Could going to your local renaissance festival be an application security work event? Stick with me. Protecting our applications and data draws parallels to military defenses that stand the test of time.
Think of your average castle. It has multiple layers of defenses - a moat; high, thick walls; small windows; guards; different types of weapons to ward off attackers; etc. An attacker looks at the castle, assesses is defenses, and chooses an attack point based on the perceived weakest point. This is a military theory called strategic asymmetry - leveraging your opponent’s weaknesses. As Sun Tzu advises in The Art of War, “where he is strong, avoid him.”
Multiple Security Layers
Our modern application security systems are modeled like castles with multiple layers, attempting to deter attackers because our systems appear too strong, or warding off attacks with superior defenses. We try to think like an attacker to find vulnerabilities. We perform static and dynamic code analysis, enable runtime protection, conduct penetration testing, utilize chaos engineering to test our systems in the real-world, and more.
But our attackers just have to find one hole. They can lob attacks until one hits - like a medieval catapult, which leveraged the major void in a castle’s defenses - the inability to cover everything with a strong roof.
In the modern world, applications are often the portals to what attackers really want - the sensitive data behind our defenses or the internal network.
Connected Feedback Loops
How can organizations harden their defenses against these attacks? Chetan Conikee is the Founder and CTO of ShiftLeft Inc. He presented on connected feedback loops at last year's All Day DevOps conference.
One reason Chetan suggests that applications are the target du jour is that, while we gain efficiencies utilizing third-party libraries and SDKs, we also increase the security complexity. It can give an attacker a foothold into any organization that uses the same code.
The use of microservices, which can also make your applications more efficient and quicker to deploy new services, can fragment data, making it more complex to map data flows and protect the data.
At a high level, what do organizations do to protect applications? Chetan lays out the four dimensions of application security systems:
- Vulnerabilities - defects or weaknesses in systems that can be exercised and result in a security breach or violation of policy
- Attacks - directed against system interface, i.e. attack surface with goal of infringing at least one policy of a system
- Defenses - enforce policies when violation is detected using monitoring, isolation, and obfuscation
- Policies - guarantees that a system can still give despite attacks. Expresses properties in dimensions of confidentiality, integrity, and availability
But attacks are still successful. Where are our defenses failing us? Chetan contends that, “defense in depth has failed us.” It lacks context, has too many false positives, presents questionable relevance, doesn’t clearly prioritize, and there are SIEM architecture limitations.
Humans can’t process all of the alerts and only certain attacks can take advantage of the vulnerabilities. Chetan recommends connected feedback loops. They establish a continuous feedback loop between static (offense) analysis and dynamic (defense) runtime behavior? It builds an estimation model to provide a baseline vulnerable path tracking and uses this model to baseline the dynamic part. You apply inputs onto vulnerable paths and observe them to verify it is acting like you anticipated. This helps you correlate a threat to a vulnerability and reduces false positives.
This is just the tip of the iceberg. Dig into connected feedback loops more with Chetan in his presentation, which you can watch here.
Photo by Dominika Roseclay
Interested in more DevOps? Register for the next All DayDevOps, November 6, 2019.