Reading Information Security Magazine can be a confusing experience, especially when you are looking at any security layer that is not network, e.g. identity, application, data and so on. Don't get me wrong, there are frequently good articles in the magazine (including Bejtlich's this month), and sadly enough, it is one of the best that the sorry field of IT journalism in general, and the even sorrier field of information security journalism, have to offer. This month there is an article on application security with the encouraging-sounding lead-in:
Despite perimeter defenses, application code is precariously insecure. Application-layer firewalls, when carefully deployed, can help block attacks.
However, from there we get a mishmash of products that are mainly from network security vendors (and many of them Information Security advertisers). Some of these serve useful purposes, but to say they even begin to address the issue stated above is like saying the TSA guys in the white shirts are making us safe while we are in the sky. Then there is a weird diagram showing application-layer firewalls operating in parallel with stateful firewalls. Apparently, the biggest architectural consideration is whether to put the network firewall or the application-layer firewall in front. Wow, I sort of thought it was a bit more complicated than that.
Some of the main factors listed for choosing an application-layer firewall are price and training. From there we get a table that is a conglomeration of what can best be described as things that have the word "application" in their marketing materials. Let's do the list: Breach, Secure Software, Application Security, NetContinuum, RATS, SPIKE, F5, Teros, and on and on. Many of the products listed have useful security properties, but they are hardly equivalent. A database vulnerability scanner is pretty distinct from a source code analysis tool, for example. One thing they both have in common, though, is that neither is an application-layer firewall, like, say, ModSecurity, which is not listed.
Of course, the article is not 100% bad; it does raise a certain amount of awareness, but we are nowhere close to where we need to be as an industry in app, data, and identity security. I think this article is a useful benchmark that shows the relative lack of understanding industry-wide of what some of the largest security risks we are facing actually are. Not a pretty prospect.
I realize I am being more critical than the article strictly deserves, because it really exemplifies where we are at as an industry more than anything, and the magazine _has_ produced decent app sec articles in the past, like James Foster's. But we need to move the ball down the field on this stuff, and we need to use the opportunities to educate with precision. This is why efforts like Kim Cameron's Laws of Identity are so valuable: they enable communication without oversimplifying the topic.
So here is my ask: please cover the app, data, and identity space to the same or deeper degree than you cover the network space. In the meantime, I guess we'll just keep asking: When will we be secure?