More and more companies interact with customers via digital channels, making the digital customer experience they provide a critical component of business success [1]. A crashed or poorly performing application will negatively impact customer confidence and drive up customer churn. Software has to be resilient to a broad range of potential disruptions to avoid these scenarios.
Of course, this places an unprecedented amount of responsibility and pressure on IT Operations and DevOps teams. They have to maintain software availability and functionality, and optimize the performance of customer-facing applications – all while deploying faster. The move toward rapid development and deployment models, such as Agile and DevOps, has increased the need for continuous visibility, monitoring and analysis of applications during development and at runtime [2].
Resilience of software has become more critical than ever before
The need for resilience is therefore at an all-time high and IT Operations teams typically focus on the following key levers to maintain it [3]:
- Application acceleration
- Load balancing
- Overall performance management
Where is security? Attacks on live applications are a leading cause of outages; they disrupt functionality and affect performance. So, while security is a key component of resilience, it is not on the above list of levers. It is usually an afterthought or perceived to be solely the responsibility of Information Security. One of the main reasons is that, historically, IT Operations teams were not equipped with tools to continuously monitor applications at a granular level [3].
Monitoring the security of a running application has been a game based on guessing and "Hope"
Until recently, we knew next to nothing about the security state inside a running application – unless developers built in custom logging. Without security visibility, security pros would typically:
- Hope the developers wrote secure code
- Harden the platform (e.g., OS, server, container) that the application is running on and hope nothing gets through
- Deploy an edge device (e.g., IPS, WAF) and hope blocking suspicious traffic is sufficient
- Hope your SOC finds the attack in time
- Hope that your incident response team can respond effectively
- Hope you have talented enough software engineering resources to fix an exploited vulnerability in code
Enter Application Security Monitoring
The advent of Application Security Monitoring (ASM) provides IT Operations and Security teams unprecedented visibility and control over the security of the application layer.
Operations teams already use similar tools for monitoring performance of the running application: Application Performance Management (APM) solutions such as AppDynamics, Dynatrace or New Relic. These telemetry products use an agent-based technology to instrument the running application and measure performance.
ASM solutions leverage the same technology to monitor security aspects of the application.
"We were searching for developer-oriented technologies like New Relic and AppDynamics for application for security….Contrast emerged as the most exciting."
Extending APM technology to monitor security
According to Gartner, Application Security Monitoring (ASM) and APM technologies often have a common architectural approach with respect to how they perform their primary functions [2]. ASM solutions, like Contrast, use agent-based technology to instrument applications and monitor security aspects of applications in production environments. Application Security Monitoring agents that gather security-relevant data and analyze it for indications of breaches are a logical adjacency to APM tools and provide many benefits to Operations teams [2].
ASM solutions fill the visibility gap that current Security & Operations teams experience when monitoring production applications for attacks. Since agents reside inside the application, they provide deep and granular visibility into the running application’s security state. Compare that with edge solutions, like an Intrusion Prevention System (IPS) or Web Application Firewall (WAF), that detect at the perimeter: they offer no visibility into whether the application is truly vulnerable, only “black box” data on application communications.
In addition to application layer visibility, Application Security Monitoring offers these key advantages over legacy tools:
Performance & Stability: Edge solutions fundamentally add latency to applications because of the added network hops and traffic scan time. Well-architected Application Security Monitoring agents, however, add only negligible latency even at scale.
Deployment: ASM agents offer rules that are functional out of the box. IPS and WAF products, on the other hand, require setup of rules that need constant adjustment and coordination with network teams to ensure they see the right traffic.
Scalability: ASM solutions are portable, so applications can be protected anywhere they are deployed, and they don’t require reconfiguration when new code is deployed. IPS and WAF products, on the other hand, need to be tuned with each new code deployment, which is far from ideal in DevOps environments. In addition, if applications move or infrastructure changes occur, edge solutions need to be re-deployed, or special cloud-ready solutions need to be brought online.
Application Security Monitoring products are like Application Performance Monitoring solutions: They bring a much-needed level of visibility to the world of continuous integration and continuous deployment of software. They beat out edge technologies like WAF and IPS in delivering insight into the security state of production applications, and also in terms of scalability and cloud-readiness. Application Security Monitoring solutions are destined to be a critical tool in the DevOps toolchain for organizations who need to optimize digital customer experience – which is virtually every organization today.