Supercharged Application Resilience: Improve Performance with Application Security Monitoring
More and more companies interact with customers via digital channels, making the digital customer experience they provide a critical component of business success1. A crashed or poorly performing application will negatively impact customer confidence and drive up customer churn. Software has to be resilient to a broad range of potential disruptions to avoid these scenarios.
Of course, this places an unprecedented amount of responsibility and pressure on IT Operations and DevOps teams. They have to maintain software availability and functionality, and optimize the performance of customer facing applications – all while deploying faster. The move toward rapid development and deployment models, such as Agile and DevOps, has increased the need for continuous visibility, monitoring and analysis of applications during development and at runtime2.
Resilience of software has become more critical than ever before
The need for resilience is therefore at an all-time high and IT Operations teams typically focus on the following key levers to maintain it3:
- Application acceleration
- Load balancing
- Overall performance management
Where is security? Attacks on live applications are a leading cause of outages, disrupt functionality and affect performance. So, while security is a key component of resilience, it is not on the above list of levers. It is usually an after-thought or perceived to be solely the responsibility of Information Security. One of the main reasons for that is, historically, IT Operations teams were not equipped with tools to continuously monitor applications at a granular level3.
Monitoring the security of a running application has been a game based on guessing and "Hope"
Until recently, we knew next to nothing about the security state inside a running application – unless developers built in custom logging. Without security visibility, security pros would typically:
- Hope the developers wrote secure code
- Harden the platform (e.g., OS, server, container) that the application is running on and hope nothing gets through
- Deploy an edge device (e.g., IPS, WAF) and hope blocking suspicious traffic is sufficient
- Hope your SOC finds the attack in time
- Hope that your incident response team can respond effectively
- Hope you have talented enough software engineering resources to fix an exploited vulnerability in code
Enter Application Security Monitoring
The advent of Application Security Monitoring (ASM) provides IT Operations and Security teams unprecedented visibility and control over the security of the application layer.
Operations teams already use similar tools for monitoring performance of the running application: Application Performance Management (APM) solutions such as AppDynamics, Dynatrace or New Relic. These telemetry products use an agent-based technology to instrument the running application and measure performance.
ASM solutions leverage the same technology to monitor security aspects of the application.
"We were searching for developer-oriented technologies like New Relic and AppDynamics for application for security….Contrast emerged as the most exciting."
John Monagle
General CatalystHear what else John had to say about Contrast in this short video >>
Extending APM technology to monitor security
Extending APM technology to monitor security According to Gartner, Application Security Monitoring (ASM) and APM technologies often have a common architectural approach with respect to how they perform their primary functions2. ASM solutions, like Contrast, use agent-based technology to instrument applications and monitor security aspects of applications in production environments. Application Security Monitoring agents that gather security-relevant data and analyze it for indications of breaches are a logical adjacency to APM tools and provide many benefits to Operations teams2.
ASM solutions fill the visibility gap that current Security & Operations teams experience when monitoring production applications for attacks. Since agents reside inside the application, they provide deep and granular visibility into the running application’s security state. Compare that with edge solutions (like an Intrusion Prevention System (IPS) or Web Application Firewall (WAF)) that detect at the perimeter: so there is no visibility into whether the application is truly vulnerable, only “black box” data on application communications.
In addition to application layer visibility, Application Security Monitoring offer these key advantages over legacy tools:
Performance & Stability: Edge solutions fundamentally add latency to applications because of the added network hops and traffic scan time. Well architected Application Security Monitoring agents, however, only add negligible latency even at scale.
Deployment: ASM agents offer rules that are functional out of the box. IPS and WAF products, on the other hand, require setup of rules that need constant adjustment and coordination with network teams to ensure they see the right traffic.
Scalability: ASM solutions are portable, so applications can be protected anywhere they are deployed. And, they don’t require reconfiguration when new code is deployed. On the other hand, IPS and WAF products need to be tuned with each new code deployment, which is far from ideal in DevOps environments. In addition, if applications move or infrastructure changes occur, edge solutions need to be re-deployed, or special cloud-ready solutions need to be brought online.
Conclusion
Application Security Monitoring products are like Application Performance Monitoring solutions: They bring a much-needed level of visibility to the world of continuous integration and continuous deployment of software. They beat out edge technologies like WAF and IPS in delivering insight into the security state of production applications, and also in terms of scalability and cloud-readiness. Application Security Monitoring solutions are destined to be a critical tool in the DevOps toolchain for organizations who need to optimize digital customer experience – which is virtually every organization today.
- https://newrelic.com/resource/digital-customer-experience-best-practices
- https://www.gartner.com/doc/3692717/application-performance-monitoring-application-security
- http://www.esecurityplanet.com/network-security/application-performance-management-offers-security-benefits.html
- http://www.networkcomputing.com/networking/high-price-it-downtime/856595126
Mahesh Babu
Mahesh leads Product Marketing for Contrast's Application Security Platform at Contrast Security. He takes every opportunity to tell everyone how Contrast has fundamentally changed application security for the first time since he started working in security 10+ years ago. Mahesh has seen the industry evolve as a researcher, consultant, and practitioner within a large bank. He began his career as a security researcher at the CERIAS center at Purdue University. He then went on to build and scale large security & privacy programs a Senior Manager & architect for HSBC Information Security & Risk. He also spent time as a consultant at Deloitte and Booz & Company. Mahesh has a BS in Computer Science and MS in Information Security from Purdue University and an MBA from Duke University.
Loving our content? Subscribe now!
Get the latest application security news, trends, tips and insights content from Contrast directly to your inbox. By subscribing, you will stay up to date with all the latest and greatest from Contrast Security.