed once the application is in production. Never the twain shall meet — a 0 out of 10.

functionality (Y)

Business is driven by new functionality (Y): Again, focusing on the infrastructure, and not the application itself becomes a bane of existence for network security solutions. Whether you are innovating at the pace of a snail or at the pace of a cheetah, to network security devices there is no difference. You have to configure them, tune them, edit their policies, and review the alerts created.

So, they are not driven by new functionality, they are instead driven by "you." Can you tune these devices at the pace at which you are adding new functionality? Didn't think you could. Let's score this a 1 out of 10.

As we sum up the scores, we can score the firewalls and network security devices a 11 out of a possible max of 80 in our SECURIDY measurement. Not even a passing grade! Network security has a very important role in our LANs given the diverse, ever-changing nature of employees joining and leaving, and controlling who should be able to access what. But to protect applications that we develop, we can do far better.

Keep an eye on my column as we explore more security products and score them against the SECURIDY framework.

Manish Gupta is CEO at ShiftLeft
Share this

Industry News

February 27, 2020

Datadog announced an integration with Nessus from Tenable.

February 27, 2020

Talend announced the Winter ‘20 release of Talend Data Fabric.

February 27, 2020

Alcide announced that the Alcide Kubernetes Security Platform now supports compliance scans for PCI and GDPR, enabling DevOps to deliver regulatory compliance checks rapidly and seamlessly alongside Alcide’s leading Kubernetes security capabilities.

February 26, 2020

Perforce Software released a free tool for organizations considering open source software - OpenLogic Stack Builder.

February 26, 2020

Applause announced a new partnership with Infosys to provide broader end-to-end digital experience testing services to clients.

February 26, 2020

RapidMiner announced the release of its platform enhancement, RapidMiner 9.6. This update prioritizes people – not technology – at the center of the enterprise AI journey, providing new, unique experiences to empower users of varying backgrounds and abilities.

February 25, 2020

JFrog announced the availability of the "JFrog Platform," a hybrid, multi-cloud, universal DevOps platform.

February 25, 2020

Nureva added new agile canvas templates to Span Workspace, including a heat map developed by Jeff Sutherland, the co-creator of Scrum and founder of Scrum Inc. and Scrum@Scale.

February 25, 2020

Agiloft announced the addition of its new Agiloft AI Engine, complete with prebuilt AI Capabilities for contract management and an open AI integration that allows customers to incorporate custom-built AI tools into the no-code platform.

February 24, 2020

Cloudify announced that its latest product update - Cloudify version 5 - features an Environment as a Service component, designed to achieve consistent delivery and management of hybrid-cloud services and network infrastructures across CI/CD pipelines - at scale.

February 24, 2020

Checkmarx announced new enhancements to its Software Security Platform to empower more seamless implementation and automation of application security testing (AST) in modern development and DevOps environments.

February 24, 2020

Rapid7 and Snyk announced a strategic partnership to deliver end-to-end application security to organizations developing cloud native applications.

February 20, 2020

The American Council for Technology and Industry Advisory Council (ACT-IAC), the premier public-private partnership dedicated to advancing government through the application of information technology, officially announced the release of the DevOps Primer.

It was produced through a collaborative, volunteer effort by a working group from government and industry, hosted by the ACT-IAC Emerging Technology Community of Interest (COI).

February 20, 2020

DLT Solutions, a subsidiary of Tech Data, launched the Secure Software Factory (SSF), a framework that provides the U.S. public sector with consistent development and deployment of high-quality, scalable, resilient and secure software throughout an application’s lifecycle.

February 20, 2020

Netography announced the general availability of the company’s Security Operations Platform.