Ergon Airlock Header
  • Product presentation
  • Management I
  • Cloud Security
  • Data security / DLP / Know-how protection
  • Industry 4.0 / IoT / Edge Computing
  • Network Security / Patch Management
  • SIEM / Threat Analytics / SOC
  • Trend topic

Application Security - quo vadis?

Application security is more than just a web application firewall. We show you where the journey is going.

6/15/2021 1:45:00 PM – 6/15/2021 2:00:00 PM


Language: German

Questions and Answers: Yes

Action description

The evolution of web technologies, DevOps and the emergence of container platforms pose great challenges for security managers. This presentation will highlight the most important aspects they will have to face in the future.
The classic web application has had its day
Traditional server-rendered web applications are increasingly being replaced by single-page applications (SPAs) and native mobile apps. WAF technologies built to protect simple HTML pages are no longer sufficient: the interaction paradigm between client and server has changed fundamentally, right down to the transport formats (structured API payloads rather than HTML forms). APIs are becoming the new heart of web applications.
Challenge #1: Who protects all the APIs?
OWASP (the Open Web Application Security Project) has responded to this trend with a separate, specialised top ten list for API security, first published in late 2019. Because APIs give much more direct access to business objects and resources, new risks arise. For example, authorization of access to objects must never be left to the client. An SPA may well hide or disable what the user is not allowed to see, but an attacker is not bound to the official user interface and can call the API directly with any object identifier. Authorization therefore has to be enforced server-side, in front of the services, which is why an API edge gateway is required.
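The point above, that client-side access control is no control at all, as an added example that is not code from the presentation or from the Airlock product. It uses a constructed in-memory order store and a minimal request model (the names `ORDERS`, `Request`, `get_order_insecure`, `get_order_secure` and `reachable_orders` are hypothetical) in place of a real API framework; `req.user` stands for the identity the authentication layer has already established.

```python
"""Object-level authorization: enforced in the SPA (vulnerable) vs. on the server (hardened).

Added illustration; not code from the Airlock presentation. The data, the
request model and the handler names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed sample data: two customers, each owning one order.
ORDERS = {
    1001: {"owner": "alice", "total": 49.90},
    1002: {"owner": "bob", "total": 120.00},
}


@dataclass(frozen=True)
class Request:
    user: str       # identity established upstream (e.g. from a validated OIDC token)
    order_id: int   # taken from the URL path, e.g. GET /api/orders/1002


def spa_order_links(user: str) -> list:
    """What the SPA renders: only the user's own orders. This is UI, not access control."""
    return [oid for oid, o in ORDERS.items() if o["owner"] == user]


def get_order_insecure(req: Request) -> dict:
    """Vulnerable handler: trusts that the SPA only ever asks for the caller's own orders.

    Any authenticated user can read any order by changing the ID in the request
    (broken object level authorization, OWASP API Security Top 10 2019, API1).
    """
    order = ORDERS.get(req.order_id)
    if order is None:
        return {"status": 404}
    return {"status": 200, "order": order}


def get_order_secure(req: Request) -> dict:
    """Hardened handler: the ownership check runs on the server for every call."""
    order = ORDERS.get(req.order_id)
    # Same 404 for "missing" and "not yours", so the API does not leak which IDs exist.
    if order is None or order["owner"] != req.user:
        return {"status": 404}
    return {"status": 200, "order": order}


def reachable_orders(handler: Callable[[Request], dict], user: str) -> list:
    """Simulate an attacker bypassing the SPA: call the API directly for every known ID."""
    return [oid for oid in ORDERS if handler(Request(user, oid))["status"] == 200]


if __name__ == "__main__":
    # The SPA shows alice only order 1001 ...
    print("SPA shows alice:", spa_order_links("alice"))
    # ... but nothing stops her client from requesting 1002 directly.
    print("insecure API, alice can read:", reachable_orders(get_order_insecure, "alice"))
    print("secure API,   alice can read:", reachable_orders(get_order_secure, "alice"))
```

The UI filter in `spa_order_links` and the check in `get_order_secure` look similar, but only the second one is reached by a request that never went through the SPA; that is the check an API gateway or the service itself has to perform.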
Challenge #2: Authentication and Access Management
One of the most important issues when protecting web resources is access control: who may access which objects, and when? Standards such as OAuth 2.0, OpenID Connect and SAML exist for this purpose, but they are not part of a typical WAF's feature set. To answer the "who, what and when" questions sensibly, the first thing needed is a suitable authentication solution that establishes the identity of users, who of course do not want to log in afresh on every access. A concept for comprehensive single sign-on across the web and API channels is therefore needed. Moreover, the identities in question are mostly heterogeneous and include a large number of "external" users, such as customers or partners.
So-called cIAM (Consumer IAM) systems address this need. They are optimised for large numbers of users and offer a good user experience through integrated UIs for onboarding and self-service. Support for social identities (bring your own identity, BYOI) and a high degree of flexibility in the authentication flow (adaptive authentication) are crucial here.
Challenge #3: Micro-Segmentation and DevOps
WAFs must reinvent themselves not only functionally; new challenges also arise in how they are deployed. With the rise of microservice architectures and DevOps, large centralised WAF installations are increasingly being questioned. The coordination they require between application owners, WAF administrators, developers and the security team costs efficiency and causes frustration.
It would be better if these tasks could be segmented along the services being protected. Concretely, DevOps teams must be able to take responsibility for their services end to end, security included, from the first line of code through to production. For this to be possible at all, WAFs must be available as lightweight containers that can be deployed flexibly on Kubernetes or OpenShift in front of individual services. In this model, the central security appliance guarantees a security baseline, while integration work and the development of service-specific security policies are done close to the service by specialists with detailed knowledge of what they are protecting.
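The per-service deployment model described above, as an added configuration sketch that is not from the presentation or any Airlock product documentation. It shows the generic Kubernetes sidecar pattern: a WAF container in the same pod as the service, owned by the service's own team, with the policy versioned next to the service. Image names, ports, the ConfigMap name and the resource names are placeholders, not real artefacts.

```yaml
# Added illustration of a per-service WAF sidecar on Kubernetes.
# Images, ports and names are placeholders, not any vendor's real artefacts.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
spec:
  replicas: 2
  selector:
    matchLabels: {app: orders-api}
  template:
    metadata:
      labels: {app: orders-api}
    spec:
      containers:
      - name: waf                                   # lightweight WAF owned by the DevOps team
        image: example.invalid/waf-sidecar:1.0      # placeholder image
        ports:
        - containerPort: 8443                       # the only port the Service exposes
        volumeMounts:
        - name: waf-policy
          mountPath: /etc/waf                       # service-specific policy, mounted read-only
          readOnly: true
      - name: orders-api
        image: example.invalid/orders-api:1.0       # placeholder image
        ports:
        - containerPort: 8080                       # not exposed by the Service; see note below
      volumes:
      - name: waf-policy
        configMap:
          name: orders-api-waf-policy               # versioned alongside the service's code
---
apiVersion: v1
kind: Service
metadata:
  name: orders-api
spec:
  selector: {app: orders-api}
  ports:
  - port: 443
    targetPort: 8443                                # traffic enters through the WAF sidecar
```

Leaving port 8080 out of the Service is not enough on its own: other pods in the cluster can still reach the pod IP directly unless a NetworkPolicy restricts ingress to the WAF port, so the sidecar pattern should always be paired with one. The central appliance at the edge remains in place for the baseline; the sidecar carries the policy that only the service's own team can write correctly.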
The case for an integrated solution
A modern application security solution should be able to meet all of these requirements at once: API protection, authentication and access management, and a deployment model that fits microservices and DevOps.

This action is part of the event IT Security Talks June 2021