November 11, 2013 By Diana Kelley 3 min read

Shrek: “Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers.”

Donkey: “Oh, you both have LAYERS. Oh. You know, not everybody likes onions. What about cake? Everybody loves cake!” 1

In the first “Shrek” film, the characters of Donkey and Shrek have a discussion about Ogres having layers, like onions and cakes, meaning that there’s more to them than what first meets the eye. This is true in the realm of IT security too.

While there’s no shortage of vendors hawking the latest and greatest security tool as a solution to many, if not all, security challenges, the reality is that only a layered approach will work. But what kind of layers are we talking about? And where does application security fit in? And how do software and hardware interact in a layered approach? The answer to that is a little tricky and depends on your point of view.

In the traditional OSI model (Open Systems Interconnection, ISO/IEC 7498-1), applications are listed as the highest layer of the stack, and when speaking about applications they’re often described as the “top layer.”

But anyone who has worked on application security and is familiar with the OWASP Top Ten can tell you that software and applications interact with, or have an impact on, all of the host layers and in some cases even the network layer itself.

Thinking of a complex IT architecture, we have another view of where applications sit in the layered model. They run on devices like PCs, tablets and smartphones, reside behind network devices like firewalls and intrusion prevention systems (IPS), and sit in front of data stores like relational databases and unstructured data repositories, as in the illustration below.

Talk to someone who develops applications or works with developers on a daily basis and you get yet another view of applications – as the largest tier of the IT “cake” that serves as the base for all of the activity and transactions that are built on top of it. Make that tier strong and able to support the other layers and the overall security program will be more effective. Build a weak base layer and the whole system will crumble.

The reason that software security is so important is that all IT systems and devices run on software. Firewalls are often referred to as “network devices” – but they’re running software. That database? It’s software too. And the operating system running the phone you play “Candy Crush Saga”2 on? Software. Identity management systems and SIEM consoles are all software applications that someone, or many, many someones, wrote and tested for functionality, but may not have tested for security vulnerabilities or for the ability to withstand attacks.

This is why, for a holistic and comprehensive approach to the security of all IT systems, we recommend looking at software and application security first, both for the applications you build and for the commercial off-the-shelf (COTS) systems and devices that you buy.

Ogres and networks have layers, like a cake. And as with a cake, if the layers are out of balance and one of the critical tiers is breached, the strength of the entire structure is weakened and could crumble. But if all of the layers are strong, even if an attacker infiltrates one layer, the rest of the structure should be able to stand securely. So, in a world of imperfect security controls, one defined largely by software, it’s critical to take code-level security seriously. Why? Because at some point, you might be counting on that software when other security controls have been misconfigured or subverted.


1 “Shrek,” 2001 motion picture, distributed by Dreamworks Pictures.

2 “Candy Crush Saga” is produced by game manufacturer King.
