While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in a self-service manner are becoming increasingly popular.
I’ve always found it entertaining that so many sales pitches are essentially a listing of features for the product or service being sold. The reason I find this entertaining is that for anyone who has worked on the customer side or has ever listened to customers, it is obvious that customers buy solutions, not products. Thus, the notion of showing off how proud you are of your product by rattling off a laundry list of features has always seemed a bit odd to me.
In other words, customers have a number of different problems, issues, and challenges that they are looking to solve. They are not necessarily interested in all of the different things your product or service can do. Rather, they are interested in learning how your solution can help them address their strategic priorities and move forward on the goals they have set for their security and fraud problems. It is incumbent upon vendors to understand that and to make it easy for potential customers to understand that mapping.
Along those lines, improving application security is a common goal customers have. As you might imagine, any solution geared towards improving the security of an application is going to be complex, consisting of many different moving parts. Thus, forcing customers to hunt for the components they need within your product data sheets and overviews is not going to be an effective way to convince those customers that you have a solution they might be in the market for.
So what can vendors do to convince customers that they have a solution worth that customer’s time to evaluate? For starters, they can bundle various features into use cases that can be easily demonstrated to, evaluated, and consumed by customers. Along those lines, what would a bundle around the popular application security protection use case look like?
While not an exhaustive list, here are some thoughts:
- App Proxy: Putting a proxy in front of applications is perhaps one of the most basic application security requirements, and for good reason. Having an intermediary allows us to inspect and monitor traffic going to and from the application, as well as to block or filter as necessary for security purposes.
- Rate Limiting and Fast Access Control Lists (ACLs): Flooding a site is an old standby of attackers. It is a primitive, yet effective tactic. Rate limiting is a relatively straightforward way to prevent this type of attack. Similarly, fast-performing Access Control Lists (ACLs) are another effective way to keep unwanted traffic at bay.
- Path Discovery: Applying machine learning (ML) to traffic transiting the environment allows us to track the rate of requests, the identity of clients accessing applications, the size of the payloads being sent, and other important telemetry elements. Using ML allows us to identify and block nefarious traffic before it becomes a more serious issue – often in minutes as opposed to hours.
- Web Application Firewall: WAF has become a required technology for application providers and should be included as a part of any application security bundle.
- L3/L4/L7 DDoS: DDoS protection has also become a requirement for application providers and should also be included as part of any application security bundle.
- Bot Defense: Advanced bots that know how to get around the defenses listed above can cause application providers monetary loss and reputation damage. As such, bot defense should also be included as part of an application security bundle.
- Auto-Certificates: Speed of deploying applications is essential for remaining competitive, as is speed of protecting those applications. The ability to auto-issue certificates and to auto-register DNS for resources saves time, allowing application providers to go from no protection to full protection in a matter of minutes.
- Malicious User Detection: Another great application for machine learning (ML) is quickly understanding which users and patterns appear to be behaving maliciously. This is something that often takes application providers hours or days to identify. With ML, this can be done in minutes, allowing those application providers to quickly take action and block/mitigate.
- URI Routing: The ability to quickly and easily control where certain requests are routing gives application providers the ability to block/control specific endpoints (URIs). No application security solution would be complete without this important feature.
- Service Policies: Quick and easy policy deployment is a must for application security. The ability to chain together service policies as needed based on requirements, along with the ability to generate custom rules for steering traffic or allowing/denying traffic beyond the capabilities of the other defensive capabilities is another essential part of the total application security package.
- Synthetic Monitors: How are applications performing externally? What are my customers experiencing? These are important questions that synthetic monitors allow a business to answer, which can quickly identify any issues that might affect the application.
- TLS Fingerprinting and Device Identification: While IP addresses change frequently, TLS fingerprints and device identifiers change much more rarely. Thus, basing policies and rules on them rather than IP address makes a lot of sense when it comes to application security.
- Cross-Site Request Forgery Protection: Scripts that operate cross-site can cause serious problems for application providers. Thus mitigating the risk they present should be part of any application security bundle as well.
Securing applications is a top priority for nearly all businesses. While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in a self-service manner are becoming increasingly popular. These bundles inform application providers and allow them to make better, more informed decisions to improve security posture without introducing unnecessary friction to the end-user.