Make WAAP Interesting Again by Quantifying Operational Efficiency and Secure by Design. – Source: securityboulevard.com

The adoption of the cloud is the biggest driver of the DevOps development process. Before cloud, waterfall (80’s to late 90’s) and agile (2000 to late 2000’s) were the most prominent development processes. Each re-enforces their own specific application architecture, namely N-Tier and Monolithic. Each required very specific kinds of deployment and packaging using a physical server and/or virtual environment. Hosted infrastructure was the precondition for such deployment and packaging. This was a costly venture from a resource utilization point of view, namely skilled labor and capital expenditure in hardware.

Just as old ways of doing things give away to new things, such as Leibnitzian physics gave to Newtonian and Newtonian to relativistic model, these monolithic and N-tier architectures gave way to microservices which had APIs (Application Programming Interfaces).

APIs are primarily a mechanism to access, retrieve and work on data without having to understand in intricate details about how such operations are implemented from different coding paradigms point of view. In other words, APIs promote abstraction.

What security practitioners didn’t quickly realize was that due to a massive shift in application architecture, driven by the prolific growth of cloud deployments, data-only attacks came earlier than one would have expected. Data only attacks compromise the integrity of the data by modifying the data, which is different from manipulating code execution flow directly or indirectly. Dev and Ops were aligned quickly, giving way to DevOps, but a crucial element of security came later because the DevSecOps conversation didn’t happen soon enough in the organizational board room. From a risk management point of view, suddenly, data and access to it have become extremely important without anybody realizing it. N-tier and Monolithic architecture also dealt with data, but the architecture gave the illusion of abstraction in such a way that programming languages were front and center, and programmers were the sexiest beasts to roam in the office corridor.

The eventual alignment of Dev, Ops, and security practioners, and an understanding of the need to maintain the integrity of the data fostered the growth of API security products in the marketplace in hope of providing risk mitigation stemming from data-only attacks. Businesses are particularly interested in the ability to enforce control and promote the design of safe APIs. Some platform as a service (PaaS) providers use API gateways to address this safety issue, while others promote safe and effective API designs that can be pushed across delivery vehicles such as gRPC and REST API. With Edge and fog computation on the rise, driven by the proliferation of IoT, toy-cars and everything else along those lines, APIs seemed to be the preferred choice of information exchange.

SecureIQLab has concluded a groundbreaking WAAP test that validates web application firewalls and API security in a comprehensive way that is unparalleled by any other test organization. True to SecureIQLab’s mission statement to test, quantify, and innovate, the assessment puts operational efficiency at the heart of this evaluation as it pertains to WAAP solutions when they are deployed, managed, used, and re-architected in the cloud.

SecureIQLab is the first to validate and rate WAPP solutions for “secure by design.” Enterprises, users, and security practitioners can get piece of mind with secure by design rated technology from a risk management point of view. SecureIQLab performed assessments on the design of WAAP solutions across the following 11 areas.

1. Configuration and Deployment Management Testing
2. Identity Management Testing
3. Authentication Testing
4. Authorization Testing
5. Session Management Testing
6. Input Validation Testing
7. Testing for Error Handling
8. Testing for Weak Cryptography
9. Business Logic Testing
10. Client-side Testing
11. API Security testing

As one can see, the above represents WAAP solution’s ability to handle core functions such as Identity management, business logic, session management, and so forth. These assessments are invaluable to determining the security of WAAP system design, and are crucial to security practitioners for evaluating risk management. Granted, it’s utopian to expect a complex system to be completely secure by itself, i.e., independent from the environment and the interactor working on such systems.

The biggest driver of the secure by design lifecycle is the accelerated rate of vulnerabilities being exploited in the wild. These numbers don’t provide an encouraging view. Then again, numbers can also mislead. Any attempt made to paint the picture of vulnerability analysis via CVE (Common Vulnerabilities and Exposure) is highly incomplete. Incomplete because not all the vulnerabilities were reported, not all were supposedly equal, and responses to vulnerabilities were not reliably documented by everyone in a manner that directly correlates to fixing bugs, which could potentially lead to product improvement. Designing the security of complex systems such as a WAAP must be part of the holistic design of the system. This directs thoughts toward a better security mindset. If a system is poorly designed, however effective it may be from a threat mitigation point, it will bring perfectly foreseeable risk at some point in time. CISA (Cyber Infrastructure Security Agency) is promoting the secure by design concept, and this is a step in the right direction. We at SecureIQLab, in our past lives as well as current ones, are big proponents of the security of the security system itself. Some of us have published such analysis in the past to educate practitioners and vendors. SecureIQLab has adopted an approach of vulnerability assessment from the system design point of view and has rated these solutions in our Comparative Test Report, as well as the effectiveness of such systems when they have to deal with cyber-attacks.

Having said that, we have put operational efficiency at the forefront of product assessment, validation, testing, and quantification. The metrics gathered from such assessments help organizations to laser focus on their core businesses rather than spending valuable time deriving operational efficiency metrics by themselves. Excellent operational efficiency can increase security by decreasing complexity.

-SecureIQLab