What do Log4j and the Equifax, Colonial Pipeline, and SolarWinds attacks all have in common? They each happened at the application layer, also known as Layer 7 of the Open Systems Interconnection (OSI) model. The OSI model defines a hierarchical architecture that logically separates the standard functions of computer networking. In general, a layer operates on the data and connectivity enabled by the layers below. The application layer is the seventh and topmost of the layers, and because it is the one that interfaces with the open Internet, it's a rich target for malicious actors who are looking to gain access to your systems and your data.
Let's take the Log4Shell vulnerability, for example. A crucial vulnerability was disclosed just before Christmas 2021 in Log4j, an open source logging library found in Java applications. The exploitability of Log4Shell left systems, passwords, user data, and networks potentially open to exploitation. Since Log4j is a nearly ubiquitous piece of open source logging software in Java applications, and the vulnerability requires very little expertise to exploit, Log4Shell was one of the most severe computer vulnerabilities in years. Organizations around the globe scrambled to implement the fix, and the ramifications continue to be felt nearly a year later.
Vulnerabilities like Log4j are so damaging because the application layer is so valuable. The application layer is where users interface with systems, particularly data systems. The application layer is so valuable because it is the vector for information access.
Users exchange information at the application layer, and this dynamic interchange is what makes it a target for hackers. Finding and exploiting vulnerable code at the application layer means that hackers can access or redirect information from legitimate users to themselves, usually using common vulnerabilities such as cross-site scripting and SQL injection. In addition to hacking the application layer via vulnerable code, hackers use stolen user credentials, brute-force attacks, or session-farming techniques to steal data.
No matter what your business is, every business is now a software business, which is why every business needs to pay attention to application layer security. The vast majority of software development companies, even those that do in-house coding, use significant lines of open source code in their products. If threat actors can find vulnerable but widely adopted open source code, like an unpatched version of Log4j, they can capitalize on it everywhere it is used. This is why it is so important to secure the application layer rather than accept that it will always be a point of failure.
How to Secure the Application Layer
When it comes to securing the application layer, you need a combination of tools to do source code analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST).
Using these tools across your development cycle will help to secure your code at the application layer. Source code analysis (SCA) tools can detect the open source components of any application or container that allows you to remediate known vulnerabilities before releasing your code. SCA tools also help you compile a complete software bill of materials (SBOM) of the open source and third-party components used to build your applications and containers. Once you have this information, you're prepared to deal with vulnerabilities as they are announced because you will be able to locate where your code base needs remediation.
Static application security testing (SAST) tools help your development and security teams discover code weaknesses early in the SDLC and may even offer plug-ins that deliver coding solutions right to developers in the IDE, so they can find and fix security and quality defects as they write code.
Where SAST tools test code as your teams write it, dynamic application testing (DAST) tools allow you to test your applications from the outside, as they’ll appear to malicious actors. Some DAST tools can even safely scan applications in production without the need for a separate test environment. They then deliver a prioritized list of vulnerabilities, and the guidance to fix them.
Application layer data breaches are expensive in money, development time, and reputational damage. Ensure that you’re securing your application layer with solutions like Black Duck SCA, Coverity SAST, and WhiteHat DAST. By building security into your software as quickly as you code it, you're protecting your bottom line by building trust in your software — at the speed your business demands.
About the Author
Tim Mackey is a Principal Security Strategist within the Synopsys CyRC (Cybersecurity Research Center). He joined Synopsys as part of the Black Duck Software acquisition, where he worked to bring integrated security scanning technology to Red Hat OpenShift and the Kubernetes container orchestration platforms. As a security strategist, Tim applies his skills in distributed systems engineering, mission-critical engineering, performance monitoring, large-scale data center operations, and global data privacy regulations to customer problems. He takes the lessons learned from those activities and delivers talks globally at well-known events such as RSA, Black Hat, Open Source Summit, KubeCon, OSCON, DevSecCon, DevOpsCon, Red Hat Summit, and Interop. Tim is also an O’Reilly Media published author and has been covered in publications around the globe, including USA Today, Fortune, NBC News, CNN, Forbes, Dark Reading, TEISS, InfoSecurity Magazine, and The Straits Times.