Application Security 101: The Lowdown
But what is application security exactly and what is its role in the enterprise? While most users have a very concrete understanding of most standard security measures, such as antivirus, firewalls and intrusion prevention, the definition of application security seems to be a bit more nebulous, if not more misunderstood, with the emergence of Web 2.0 and the explosion of social, interactive and streaming media.
So here’s a bit of a tutorial.
Application security refers to the security mechanisms that provide control over Web applications, content and users (pretty much everything that happens at the application layer) in an organization. Done well, application security enables fine-grained policy control, deep visibility into the content users are accessing and increased protection against threats.
Essentially, application security provides three basic functions: identifying the traffic to determine whether it is a threat, monitoring the traffic to assess the risk and nature of the threats, and imposing granular controls on apps and on features within the apps.
Monitoring should allow users to visualize trends, threats and behaviors in their network to find ways to create appropriate blocks or defenses. The detailed analysis, provided by reporting mechanisms, should include how and why the apps are being used and users’ behavior and identity.
Any application security solution worth its salt should entail granular control of all apps and features, including categories of apps, individual apps and actions within apps. Granular control should also be extended to users or groups of users based on their role within an organization (e.g. the janitor wouldn’t have the same online access as the CEO), and also be applied to varying types of traffic—with the ability to block and limit access to certain sites based on policy.
Accordingly, application security also allows administrators to control and block certain functions on Web applications. For example, application security technology might allow users to access Facebook, but block Farmville and Mafia Wars. Or it might block access to eBay entirely except during the lunch hour.
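The granular controls described above, sketched as a small first-match policy table in Python. This is an added illustration, not Fortinet's or any vendor's implementation; the user names, group names, the lunch window and the default-deny rule are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed sample data (assumption): directory lookup of user -> group.
USER_GROUPS = {"alice": "executives", "bob": "facilities"}

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    app: Optional[str] = None        # None matches any app
    feature: Optional[str] = None    # a function inside the app, e.g. a game
    group: Optional[str] = None      # None matches any user group
    window: Optional[tuple] = None   # (start, end) local times; None = always

# Ordered rule table: the first matching rule decides, the last is the default.
RULES = [
    Rule("block", app="Facebook", feature="Farmville"),
    Rule("block", app="Facebook", feature="Mafia Wars"),
    Rule("allow", app="Facebook"),                      # the rest of Facebook is fine
    Rule("allow", app="eBay", window=(time(12, 0), time(13, 0))),  # lunch hour only
    Rule("block", app="eBay"),
    Rule("allow", group="executives"),                  # role-based: broader access
    Rule("block"),                                      # everyone else: deny by default
]

def _in_window(window: Optional[tuple], now: time) -> bool:
    """True when the rule has no time window or 'now' falls inside it."""
    if window is None:
        return True
    start, end = window
    return start <= now < end

def decide(user: str, app: str, feature: Optional[str], now: time) -> str:
    """Evaluate one request (who, which app, which feature, when) against RULES."""
    group = USER_GROUPS.get(user)
    for rule in RULES:
        if rule.app is not None and rule.app != app:
            continue
        if rule.feature is not None and rule.feature != feature:
            continue
        if rule.group is not None and rule.group != group:
            continue
        if not _in_window(rule.window, now):
            continue
        return rule.action
    return "block"  # unreachable with a catch-all rule; kept as a safe fallback

if __name__ == "__main__":
    print(decide("bob", "Facebook", "Farmville", time(10, 0)))   # block
    print(decide("alice", "eBay", None, time(12, 30)))           # allow
```

Order matters in such a table: the feature-level blocks must precede the app-level allow, or the allow would shadow them.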
Meanwhile, the need for Web application security is more imperative than ever, thanks in no small part to the plethora of interactive social and streaming media, as well as the proliferation of third-party apps on Websites.
And while the need to detect threats from porn, gambling and spam sites is great, perhaps some of the biggest and least detectable threats are compromises of legitimate Websites. A major news site became a victim of such an attack when an advertising network was infected by a malicious Flash advertisement, which compromised the editorial pages. The malware directed users to a malicious site that downloaded fake antivirus software onto their systems.
“Legitimate Websites have multiple links within that site. In a typical newspaper Website, the ‘Comments’ section is coming from anybody in the world and a lot of times it shows Facebook icons and hence links to other sites,” says Kevin Flynn, Fortinet senior marketing manager. “You’re never that far away from potentially harmful content.”
Overall, application security solutions aim to protect content and block a myriad of threats, such as botnets and malicious worms, that are distributed to a network via applications delivered over TCP Port 80.
Malicious threats regularly enter and spread on a network through TCP Port 80 via HTTP, Teredo, TPS over DNS and VPN, as well as non-Web applications such as BitTorrent. In addition, ordinary browsing over TCP Port 80 can lead users to malicious content. Oftentimes the threats come in under the radar, evading detection with SSL encryption that masks the incoming threat, port hopping, polymorphic code that mutates every time it's detected, and HTTP tunneling.
“It’s all happening at the app layer and it’s all happening through Port 80,” Flynn says.