Why Firewalls Fail to Protect Applications
October 03, 2019

Manish Gupta
ShiftLeft

In the first blog of this series, I discussed what would it take to insert security into DevOps and arrived at the helpful mnemonic SECURIDY to capture the key requirements. As a continuation of that blog, I thought it would be valuable to take some of the popular technologies and measure them against this framework to see which are still well-suited for today's world of DevOps, as well as which fall short and why.

Let's start with the security product that organizations spend most of security budgets on — firewalls.

In a private local-area network (LAN), where all important resources were within the LAN (data center, employee machines, etc.), it made sense to create a protective moat between your LAN and the world outside. While you wanted everyone within your LAN to be able to access anything outside (with some restrictions), it clearly didn't make sense to allow everyone on the outside to be able to access the resources within the LAN.

But the world of SaaS (Software-as-a-Service) turns this model upside down. The application(s) are inherently designed to be available to anyone and everyone outside on 443/HTTPS — which is the source of most cyberattacks.

Based on our model of SECURIDY, let's see where firewalls fail. Remember, the focus is on protecting applications and not end users.

Security (S)

Security (S) has to be fast: Here, we aren't talking throughput and latency, for that is definitely where firewalls and some of the other network security devices shine. Instead, we are talking about operational speed. For example, if you are releasing hourly, can you adjust the policies of the security devices hourly or even better automate it?

Again, this isn't feasible with network security devices. Some aspects, such as what rules apply to all applications (e.g., block all access other than 443/HTTPS) can be automated, but anything more requires significant human effort. In traditional LAN networks, the rules and policies that would get modified once a week or once a month now need to happen hourly. This gets a respectable 2 out of 10.

Exact (E)

Exact (E): This is the bane of security, even in traditional networks, which is why there is all this talk of not having enough trained people to look at the alerts created by the security devices. This is necessary for protecting end user machines where the end user has to (perhaps debatable) access various resources and in doing so, gets infected (e.g., spear phishing).

But for applications, we don't have to repeat the same mistakes. Applications are code that we write, and they are written to do something specific, regardless of the richness of their feature functionality. We have a great opportunity to make security for these applications "exact," so we are not adding more alerts to the already monstrous pile our infrastructure security solutions create every hour, every day. On a scale of 1-10, this gets at best a 2.

application centric (C)

Security has to be application centric (C): We use firewalls in our private data centers where we keep our applications to ensure that no one from outside our organization can reach these "private" applications. We also use firewalls to ensure that even employee access is controlled — after all, not everyone needs to have access to every application.

But in SaaS, as we have seen earlier, applications are inherently available to be accessed by everyone. And each application's attack surface is unique, down to the version number of the application. Creating firewall rules — a network-based device — to cater to the attack surface of each application just isn't feasible. It's like protecting a castle using fences when the enemy has planes — landing it at 0 out of 10.

unique (U)

Security has to be unique (U) to each application, each microservice: This is where a firewall — or for that matter, any network security device including Intrusion Detection Systems and web application firewalls — fails miserably. From one version of an application to another, as developers add or subtract functionality, an application's attack surface is changing.

Network security devices are completely blind to these changes. At best, they can continue to do what they do regardless of the application (let alone the application's version) and shift the onus to you on what is relevant and irrelevant in what they detect. On a scale of 1-10, in a firewall's ability to meet the demand of unique security, let's give it a 2.

System of Record (R)

System of Record (R), i.e., understanding whether your security posture is improving or deteriorating as you develop newer versions of the applications: The world of infrastructure security devices is oblivious to the contents of an application so can't help there. This gets a 0 out of 10.

innovation (I)

Scalable with the pace of innovation (I): Infrastructure or network security devices demand they be present in front of every application you want to protect. Hard to do that and be scalable. This gets a 1 out of 10.

developers (D)

Security needs to appeal to developers (D). This is where the concept of "shifting left" is important. Developers are where the application development starts — they are at the left edge of the application continuum. Firewalls (or other network security devices) are deployed once the application is in production. Never the twain shall meet — a 0 out of 10.

functionality (Y)

Business is driven by new functionality (Y): Again, focusing on the infrastructure, and not the application itself becomes a bane of existence for network security solutions. Whether you are innovating at the pace of a snail or at the pace of a cheetah, to network security devices there is no difference. You have to configure them, tune them, edit their policies, and review the alerts created.

So, they are not driven by new functionality, they are instead driven by "you." Can you tune these devices at the pace at which you are adding new functionality? Didn't think you could. Let's score this a 1 out of 10.

As we sum up the scores, we can score the firewalls and network security devices a 11 out of a possible max of 80 in our SECURIDY measurement. Not even a passing grade! Network security has a very important role in our LANs given the diverse, ever-changing nature of employees joining and leaving, and controlling who should be able to access what. But to protect applications that we develop, we can do far better.

Keep an eye on my column as we explore more security products and score them against the SECURIDY framework.

Manish Gupta is CEO at ShiftLeft
Share this

Industry News

March 27, 2023

Octopus Deploy announced the results KinderSystems has seen working with Octopus. Through the use of Octopus, KinderSystems automates its software deployment processes to meet the complex needs of its customers and reduce the time to deploy software.

March 27, 2023

Elastic Path announced Integrations Hub, a library of instant-on, no-code integrations that are fully managed and hosted by Elastic Path.

March 27, 2023

Yugabyte announced key updates to YugabyteDB Managed, including the launch of the YugabyteDB Managed Command Line Interface (CLI).

March 23, 2023

Ambassador Labs released Telepresence for Docker, designed to make it easy for developer teams to build, test and deliver apps at scale across Kubernetes.

March 23, 2023

Fermyon Technologies introduced Spin 1.0, a major new release of the serverless functions framework based on WebAssembly.

March 23, 2023

Torc announced the acquisition of coding performance measurement application Codealike to empower software developers with even more data that increases skills, job opportunities and enterprise value.

March 23, 2023

Progress announced a free online training and certification program for Progress® OpenEdge®, the flagship Progress application development platform.

March 22, 2023

Opsera announced five patents have been issued to enable enterprise engineering leaders and teams to gain unprecedented end-to-end visibility into their software delivery and accelerate the speed and security of delivery, all while maximizing their investment.

March 22, 2023

DuploCloud announced the general availability of its on-prem solution built on top of Kubernetes, focusing on containerized workloads with near term plans to integrate with on-prem compute, storage and networking vendors.

March 22, 2023

Postman announced the general availability of Postman Flows, a visual tool for creating API applications. Postman Flows simplifies building software by using APIs as the building blocks, allowing anyone to produce workflows, integrations, and automations in a collaborative environment without needing to write a single line of code.

March 22, 2023

SecureAuth announced an alliance partnership with HashiCorp®, enabling organizations to leverage SecureAuth’s advanced passwordless authentication and Multi-Factor Authentication (MFA) device recognition.

March 22, 2023

Backslash Security, a new cloud-native application security solution for enterprise AppSec teams, emerged from stealth.

March 21, 2023

OpenText launched the latest version of ValueEdge -- an innovative modular, cloud-based DevOps and value stream management (VSM) platform.

March 21, 2023

Oracle announced the availability of Java 20, the latest version of the programming language and development platform.

March 21, 2023

Rafay Systems introduced Environment Manager, a solution that empowers enterprise platform teams to improve the developer experience by delivering self-service capabilities for provisioning full-stack environments.