Why Firewalls Fail to Protect Applications
October 03, 2019

Manish Gupta
ShiftLeft

In the first blog of this series, I discussed what would it take to insert security into DevOps and arrived at the helpful mnemonic SECURIDY to capture the key requirements. As a continuation of that blog, I thought it would be valuable to take some of the popular technologies and measure them against this framework to see which are still well-suited for today's world of DevOps, as well as which fall short and why.

Let's start with the security product that organizations spend most of security budgets on — firewalls.

In a private local-area network (LAN), where all important resources were within the LAN (data center, employee machines, etc.), it made sense to create a protective moat between your LAN and the world outside. While you wanted everyone within your LAN to be able to access anything outside (with some restrictions), it clearly didn't make sense to allow everyone on the outside to be able to access the resources within the LAN.

But the world of SaaS (Software-as-a-Service) turns this model upside down. The application(s) are inherently designed to be available to anyone and everyone outside on 443/HTTPS — which is the source of most cyberattacks.

Based on our model of SECURIDY, let's see where firewalls fail. Remember, the focus is on protecting applications and not end users.

Security (S)

Security (S) has to be fast: Here, we aren't talking throughput and latency, for that is definitely where firewalls and some of the other network security devices shine. Instead, we are talking about operational speed. For example, if you are releasing hourly, can you adjust the policies of the security devices hourly or even better automate it?

Again, this isn't feasible with network security devices. Some aspects, such as what rules apply to all applications (e.g., block all access other than 443/HTTPS) can be automated, but anything more requires significant human effort. In traditional LAN networks, the rules and policies that would get modified once a week or once a month now need to happen hourly. This gets a respectable 2 out of 10.

Exact (E)

Exact (E): This is the bane of security, even in traditional networks, which is why there is all this talk of not having enough trained people to look at the alerts created by the security devices. This is necessary for protecting end user machines where the end user has to (perhaps debatable) access various resources and in doing so, gets infected (e.g., spear phishing).

But for applications, we don't have to repeat the same mistakes. Applications are code that we write, and they are written to do something specific, regardless of the richness of their feature functionality. We have a great opportunity to make security for these applications "exact," so we are not adding more alerts to the already monstrous pile our infrastructure security solutions create every hour, every day. On a scale of 1-10, this gets at best a 2.

application centric (C)

Security has to be application centric (C): We use firewalls in our private data centers where we keep our applications to ensure that no one from outside our organization can reach these "private" applications. We also use firewalls to ensure that even employee access is controlled — after all, not everyone needs to have access to every application.

But in SaaS, as we have seen earlier, applications are inherently available to be accessed by everyone. And each application's attack surface is unique, down to the version number of the application. Creating firewall rules — a network-based device — to cater to the attack surface of each application just isn't feasible. It's like protecting a castle using fences when the enemy has planes — landing it at 0 out of 10.

unique (U)

Security has to be unique (U) to each application, each microservice: This is where a firewall — or for that matter, any network security device including Intrusion Detection Systems and web application firewalls — fails miserably. From one version of an application to another, as developers add or subtract functionality, an application's attack surface is changing.

Network security devices are completely blind to these changes. At best, they can continue to do what they do regardless of the application (let alone the application's version) and shift the onus to you on what is relevant and irrelevant in what they detect. On a scale of 1-10, in a firewall's ability to meet the demand of unique security, let's give it a 2.

System of Record (R)

System of Record (R), i.e., understanding whether your security posture is improving or deteriorating as you develop newer versions of the applications: The world of infrastructure security devices is oblivious to the contents of an application so can't help there. This gets a 0 out of 10.

innovation (I)

Scalable with the pace of innovation (I): Infrastructure or network security devices demand they be present in front of every application you want to protect. Hard to do that and be scalable. This gets a 1 out of 10.

developers (D)

Security needs to appeal to developers (D). This is where the concept of "shifting left" is important. Developers are where the application development starts — they are at the left edge of the application continuum. Firewalls (or other network security devices) are deployed once the application is in production. Never the twain shall meet — a 0 out of 10.

functionality (Y)

Business is driven by new functionality (Y): Again, focusing on the infrastructure, and not the application itself becomes a bane of existence for network security solutions. Whether you are innovating at the pace of a snail or at the pace of a cheetah, to network security devices there is no difference. You have to configure them, tune them, edit their policies, and review the alerts created.

So, they are not driven by new functionality, they are instead driven by "you." Can you tune these devices at the pace at which you are adding new functionality? Didn't think you could. Let's score this a 1 out of 10.

As we sum up the scores, we can score the firewalls and network security devices a 11 out of a possible max of 80 in our SECURIDY measurement. Not even a passing grade! Network security has a very important role in our LANs given the diverse, ever-changing nature of employees joining and leaving, and controlling who should be able to access what. But to protect applications that we develop, we can do far better.

Keep an eye on my column as we explore more security products and score them against the SECURIDY framework.

Manish Gupta is CEO at ShiftLeft
Share this

Industry News

August 06, 2020

Push Technology announced the launch of a new Kafka Adapter for their Diffusion Intelligent Data Mesh.

August 06, 2020

Appvia announced the launch of its Cost Prediction and Visibility tool, integrated within the latest version of its Kore platform.

August 06, 2020

LogiGear announced the newest addition to the TestArchitect™ family, TestArchitect Gondola.

August 05, 2020

Logz.io announced a partnership with HashiCorp, a provider in multi-cloud infrastructure automation software.

August 05, 2020

Digitate, a software venture of Tata Consultancy Services, announced the release of ignio™ AI.Assurance, an autonomous assurance product that enables enterprises to deliver better software faster, enhancing their business performance.

August 05, 2020

Harness acquired self-service Continuous Integration firm Drone.io, the creator of the open-source project Drone.

August 04, 2020

Aqua Security announced that its Cloud Native Security Platform is available through Red Hat® Marketplace, an open cloud marketplace that makes it easier to discover and access certified software for container-based environments across the hybrid cloud.

August 04, 2020

Threat Stack announced the availability of Threat Stack Container Security Monitoring for AWS Fargate.

August 04, 2020

OpenLogic by Perforce now provides an enterprise-class alternative to Oracle Java by offering OpenJDK distributions backed by OpenLogic support.

August 03, 2020

MuseDev launched on Github Marketplace the Early Access version of its code analysis platform, Muse, to help developers find and fix critical security, performance, and reliability bugs, efficiently, before they reach QA or production.

August 03, 2020

Styra announced Rego Policy Builder for the Styra Declarative Authorization Service (DAS).

August 03, 2020

Felicis Ventures has invested an additional $5M in Sourcegraph, bringing the total raised to over $46M, including a $23M Series B in March 2020 led by Craft Ventures.

July 30, 2020

New Relic delivered strategic updates to New Relic One.

July 30, 2020

IT Revolution announced the DevOps Enterprise Summit Las Vegas 2020 will be going virtual.

July 30, 2020

Adaptavist announced the acquisition of Go2Group, a US technology firm specializing in Agile and DevOps services and cloud solutions for the enterprise.