Why Firewalls Fail to Protect Applications
October 03, 2019

Manish Gupta
ShiftLeft

In the first blog of this series, I discussed what would it take to insert security into DevOps and arrived at the helpful mnemonic SECURIDY to capture the key requirements. As a continuation of that blog, I thought it would be valuable to take some of the popular technologies and measure them against this framework to see which are still well-suited for today's world of DevOps, as well as which fall short and why.

Let's start with the security product that organizations spend most of security budgets on — firewalls.

In a private local-area network (LAN), where all important resources were within the LAN (data center, employee machines, etc.), it made sense to create a protective moat between your LAN and the world outside. While you wanted everyone within your LAN to be able to access anything outside (with some restrictions), it clearly didn't make sense to allow everyone on the outside to be able to access the resources within the LAN.

But the world of SaaS (Software-as-a-Service) turns this model upside down. The application(s) are inherently designed to be available to anyone and everyone outside on 443/HTTPS — which is the source of most cyberattacks.

Based on our model of SECURIDY, let's see where firewalls fail. Remember, the focus is on protecting applications and not end users.

Security (S)

Security (S) has to be fast: Here, we aren't talking throughput and latency, for that is definitely where firewalls and some of the other network security devices shine. Instead, we are talking about operational speed. For example, if you are releasing hourly, can you adjust the policies of the security devices hourly or even better automate it?

Again, this isn't feasible with network security devices. Some aspects, such as what rules apply to all applications (e.g., block all access other than 443/HTTPS) can be automated, but anything more requires significant human effort. In traditional LAN networks, the rules and policies that would get modified once a week or once a month now need to happen hourly. This gets a respectable 2 out of 10.

Exact (E)

Exact (E): This is the bane of security, even in traditional networks, which is why there is all this talk of not having enough trained people to look at the alerts created by the security devices. This is necessary for protecting end user machines where the end user has to (perhaps debatable) access various resources and in doing so, gets infected (e.g., spear phishing).

But for applications, we don't have to repeat the same mistakes. Applications are code that we write, and they are written to do something specific, regardless of the richness of their feature functionality. We have a great opportunity to make security for these applications "exact," so we are not adding more alerts to the already monstrous pile our infrastructure security solutions create every hour, every day. On a scale of 1-10, this gets at best a 2.

application centric (C)

Security has to be application centric (C): We use firewalls in our private data centers where we keep our applications to ensure that no one from outside our organization can reach these "private" applications. We also use firewalls to ensure that even employee access is controlled — after all, not everyone needs to have access to every application.

But in SaaS, as we have seen earlier, applications are inherently available to be accessed by everyone. And each application's attack surface is unique, down to the version number of the application. Creating firewall rules — a network-based device — to cater to the attack surface of each application just isn't feasible. It's like protecting a castle using fences when the enemy has planes — landing it at 0 out of 10.

unique (U)

Security has to be unique (U) to each application, each microservice: This is where a firewall — or for that matter, any network security device including Intrusion Detection Systems and web application firewalls — fails miserably. From one version of an application to another, as developers add or subtract functionality, an application's attack surface is changing.

Network security devices are completely blind to these changes. At best, they can continue to do what they do regardless of the application (let alone the application's version) and shift the onus to you on what is relevant and irrelevant in what they detect. On a scale of 1-10, in a firewall's ability to meet the demand of unique security, let's give it a 2.

System of Record (R)

System of Record (R), i.e., understanding whether your security posture is improving or deteriorating as you develop newer versions of the applications: The world of infrastructure security devices is oblivious to the contents of an application so can't help there. This gets a 0 out of 10.

innovation (I)

Scalable with the pace of innovation (I): Infrastructure or network security devices demand they be present in front of every application you want to protect. Hard to do that and be scalable. This gets a 1 out of 10.

developers (D)

Security needs to appeal to developers (D). This is where the concept of "shifting left" is important. Developers are where the application development starts — they are at the left edge of the application continuum. Firewalls (or other network security devices) are deployed once the application is in production. Never the twain shall meet — a 0 out of 10.

functionality (Y)

Business is driven by new functionality (Y): Again, focusing on the infrastructure, and not the application itself becomes a bane of existence for network security solutions. Whether you are innovating at the pace of a snail or at the pace of a cheetah, to network security devices there is no difference. You have to configure them, tune them, edit their policies, and review the alerts created.

So, they are not driven by new functionality, they are instead driven by "you." Can you tune these devices at the pace at which you are adding new functionality? Didn't think you could. Let's score this a 1 out of 10.

As we sum up the scores, we can score the firewalls and network security devices a 11 out of a possible max of 80 in our SECURIDY measurement. Not even a passing grade! Network security has a very important role in our LANs given the diverse, ever-changing nature of employees joining and leaving, and controlling who should be able to access what. But to protect applications that we develop, we can do far better.

Keep an eye on my column as we explore more security products and score them against the SECURIDY framework.

Manish Gupta is CEO at ShiftLeft
Share this

Industry News

January 14, 2021

Oracle is making its popular APEX low-code development platform available as a managed cloud service that developers can use to build data-driven enterprise applications quickly and easily.

January 14, 2021

Parasoft announced its C/C++test update to support IAR Systems' build tools for Linux for Arm.

January 14, 2021

Harness raised $115 million in financing, reaching a valuation of $1.7 billion in just three years after launching from stealth.

January 13, 2021

Slim.ai launched with its cloud-based DevOps automation platform built specifically for software developers.

January 13, 2021

WhiteSource announced new WhiteSource Advise support for JetBrains' PyCharm and WebStorm integrated development environments (IDEs).

January 12, 2021

Red Hat has added new features to Red Hat Runtimes.

January 11, 2021

KubeSphere announced its expanded relationship with AWS to offer KubeSphere as an AWS Quick Start.

January 07, 2021

Red Hat announced its intent to acquire StackRox

January 07, 2021

Cigniti Technologies announced a partnership with Sonatype to help enterprise customers innovate faster and easily mitigate security risk inherent in open source.

January 07, 2021

Lacework announced a $525 million growth round with a valuation of over $1 billion.

January 06, 2021

BMC announced several new capabilities and enhancements for the BMC Automated Mainframe Intelligence (AMI) and Compuware portfolios that enable BMC mainframe customers to protect uptime and availability, defend the mainframe against cybersecurity threats, and advance enterprise DevOps.

January 06, 2021

Sysdig has achieved Service Organization Control (SOC) 2 Type II compliance for the Sysdig Secure DevOps Platform.

January 05, 2021

Allegro AI announced a rebranding of its key product Allegro Trains as ClearML.

January 05, 2021

Acryl unveiled a pilot service for Jonathan, an integrated AI platform that can be used in a variety of industries with a spectrum of users from non-experts to professional developers.

January 05, 2021

Weaveworks announced a $36.65 million Series C funding round.