Lori MacVittie - Two Different Socks

posted on Tuesday, August 26, 2008 5:01 AM

Don and I were discussing security as a service and, as usual, he spouted off some wisdom in the form of an analogy that was too good not to share.

When you're walking down the street with your entourage and an angry, I mean really angry, man steps out in front of you with a lead pipe, where should your bodyguard be?

Yeah, that was my thought, too. He should be in front of me to stop the threat before I have to react. Even if the threat never lands because the bodyguard beside me manages to reach out and grab the lead pipe before it connects, I've still expended unnecessary resources avoiding or flinching or cringing or screaming like a school girl at the action. Resources I didn't need to waste. I might even be (gasp) sweating from the exertion. And what a terrible faux pas for someone who can afford an entourage and a bodyguard to sweat in public.

Basically, if I get hit by that lead pipe or I expend effort avoiding being hit or even momentarily look like something out of an Edvard Munch painting, my bodyguard is fired because he wasn't doing his job. He's doing it wrong.

That's the difference between security as a service delivered by a web application firewall and security as a service implemented inside the application as a software component. The WAF sits inline, in front of the application, and stops the lead pipe before it reaches the application at all. The application never has to expend unnecessary resources or sweat in public (CPU, memory and connections burned accepting, parsing and rejecting a request it should never have seen) when the security is deployed in front of it.

If you're thinking, "Hey, what's that really gonna do? Waste a couple milliseconds? Pshaw! No one will notice!" then you need to go now and read this post on latency. Really - go now. I'll wait.

Threat defense is, by definition, defensive. But the best defense is a good offense: one that is proactive rather than purely reactive, acting before the threat actually becomes a threat. Letting a threat reach the application and then identifying and filtering it there is certainly better than doing nothing, but stopping it before it gets anywhere near the application is better still.




Feedback

8/26/2008 10:02 AM
Lori, what a waste a bodyguard is during daily life. Really, all bodyguards do is look tough and get you through crowds faster, and for that privilege you pay a lot of money and maintenance. The question I have, though, is will a bodyguard really go to the mat for you? Unless their life is in danger, what is their motivation to risk life and limb fending off an attacker? Besides, what happens if a well-placed kick in the cojones or kneecap leaves your well-paid, beefy bodyguard crying like a little girl on the pavement? Now there you are, standing unguarded and the target of the next swing from the lead-pipe-wielding whacko.

A more effective strategy is to learn self-defense so that you don't need a bodyguard except in special situations. You don't have to be a kung-fu master to fend off an attack, but you do have to know what your capabilities are and how to execute them.

Same is true for application security. While some app security stuff can be done effectively and efficiently in the network, like protocol and schema validation, D/DoS mitigation, etc., the rest is better done in the application where the business logic resides. The app developers know what inputs should be acceptable, what accesses users and roles should have, and what permissions should be required in a multi-step process. The web app firewall doesn't. The web app firewall has to be told what to do with each new app and each change to existing apps. So someone should build in the "security" stuff somewhere in the architecture, and it belongs tightly coupled with the application logic, not divorced from it.
Mike Fratto
8/26/2008 10:58 AM
Mike, Mike, Mike... ;-)

"A more effective strategy is to learn self-defense so that you don't need a body guard except in special situations."

Self-defense against which attack? Yesterday's? Today's? Tomorrow's? The analogy isn't perfect, mind you, as application threats require specific countering moves whereas general self-defense can work against many types of attacks. Even so, when you're taught self-defense they specifically teach you "This move works against this type of attack." So you have to not only know the defense, but how to recognize the attack.

"The web app firewall has to be told what to do with each new app and each change to existing apps."

And the application has to change to defend against every new threat. Unlike a WAF, this requires new code, testing, and redeployment. That's a brittle system that incurs additional costs and, unfortunately, the potential for introducing more errors due to changes in code.

And yeah, for us a bodyguard is pretty useless. But for people who might be targets, is it? How many threats are stopped simply because those bodyguards exist? And how many would succeed if there was no bodyguard...

Application logic security, yes. General data scrubbing/input validation/etc...? That's not logic, that's essentially schema. Easy for a WAF to handle and leaves the application developer without the burden of needing to learn every attack there is and how to counter it.

There's room for both strategies, and they can complement and augment each other.
Lori MacVittie
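The inline-versus-in-app point from the post, and the schema-versus-business-logic split Mike and Lori argue over above, as an added example in Python. This is not code from the post, from F5, or from any commenter. It models a WAF-style filter that knows only the request shape it has been told about (method, path, body-size ceiling, a pattern per field) in front of an application handler that knows who owns which account and how much they may move, with a meter counting the work the application actually performed. The `/api/transfer` path, `EDGE_SCHEMA`, `ACCOUNTS` and every sample request body are constructed for the demonstration and stand for nothing real.

```python
"""Added example: a WAF-style shape filter in front of an application handler.

Everything here is constructed for illustration: the schema the filter is
told about, the account store, the request bodies. The Meter records the
work the application performed, the post's wasted CPU/memory/connections.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    path: str
    body: bytes
    user: str = "anon"      # identity from an authenticated session (constructed)


@dataclass
class Meter:
    accepted: int = 0       # requests the application had to accept and parse
    db_reads: int = 0       # account lookups the application performed


# What the edge filter has been *told* about this application (constructed):
# allowed methods, a body-size ceiling and a pattern per expected field.
EDGE_SCHEMA = {
    "/api/transfer": {
        "methods": {"POST"},
        "max_body": 256,
        "fields": {
            "account": re.compile(r"[0-9]{8,12}\Z"),
            "amount": re.compile(r"[0-9]{1,7}(\.[0-9]{1,2})?\Z"),
        },
    },
}

# Toy account store that only the application knows about (constructed).
ACCOUNTS = {"alice": {"account": "12345678", "limit": 1000.0}}


def parse_form(body: bytes) -> dict:
    """Strict application/x-www-form-urlencoded parse; raises on junk."""
    pairs = parse_qs(body.decode("ascii"), strict_parsing=True)
    return {name: values[0] for name, values in pairs.items()}


def edge_filter(req: Request, schema=EDGE_SCHEMA):
    """WAF-style check on request shape only. Returns an HTTP status to
    reject with, or None to hand the request on to the application."""
    rule = schema.get(req.path)
    if rule is None:
        return 404
    if req.method not in rule["methods"]:
        return 405
    if len(req.body) > rule["max_body"]:
        return 413          # rejected before the body is even parsed
    try:
        params = parse_form(req.body)
    except (UnicodeDecodeError, ValueError):
        return 400
    for name, pattern in rule["fields"].items():
        if name not in params or not pattern.match(params[name]):
            return 400
    return None


def application(req: Request, meter: Meter) -> int:
    """Business logic the filter cannot know: who owns which account and
    how much they may move. It validates its own input too, but only after
    having accepted and parsed the request."""
    meter.accepted += 1
    try:
        params = parse_form(req.body)
        account, amount = params["account"], float(params["amount"])
    except (UnicodeDecodeError, ValueError, KeyError):
        return 400
    meter.db_reads += 1
    owner = ACCOUNTS.get(req.user)
    if owner is None or owner["account"] != account:
        return 403
    # float() happily accepts "nan", "inf" and "-5"; the edge pattern never
    # lets those through, so the application has to guard explicitly.
    if not 0 < amount <= owner["limit"]:
        return 403
    return 200


def handle_inline(req: Request, meter: Meter) -> int:
    """Deployment A: filter in front; the application sees only clean requests."""
    status = edge_filter(req)
    return status if status is not None else application(req, meter)


def handle_in_app(req: Request, meter: Meter) -> int:
    """Deployment B: no filter; the application absorbs every request itself."""
    return application(req, meter)


if __name__ == "__main__":
    samples = [  # constructed requests
        ("well-formed", b"account=12345678&amount=100.00"),
        ("malformed", b"account=abc&amount=x"),
        ("oversized", b"account=12345678&amount=1&pad=" + b"x" * 300),
        ("wrong owner", b"account=99999999&amount=5"),
    ]
    for label, body in samples:
        req = Request("POST", "/api/transfer", body, user="alice")
        a, b = Meter(), Meter()
        print(f"{label:12} inline -> {handle_inline(req, a)} {a}   "
              f"in-app -> {handle_in_app(req, b)} {b}")
```

Run it and the malformed and oversized requests cost the application nothing under the inline deployment, but a full accept-and-parse (and, for the padded one, a database read and a successful transfer) when the only checks live in the application. The `account=99999999` request goes the other way: it passes every shape check and can only be stopped by the application, which is Mike's point that the filter has to be told the schema and can never know who owns which account.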
8/26/2008 7:46 PM
One other thing: the bodyguard in front and the bodyguard in back have to know each other and be on the same team; they must have trained together and know their respective roles. Our data center guys tell us that their IDS is frequently tripped by their own customers, who figured they didn't need to tell them about an application-level security modification.
Richard Petersen
8/27/2008 4:28 AM
@Richard

Great point! I wonder how *that's* going to work out "in the cloud"?

Lori MacVittie
