The “Application Layer” – an Important Matter of Perspective
by Ramon Krikken | April 25, 2012
Security at the application layer is getting ever more attention due to the large number of vulnerabilities that keep popping up in off-the-shelf and home-built software (although, in my opinion, it is still not getting enough attention). Aside from expanding security activities in the SDLC, we’re seeing calls for – amongst other things – application monitoring. But what does “application” mean in these cases?
When I look at various application security efforts, it seems that security coverage for the application platform (the middleware, if you will) and for databases (or other data repositories) is hit-or-miss. The same is true for infrastructure-focused security coverage. So whose responsibility is it? What bucket do these fall into? Consider that:
- Systems and network teams generally consider middleware and databases to be part of the application layer
- Application teams generally consider middleware and databases to be part of the infrastructure
And it is not just middleware and databases. Just ask IT teams who should, for example, own and manage a web application firewall, which sits in the network path but enforces rules about application behavior. Or ask whether monitoring administrative users in business applications counts as “privileged user monitoring,” or whether that term covers only operating system and database administrators. The answers are certainly not always clear-cut.
I don’t have a perfect answer either – splitting the world into the tiniest of buckets isn’t necessarily helpful. But coarse-grained buckets with no agreement on what goes where aren’t helpful either. Let’s just remember that differences in perspective must be acknowledged and dealt with, or control gaps will eventually form in exactly the places each team assumes the other one covers.