Shrek: “Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers.”
Donkey: “Oh, you both have LAYERS. Oh. You know, not everybody like onions. What about cake? Everybody loves cake!” 1
In the first “Shrek” film, the characters of Donkey and Shrek discuss how ogres have layers, like onions and cakes. The point is that there’s more to them than first meets the eye. The same is true in the realm of IT security.
While there’s no shortage of vendors hawking the latest and greatest security tool as a solution to many, if not all, security challenges, the reality is that only a layered approach will work. But what kind of layers are we talking about? And where does application security fit in? And how do software and hardware interact in a layered approach? The answer to that is a little tricky and depends on your point of view.
In the traditional OSI model (Open Systems Interconnection, ISO/IEC 7498-1), the application layer (layer 7) sits at the top of the stack, which is why applications are so often described as the “top layer.”
But anyone who has worked on application security and is familiar with the OWASP Top Ten can tell you that software and applications interact with, or have an impact on, all of the host layers (transport through application) and in some cases even the network layer itself.
Thinking of a complex IT architecture gives us another view of where applications sit in the layered model. They run on endpoint devices like PCs, tablets and smartphones; they reside behind network devices like firewalls and intrusion prevention systems (IPS); and they sit in front of data stores like relational databases and unstructured data repositories, as in the illustration below.
Talk to someone who develops applications or works with developers on a daily basis and you get yet another view of applications: as the largest tier of the IT “cake,” the base that supports all of the activity and transactions built on top of it. Make that tier strong enough to support the other layers and the overall security program will be more effective. Build a weak base layer and the whole system will crumble.
The reason that software security is so important is that all IT systems and devices run on software. Firewalls are often referred to as “network devices,” but they’re running software. That database? It’s software too. And the operating system running the phone you play “Candy Crush Saga”2 on? Software. Identity management systems and SIEM consoles are all software applications that someone, or many, many someones, wrote and tested for functionality, but may never have tested for security vulnerabilities or for the ability to withstand attack.
This is why, for a holistic and comprehensive approach to securing all IT systems, we recommend looking at software and application security first, both for the applications you build and for the commercial off-the-shelf (COTS) systems and devices that you buy.
Ogres and networks have layers, like a cake. And as with a cake, if the layers are out of balance and one of the critical tiers is breached, the strength of the entire structure is weakened and it could crumble. But if all of the layers are strong, then even if an attacker infiltrates one layer, the rest of the structure should still stand securely. So, in a world of imperfect security controls, one defined largely by software, it’s critical to take code-level security seriously. Why? Because at some point you may be counting on that software when the other security controls have been misconfigured or subverted.
1 “Shrek,” 2001 motion picture, distributed by Dreamworks Pictures.
2 “Candy Crush Saga” is produced by game manufacturer King.
Executive Security Advisor, IBM Security