Everyone knows applications are the lifeblood of the enterprise, but as the threats multiply and come at an ever-faster rate, protecting those applications becomes a massive challenge. Layer in the issues associated with moving applications to the cloud, using open source code, implementing rapid release cycles, and being forced to use legacy apps when the development team is long gone, and it's easy to see that application security can be a thankless, endless job.
Layered security, or defense-in-depth, is an admirable goal. The problem is, how do you achieve it? We've been on the front lines for years, finding what works and what doesn't. In the process we have distilled five best practices that will help enterprises of any size tackle the thorny problem of application security in a dynamic world where change is the only constant.
A combination of defenses at the edge, in the network and inside the applications themselves forms the core of the best practices. Layered on top are two additional practices that make all the difference: full real-time visibility with analytics, to help beleaguered security analysts quickly distinguish real threats from noise and take action based on full context; and a consumption model that allow the enterprise to quickly, easily and cost-effectively move protections to where they will do the most good. The result? Vastly improved application security, effective remediation, and a DevSecOps model that works.
Greg Wolford, Solutions Architect, Imperva