As web applications become the core of business functions, application protection plays an ever more important role in safeguarding those applications, their availability and the customer data they process.
However, as its importance grows, the domain of application security is also growing in depth and complexity, with its own set of attacks and its own tools and mechanisms for mitigating them. As a consequence, it is becoming a dedicated discipline within cybersecurity, distinct from other domains or specializations.
The implication of this development is that successful web application security programs require not just dedicated tools to protect against the full range of attacks, but also dedicated people who specialize in application security and hold sufficient knowledge and expertise to properly protect applications.
Below are the top 4 reasons why web application protection is now a dedicated discipline within cybersecurity. Included, as well, are the proficiencies required of application security professionals to ensure they are providing high levels of protection.
Reason #1: Greater Domain Expertise
One of the great challenges of web application protection is that application security is not a standalone topic. It straddles multiple domains within cybersecurity and computing. To understand application security, one must understand applications. And to understand applications, one must possess a deep understanding across computing and IT (information technology). Some of these topics include:
- Networks: how they are designed, built, configured and protected.
- Application development: how applications are developed and architected, including the technologies used to build them, as well as the development process, which stakeholders are involved and how applications are rolled out.
- Application capabilities: what the business function of the application is, including its key capabilities and how users interact with it.
- Cloud computing: web applications are now deployed in the cloud, so it’s important to understand cloud deployments, including public, private and hybrid clouds.
- Kubernetes and microservices: how microservices and the platforms that orchestrate them (specifically Kubernetes) work, how they are managed, their deployment lifecycle and how they differ from traditional application design.
It is no surprise that finding qualified staff who possess this level of knowledge is no easy task.
Reason #2: A Bigger, More Complex Attack Landscape
In addition to how applications are built and implemented, a key requirement in application security is understanding the threats that today’s modern applications face. This calls for a deep understanding of application attacks, attack vectors and emerging threats.
This includes an understanding of web application attacks such as bot attacks, API attacks and vulnerabilities, application-layer (L7) DDoS attacks, as well as supply chain and client-side attacks, which are becoming more prevalent.
For each of these vectors, it is important to understand how they are planned and executed, including how they are distinct from other attack vectors and their impact on application security.
Reason #3: Broader Set of Tools
As the list of application threats has expanded, so has the list of tools available and required for application protection. Therefore, it is necessary to maintain an in-depth understanding of security tools and mechanisms.
Application security today is more than just WAF (web application firewall). It includes bot protection, application-layer (L7) DDoS protection, API security, client-side protection, and more. Application security professionals must know all these tools, how they work, what they do and don’t cover and how to use all these tools together to create a comprehensive protective armor around modern applications.
Since applications are a core part of the business, application security professionals need to understand not just how to deploy these tools and implement security policies, but also how to tune them to the legitimate behavior patterns of the application’s users, eliminate false positives and review logs and analytics to identify potential security vulnerabilities.
Reason #4: Impact Across the Business
Finally, since applications are a core focus of the business, a key requirement in application protection is to understand how application security impacts the overall business, including its impact on the company’s bottom line.
Even though application security is recognized as essential, there is an inherent tension between security and agility. Many business teams want to be as agile and flexible as possible, and able to work without any constraints. But security, by definition, is about imposing constraints so that malicious activity does not get through. So, while security is recognized as essential, web application security is often an inhibitor or showstopper for certain organizational business units, such as DevOps, marketing, cloud operations, and more.
The challenge is how to maintain state-of-the-art application protection while remaining as frictionless as possible and not imposing operational or technical challenges that may impact the company’s bottom line.
Therefore, it is essential for web application security professionals to have this business-level knowledge and experience. They need to be cognizant of how application security impacts existing business and technology processes and how to minimize friction while maintaining a high level of web application protection.
As web applications increasingly become the focal point through which an organization’s business is done, application protections play an increasingly important role. However, the growing complexity of this domain, which transcends network, infrastructure, security and business concerns, means that web application protection is rapidly becoming a unique and dedicated discipline within the greater domain of cybersecurity. For organizations, this means they need to have the appropriate staff, skill sets and tools to be able to fully protect themselves against the range of web application attacks.
If you would like to speak with one of the experienced, tenured cybersecurity professionals at Radware, you can reach out to them here. They would love to hear from you.
If you’re going to attend the RSA Conference in San Francisco on April 24-27, make sure to stop by the Radware booth (#2139). Meet with our team of experts and take your cybersecurity to the next level. Better yet, you can set up an appointment with them here.
What is the best way to study for work in this area?
I totally agree with these 4 reasons.