Shrek: “Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers.”

Donkey: “Oh, you both have LAYERS. Oh. You know, not everybody likes onions. What about cake? Everybody loves cake!” 1

In the first “Shrek” film, Donkey and Shrek discuss how ogres have layers, like onions and cakes, meaning that there’s more to them than first meets the eye. This is true in the realm of IT security too.

While there’s no shortage of vendors hawking the latest and greatest security tool as a solution to many, if not all, security challenges, the reality is that only a layered approach will work. But what kind of layers are we talking about? And where does application security fit in? And how do software and hardware interact in a layered approach? The answer to that is a little tricky and depends on your point of view.

In the traditional OSI model (Open Systems Interconnection ISO/IEC 7498-1), applications are listed as the highest layer of the stack and when speaking about applications they’re often described as the “top layer.”

But anyone who has worked on application security and is familiar with the OWASP Top Ten can tell you that software and applications interact with, or have an impact on, all of the Host layers and in some cases even the Network layer itself.

Thinking of a complex IT architecture, we have another view of where applications sit in the layered model. They run on mobile devices like PCs, tablets and smartphones, and reside behind network devices like firewalls and intrusion prevention systems (IPS) and in front of data stores like relational databases and unstructured data repositories, as in the illustration below.

Talk to someone who develops applications or works with developers on a daily basis and we have yet another view of applications – as the largest tier of the IT “cake” that serves as the base for all of the activity and transactions that are built on top of it. Make that tier strong and able to support the other layers and the overall security program will be more effective. Build a weak base layer and the whole system will crumble.

The reason that software security is so important is that all IT systems and devices run on software. Firewalls are often referred to as “network devices” – but they’re running software. That database? It’s software too. And the operating system running the phone you play “Candy Crush Saga”2 on? Software. Identity management systems and SIEM consoles are all software applications that someone, or many many someones, wrote and tested for functionality, but may not have tested for security vulnerabilities or ability to withstand hacks by attackers.

This is why, for a holistic and comprehensive approach to the security of all IT systems, we recommend looking at software and application security first, both for the applications you build and for the commercial off-the-shelf (COTS) systems and devices that you buy.

Ogres and networks have layers, like a cake. And like with a cake, if the layers are out of balance and one of the critical tiers is breached, the strength of the entire structure is weakened and could crumble. But if all of the layers are strong, even if an attacker infiltrates one layer, the rest of the structure should be able to stand securely. So, in a world of imperfect security controls, one defined largely by software, it’s critical to take code level security seriously. Why? Because at some point, you might be counting on that software when other security controls have been misconfigured or subverted.


1 “Shrek,” 2001 motion picture, distributed by Dreamworks Pictures.

2 “Candy Crush Saga” is produced by game manufacturer King.

