The recommended practice for application security is to deploy a service gateway at the network edge as the first point of contact, or proxy, into the enterprise infrastructure, handling layer 7 protocols such as web, XML/SOAP and REST, or legacy protocols such as EDI. As enterprises embrace the mobile era they are confronted with a further widening of the attack surface that application security must address. The concept of application security must take on a new meaning and definition to cover both web-based and native mobile applications served from the enterprise datacenter. Each new web application or API is a hole in the enterprise security perimeter that increases exposure to threats and vulnerabilities such as code injection, denial of service, unauthorized access, and information leakage.
The traditional solution for application security involves new code development in the form of static validation, code reviews, form-based input validation, and the use of coded-in security SDKs. Coded-in security slows the pace of application changes: as an application security architect, it is hard to manage changing security policies once those policies are bound to your applications in code.
The hybrid enterprise also creates its own set of challenges for application security infrastructure, from the plan and design phase, through deployment and staging, to security and data protection in operation.
For application security today, the recommended solution is to approach security as its own dedicated layer. In other words, in addition to the traditional 3-tier architecture of presentation, domain and data, we add a fourth layer, the application security layer. If you are writing a 2-tier native mobile application the security layer sits in front of the API gateway and data tier. Similar to TCP/IP, channels of communication from the security layer downward are trusted.
In this architecture the Intel® Expressway Service gateway provides the full breadth of trust and threat functions for API and web services communication, removing the burden from the application developer.
The security layer handles the following application firewall functions:
Single point of authentication and perimeter defense for mobile app security
Single point of audit and enforcement for app security policies
Message scanning for malicious content
Enterprise grade AAA with support for IBM, CA, Oracle, Microsoft
Data anonymization for PCI and PII compliance, adding additional app security in case a device is lost or stolen
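The following is an added illustration of the security-layer idea, not code from this page or from the Intel Expressway product. It shows a minimal gateway filter that sits in front of the application tier and applies the functions listed above in order: it authenticates the caller at a single point, enforces a size limit, scans the message body against a small set of constructed signatures, masks PCI/PII fields before the message is forwarded, and emits one audit record per decision. The policy (token table, size limit, patterns, field names) is held in a dictionary rather than in application code, which is the decoupling the text argues for; the token table stands in for a lookup against an enterprise AAA system and the patterns are constructed samples, not a real rule set.

```python
import json
import re
import uuid
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

# Constructed sample policy. A real gateway would load this from its policy
# store so that rules change without redeploying the application behind it.
POLICY: Dict[str, Any] = {
    "require_auth": True,
    "max_body_bytes": 4096,
    # Constructed sample signatures for the message-scanning step.
    "blocked_patterns": [r"<script\b", r"\bunion\s+select\b", r"\.\./"],
    # Fields masked before the message reaches the data tier.
    "mask_fields": ["card_number", "ssn"],
    # Stands in for the enterprise AAA system (hypothetical token -> principal).
    "valid_tokens": {"token-abc123": "mobile-app-user"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    principal: Optional[str]
    forwarded_body: Optional[Dict[str, Any]]
    audit: Dict[str, Any] = field(default_factory=dict)


def authenticate(headers: Dict[str, str], policy: Dict[str, Any]) -> Optional[str]:
    """Single point of authentication: map a bearer token to a principal, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return policy["valid_tokens"].get(auth[len("Bearer "):])


def scan_body(raw_body: str, policy: Dict[str, Any]) -> Optional[str]:
    """Message scanning: return the first blocked pattern that matches, else None."""
    for pattern in policy["blocked_patterns"]:
        if re.search(pattern, raw_body, re.IGNORECASE):
            return pattern
    return None


def anonymize(payload: Dict[str, Any], policy: Dict[str, Any]) -> Dict[str, Any]:
    """Data anonymization: mask sensitive fields, keeping only the last four characters."""
    masked = dict(payload)
    for name in policy["mask_fields"]:
        value = masked.get(name)
        if isinstance(value, str) and len(value) > 4:
            masked[name] = "*" * (len(value) - 4) + value[-4:]
    return masked


def gateway_filter(request: Dict[str, Any], policy: Dict[str, Any] = POLICY) -> Decision:
    """Apply the edge policy to one request and return the decision plus its audit record."""
    headers = request.get("headers", {})
    raw_body = request.get("body", "")
    audit: Dict[str, Any] = {"request_id": str(uuid.uuid4()), "path": request.get("path")}

    principal = authenticate(headers, policy)
    if policy["require_auth"] and principal is None:
        return Decision(False, "unauthenticated", None, None, {**audit, "decision": "deny"})
    audit["principal"] = principal

    # Cheap resource check before any parsing, to limit denial-of-service exposure.
    if len(raw_body.encode("utf-8")) > policy["max_body_bytes"]:
        return Decision(False, "body_too_large", principal, None, {**audit, "decision": "deny"})

    hit = scan_body(raw_body, policy)
    if hit is not None:
        return Decision(False, "malicious_content", principal, None,
                        {**audit, "decision": "deny", "pattern": hit})

    try:
        payload = json.loads(raw_body) if raw_body else {}
    except json.JSONDecodeError:
        payload = None
    if not isinstance(payload, dict):
        return Decision(False, "malformed_body", principal, None, {**audit, "decision": "deny"})

    # Everything below the security layer is trusted, so masking happens here,
    # before the message is handed to the application or data tier.
    forwarded = anonymize(payload, policy)
    return Decision(True, "ok", principal, forwarded, {**audit, "decision": "allow"})


if __name__ == "__main__":
    sample = {"path": "/api/pay",
              "headers": {"Authorization": "Bearer token-abc123"},
              "body": '{"card_number": "4111111111111111", "amount": 10}'}
    print(gateway_filter(sample))
```

Because every check reads its parameters from the policy dictionary, changing the masked fields or the signature list is a policy update at the gateway rather than a code change in each application, and the audit record gives a single place to answer who was allowed or denied and why.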