DevCentral > Weblogs > Lori MacVittie - Two Different Socks
Wednesday, May 14, 2008

Silos belong on farms, not in IT

The role of "application delivery expert" is really coming into its own of late, along with the understanding that the traditional siloed approach to management of applications in IT no longer makes sense.

TechTarget :: How networking professionals can prove their worth

Jim Metzler [vice president of Ashton, Metzler & Associates] recently worked with NetQoS to survey more than 175 NOC and non-NOC IT professionals about how the evolving role of the NOC affects both network and IT professionals.

Metzler moderated several sessions at Interop that had a single unifying theme: Application delivery is now an issue of critical importance for IT (and consequently network) staff, and successful application delivery depends upon the ability of that staff to transcend technology and organisational silos or "stovepipes."

He found that most NOC staff spend the majority of their time on application delivery and the WAN. "The network operations center is a lot more than networks," Metzler said in a phone interview. "In fact, I think it's a misnomer to use the phrase NOC or 'network' manager or 'network' engineer because the majority of their time is spent on other things."

This odd-couple marriage between networking and applications has long been the focus of F5 and is the underlying foundation of solutions such as its Application Ready Networks.

I could write on and on about application delivery and why Mr. Metzler is so very right, but instead you might prefer listening to Forrester analyst Rob Whiteley and F5's Erik Giesa define Application Delivery Networking in this 37-minute webcast and explain how it solves critical deployment issues, including breaking out of those silos.

Imbibing: Mountain Dew

PCI DSS Deadline Looming Large While Debate Continues - WAF vs VA

According to a recent ComputerWorld article, most retailers aren't ready for the forthcoming June deadline for PCI DSS compliance.

From ComputerWorld :: Few expected to make June 30 PCI deadline for Web application security

Most retailers will not meet the June 30 deadline for complying with new Payment Card Industry Data Security Standard (PCI-DSS) requirements for securing web applications. Companies can achieve compliance with either a specialized firewall or web application software code review, which entails finding vulnerabilities and fixing them. Many retailers appear to be opting for firewalls, which are "quick fixes," according to Gartner analyst Aviva Litan. "Application firewalls are a reactive measure. You have a lot of vulnerable applications that still need to be fixed," she added, and noted that scanning for vulnerabilities and fixing them should take precedence over firewalls, and that firewalls should be used in addition to scanning, not instead of it.

PCI DSS affects retailers more than any other business owing to their acceptance of credit cards online for purchases.

The quote in question references section 6.6, a somewhat controversial requirement that allows either vulnerability scans and code review or the implementation of a web application firewall as a means of meeting compliance.

There are several good reasons for implementing a web application firewall aside from meeting PCI DSS compliance. I agree with Aviva's assessment that both vulnerability scanning and web application firewalls together are a good idea, but disagree that firewalls are simply reactive measures and "quick fixes". This perception seems to assume that we're looking at the problem from the viewpoint of a new application, not one that is running in production right now.

Web application firewalls are your first line of defense against new and existing web application threats. They are generally capable of preventing even emerging attacks, and are quickly updated when new threats are discovered. Those deployed in conjunction with or on an extensible application delivery platform provide additional value in the capability to dynamically create policies to address emerging threats or custom threats against your application.

They can CYA (cover your apps) while you find and fix the vulnerabilities, a process that requires development, testing, and redeployment. And while you're going through that process - what's going on with your application? Have you taken it offline because it's vulnerable? Were you aware of the specific attack vector when you developed the application?

No, you probably haven't, especially not if you're in the retail business: if your application is down, you are losing revenue, and that's not acceptable. And no, you probably weren't aware of that attack when the app was developed, because it hadn't been discovered yet.

But if you've got a web application firewall (WAF) you are likely able to continue running your application, secure in the knowledge that the WAF is going to be able to thwart a wide variety of known attacks while you scan, find, and fix the vulnerabilities in your application whether those are emerging threats or existing ones.

Deploying a WAF doesn't make an organization short-sighted or imply that it isn't going to address any vulnerabilities found in its applications. On the contrary, it implies that an organization is realistic; that it understands that no matter how many vulnerabilities its application is secure against today, a new one is going to appear. Maybe not tomorrow or next week or even next month, but it will appear. The organization knows its application is not likely to be protected against that brand new attack, and that it is not likely to be able to address the new attack fast enough to protect the application. It knows that a WAF, however, is likely to be updated very quickly, or at least to provide the means by which a fix can be put into place while it goes about updating the application.

Deploying a WAF isn't reactive, it is proactive defense against existing and future threats. It isn't replacing the security sought through vulnerability scanning, it's augmenting and enabling that process while protecting the business' investment in its web presence. That's risk management and proactive security.
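To make the "cover your apps while you fix them" argument concrete, here is an added example that is not part of the original post and not F5 product code: a minimal positive-security request filter standing in for a WAF policy, placed in front of a web handler that has already been fixed to use a parameterized query. The `Policy` class, the `/order` path, the parameter names and patterns, and the sample requests are all constructed for illustration. The filter rejects anything not explicitly allowed for a path, and `Policy.allow` shows the "dynamically create a policy" step: when a scan reveals that a handler also reads a parameter nobody wrote a rule for, the operator adds a tightly scoped rule without waiting for a code release.

```python
"""Illustrative WAF-style positive-security filter in front of a fixed handler.

Added example, not code from the original post or from any vendor.
Every path, parameter name, pattern and request below is constructed.
"""
import re
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Allow-list of parameters per path, each bound to a permitted pattern.

    Requests to paths with no policy, requests carrying parameters that are
    not on the list, and parameter values that do not fully match their
    pattern are all rejected. This is the compensating-control layer that a
    WAF provides while the application itself is being remediated.
    """
    rules: dict = field(default_factory=dict)  # {path: {param: compiled regex}}

    def allow(self, path, param, pattern):
        """Add or tighten a rule at run time (the 'custom policy' case)."""
        self.rules.setdefault(path, {})[param] = re.compile(pattern)

    def check(self, path, params):
        """Return (allowed, reason) for a request."""
        allowed = self.rules.get(path)
        if allowed is None:
            return False, f"no policy for {path}"
        for name, value in params.items():
            rx = allowed.get(name)
            if rx is None:
                return False, f"unexpected parameter {name!r}"
            if not rx.fullmatch(value):
                return False, f"parameter {name!r} violates pattern"
        return True, "ok"


def build_policy():
    """Initial policy: /order accepts only a short numeric id (constructed rule)."""
    policy = Policy()
    policy.allow("/order", "id", r"[0-9]{1,10}")
    return policy


def setup_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, 19.99), (2, 5.00)])
    return conn


def order_handler(conn, params):
    """The remediated application code: a parameterized query, never string-built SQL."""
    row = conn.execute(
        "SELECT total FROM orders WHERE id = ?", (int(params["id"]),)
    ).fetchone()
    return {"status": 200, "total": row[0]} if row else {"status": 404}


def serve(policy, conn, path, params, log):
    """Policy layer first; only conforming requests reach the handler.

    Blocked requests are logged with the reason so the security team can see
    what the WAF absorbed while the code fix is in development and testing.
    """
    ok, reason = policy.check(path, params)
    if not ok:
        log.append(f"BLOCKED {path} {params} reason={reason}")
        return {"status": 403}
    return order_handler(conn, params)


if __name__ == "__main__":
    policy, conn, log = build_policy(), setup_db(), []
    print(serve(policy, conn, "/order", {"id": "1"}, log))            # served
    print(serve(policy, conn, "/order", {"id": "1 OR 1=1"}, log))     # blocked: pattern
    print(serve(policy, conn, "/order", {"id": "1", "debug": "1"}, log))  # blocked: unknown param
    # A scan finds the handler also reads 'coupon'; scope a rule for it at run time.
    policy.allow("/order", "coupon", r"[A-Z0-9]{4,12}")
    print(serve(policy, conn, "/order", {"id": "2", "coupon": "SPRING08"}, log))
    print("\n".join(log))
```

The point of the two layers is the one the post makes: the policy layer buys time and produces a log of what it turned away, while the handler's parameterized query is the real fix. Neither replaces the other; a positive-security rule that is too loose lets a bad value through, and a fixed handler does nothing for the next parameter someone adds without a rule.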

Imbibing: Coffee
