The onset of the pandemic in 2020 saw an unimaginable shift to the digital world, where millions dived into cyberspace both as users and service providers. With restrictions imposed on physical mobility across the globe, even non-tech-savvy individuals had to plunge into the digital world just to stay connected with family and friends. The frequency and the number of financial transactions being executed online presented a massive opportunity for cybercriminals.
In an interview with Gregg Ostrowski, Executive CTO at Cisco AppDynamics, Minu Sirsalewala, Editorial Consultant at CISO MAG, discussed how ransomware attackers and cybercriminals increasingly exploit vulnerabilities created by gaps in rapid digital transformation, and how the increased use of applications, driven by the pandemic, has changed the way application security is viewed: security sits on top of the total application experience.
Ostrowski is an Executive CTO at AppDynamics, part of Cisco. He engages with customer senior leadership to help prioritize their strategy for digital transformation. Prior to AppDynamics, Ostrowski held senior leadership positions at Samsung and Research in Motion.
Excerpts from the interview follow:
Can you explain why Application Security has gained so much importance in the past year?
In the world we live in today, applications have become critical to our daily lives; they are critical to us and to the companies or organizations we work with. To help attract new customers, retain customers, and keep them happy, they need to create rapid development cycles. As they needed to innovate quickly, they started introducing different cloud technologies.
With the expansion of the existing infrastructure – which typically runs on-premises – it has sprawled to include additional cloud components or additional dependencies for that application. So, what you’re seeing is a sprawl of the overall application topology or the application map that makes all these things work. With all these different dependencies and the need for speed to deliver applications, going with an application security approach or application-first security really helps our customers stay ahead of the game and understand what’s happening from a security perspective across all the dependencies of that application. For companies looking to build rapidly, attract new customers and ensure the desired user experience, security needs to be placed in an application-first type of mentality.
This enables businesses to understand the application stack from a user experience, performance, and security perspective as security affects users more than performance, and a security threat is highly detrimental to the brand.
Is there something called beyond Layer 7 security? If so, what is it?
That is a really interesting question. The OSI model, as we know, has 7 layers, and the 7th layer is the Application Layer; everything underneath is a dependency for that application, all the way down to the physical servers (Physical Layer).
I wouldn’t necessarily consider a layer beyond seven, but security must be the critical component of every step along the way. So, each piece is going to be implementing security. Be it Denial of Service (DoS) attacks or threat detection, or intrusion detection where application security comes in, it brings all the components together and allows full visibility of the entire layer from a security perspective. I wouldn’t call it beyond Layer 7; rather it is an evolution of how security fits into the overall OSI model.
How can we use Cisco Secure Application to detect and block threats in real time?
AppDynamics, the product overall, has an agent-based model that runs in the runtime of the application. We have included the security, Cisco Secure Application, within the runtime of the application. This enables us to analyze and understand what’s happening, not just for performance, but also how it is being affected by any kind of security threats or vulnerabilities.
And we do that by being able to pull in data from public resources and some proprietary resources that run a list of the current threats and vulnerabilities. So, there is a real-time alert pop-up with tracking that shows where the security threat is happening. We did an application stack, and once a threat is found, we can simply alert and send out a notification to the security teams and the application. And as a preventive measure, we can go down and block that component of the application from becoming more detrimental to the business. This enables both teams – the application teams and the security teams – to collaborate on how to really address the threat.
For example, if there is a web server that’s running version 2.5 and version 2.7 happens to have a threat, it can notify the customer that an upcoming version of one of the components of your application stack has an upcoming vulnerability, so they can address it before it hits the production servers.
Prioritizing and classifying data is key to data management. How can organizations prioritize threats by business impact?
One of the key fundamental aspects of AppDynamics is being able to present it in the business context. We can use our AI capabilities to provide the insights to stack rank on how these threats are coming in and which is the most critical to the business, thereby allowing a window for the IT teams to know which ones to go out and fix.
A good example would be a payment service that affects multiple applications, since, given the way apps are built, multiple tasks are performed in a shared-service type model. Most of these deployed applications run in a microservice-type architecture. So here, the payment service is the most valuable piece to the business, as it is directly tied to the business revenue. Using the AI, we can prioritize the detection and fixing of the threat for the payment service application in comparison to other threats that were coming in and were picked up by Cisco security.
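The two answers above describe matching deployed (and about-to-be-deployed) component versions against a vulnerability feed and then ranking the hits by business impact. The following is an added example that is not from the interview, AppDynamics or Cisco Secure Application; the service names, business weights, advisory ids and the severity-times-weight score are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory (assumption, not AppDynamics data): components per
# service plus a business weight; the payment service carries the most weight
# because, as the interview says, it is tied directly to revenue.
SERVICES = {
    "payment-service":    {"business_weight": 10, "components": {"webserver": "2.5"}},
    "catalog-service":    {"business_weight": 4,  "components": {"webserver": "2.7"}},
    "newsletter-service": {"business_weight": 1,  "components": {"imagelib": "1.2"}},
}

# Planned upgrades: the "upcoming version" case from the interview.
STAGED_UPGRADES = {"payment-service": {"webserver": "2.7"}}

# Constructed advisory feed (placeholder ids, not real CVEs): affected
# versions per component and a severity on a 1-10 scale.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-1", "component": "webserver", "affected": {"2.7"}, "severity": 8},
    {"id": "ADV-CONSTRUCTED-2", "component": "imagelib",  "affected": {"1.2"}, "severity": 9},
]

@dataclass
class Finding:
    service: str
    component: str
    version: str
    advisory: str
    stage: str    # "running" (in production) or "staged" (not yet deployed)
    score: int    # assumed scoring: advisory severity x business weight

def match_findings(services, staged, advisories):
    """Flag every running or staged component version named in an advisory."""
    findings = []
    for name, svc in services.items():
        versions = [(c, v, "running") for c, v in svc["components"].items()]
        versions += [(c, v, "staged") for c, v in staged.get(name, {}).items()]
        for comp, ver, stage in versions:
            for adv in advisories:
                if adv["component"] == comp and ver in adv["affected"]:
                    findings.append(Finding(name, comp, ver, adv["id"], stage,
                                            adv["severity"] * svc["business_weight"]))
    return findings

def rank_by_business_impact(findings):
    """Stack-rank findings so the highest business-impact item is fixed first."""
    return sorted(findings, key=lambda f: f.score, reverse=True)

if __name__ == "__main__":
    for f in rank_by_business_impact(match_findings(SERVICES, STAGED_UPGRADES, ADVISORIES)):
        print(f"{f.score:>4}  {f.service:<20} {f.component} {f.version} ({f.stage}) {f.advisory}")
```

With this data the staged webserver 2.7 upgrade for the payment service ranks first even though the newsletter service carries the higher raw severity, which is the business-context ordering the answer describes.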
How beneficial is the Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) approach?
I think it is definitely beneficial. When one implements application security testing before the application goes to production, you are putting security in the process of your CI/CD pipeline. As security testing is done pre-production, Cisco Secure Application monitors the application while it is running in production.
It is best to move through the scanning process while you are building the application, ensuring security is part of the CI/CD pipeline.
AppSec is a focus area for CISOs with the increasing incidents of data breach. How can DevSecOps help mitigate the security risks and enhance application security?
There is a need to start thinking and bringing teams together and collaborating across all aspects of the application development. I strongly believe CISOs need a seat at the table. When one goes through the development cycle, the DevSecOps model, you want to make sure that security is built into the application from the word go. The CISO’s role is to look at what new advancements and capabilities need to be incorporated from the security aspect.
When an organization starts focusing on building applications that drive a high-end user experience and performance, the CISO ensures that the application is secure. Their role is not limited to ensuring the latest security technologies but also driving innovations or new user experiences along with security.
DevSecOps is a very, very strong growth trend in the industry. If organizations are not embracing it, it is highly recommended that they consider building some practice that helps with security within their DevOps.
Learnings from the Facebook outage?
This is truly an example that anybody and everybody could be vulnerable. Though I have not been closely tied to the issue at Facebook, from what I have read and understood, there were multiple shared services, and their entire ecosystem was taken out. The sprawling IT infrastructure is causing the same level of concern for a lot of our customers, with multiple dependencies and interdependence, neutropenic type environments where risk must be managed, completely or inclusively.
When you have multiple different applications running in a shared service environment, you do not know where to target first and resolve the issue. It is a combination of both performance as well as security; this incident is a validation of the efforts we need to put at viewing every single dependency of the application stack from a business and security perspective. This also includes the infrastructure that is running on-premise or cloud. Most important is to have the right tools and visibility to be able to do their jobs right.
Security recommendations or best practices?
A DevSecOps model is definitely a strong way of getting started. The second one is to ensure the CISO’s seat at the table when it comes to new innovations and new capabilities. Many organizations are working in silos and not communicating enough to focus on the same direction, thereby impacting the business. You have the infrastructure team, the network team, the development team all working in silence. This delays delivery and leads to misalignment of the organization. Having everybody on the same page with a common goal for the business helps align your teams a little bit tighter for the greater good of all.
About the Interviewer
Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.