Software security myth #1: Perimeter security can secure your applications
Q: Can perimeter security secure my applications? A: Perimeter security is one tool in your security toolkit, but it’s far less effective in the cloud.
How well does the perimeter security approach secure applications?
Perimeter security was designed to protect an internal network from the mysterious unknown of countless malicious users by selectively stopping network traffic coming in and out of the theoretically-protected network. Perimeter security has evolved over the years to include firewalls (and the extremely limited web application firewalls (WAFs)), security information and event management (SIEM) products and products that monitor the operating environment in real time.
While these systems are a worthy investment and can effectively shield the hustle and bustle of creativity and innovation within your network, they do nothing to secure the actual software you rely on. Perimeter security protects the broken stuff from the bad people with a thing placed at the perimeter.
Perimeter security originated in feudal times
Today’s computer and network security mechanisms are like the city walls, moats and drawbridges of feudal times. These perimeter security measures were implemented to deter and block disturbances from interfering with the goings-on inside. At one point, this may have been an effective way to defend against isolated attacks mounted on horseback. Once the attacker is spotted, simply raise the drawbridge to deny entrance.
While perimeter security is a good basic security precaution, a few things have changed since the heyday of the feudal system. As attack strategies have become more advanced in the past, say, 500+ years, a moat, city wall and drawbridge are no competition for those who want to break in to collect the big prize that lies within the perimeter. Today’s attackers have access to things like predator drones and laser-guided missiles! The modern castle requires quite a bit more protection against attacks these days than a moat and drawbridge of years past.
Feudal systems are a thing of the past—for a reason
Due to more advanced threats, we must make sure our modern day castles—or should we say data, software and networks—are protected by more than just perimeter security measures. More importantly, instead of securing broken software against attack, why don’t we just build software that’s not broken? That’s what software security is all about; building security into your software as it is being developed. Take measures to build secure software throughout the software development life cycle (SDLC).
Building secure software means arming developers with tools and training, reviewing software architecture for flaws, checking code for bugs and performing real security testing before release.
The ultimate goal is to drill down into resolving the vulnerabilities and build things properly from a security perspective. When discussing information security, a firewall is still useful once the software is secure, and should most definitely be deployed. It’s your organization’s front line of defense. It’s basic insurance.
Perimeter security as an all-powerful answer? Not even close.
The biggest challenge in security over the past two decades has been the dissolution of the perimeter. Massively distributed applications take advantage of the cloud’s efficiency; in doing so, these applications are working diligently to eradicate perimeters. Firewalls, WAFs, and SIEMs are very difficult to deploy and maintain effectively without a perimeter. As the cloud becomes more utilized, perimeter security will become less effective, just as the antiquated feudal security measures. Additionally, protecting non-broken stuff from intruders is a better strategy, from a network security perspective, than to be in the position of protecting broken stuff.
Creating software without taking measures to keep your internal data, and the data of your users, safe from intrusion defies the best practices of software development and software security. But what measures are companies throughout various industries taking to ensure their data is safe? The Building Security In Maturity Model (BSIMM) is working to answer this question by measuring software security initiatives of 128 participating firms. How does your organization measure up?
Perimeter security as an all-powerful solution is indeed a myth. While it acts as an organization’s first line of defense, it’s not the one true answer to security. After all, perimeter security isn’t protecting the software an organization counts on. It’s just the first of seven common misconceptions that are often held as gospel within software security best practices.
