Ever wonder what security professionals see as their main barrier to achieving a strong application security posture? We wondered that, too, so we asked them. As part of F5 Labs’ first annual Application Protection Report, F5, in conjunction with Ponemon Institute, surveyed security professionals on a slew of security-related topics. In answer to this particular question, 57% of respondents cited “lack of visibility into the application layer.” 

We’ve heard this repeatedly from customers and the InfoSec community—this is not new for any of us. In fact, one of our first F5 Labs articles was about app visibility. But, it’s a tricky problem to solve for several reasons.

First, apps today can be hosted anywhere—in the cloud, on premises, in a hosting facility, or any combination of these, which makes them far more challenging to keep track of than in the past. On average, the organizations we surveyed run 765 applications, but it’s not unheard of for mega corporations to run many thousands of applications. When we asked survey respondents how confident they are in their ability to keep track of these apps, 24% said they were only somewhat confident, and more than a third (38%) said they were not confident at all.

What makes the app visibility challenge even more daunting is the level of complexity in today’s apps. Web-based apps are large and contain many moving parts—dynamic web page generators, content distribution servers, databases, password files, HTTP services, data entry forms, shells, scripting languages, state tracking mechanisms, files and directories, domain name entries, encryption services—all connected over Internet service provider links. Like the applications themselves, these components can live in many different places: on premises in your data centers, hosted at a third-party facility, or in the cloud.

It’s Time to Adjust Our Thinking about Apps

To steal a line from a favorite ogre, “Apps are like onions—they have layers.” In fact, the application itself is the layers. An onion layer by itself would not be called an onion, but rather a piece of onion. All the layers need to be stacked together to form a complete onion, and the same is true of the components of an app.

We wanted an easy way to conceptualize all the interacting parts of an app and, at the same time, avoid confusion with the 7-layer OSI model, so we describe them as five distinct app tiers: