CISO MAG - Free Issues Endpoint Security Powerlist | Page 12

KNOWLEDGE HUB Volume 3 Issue 10

Under the OSI model, Layer Seven puts security closest to the end-user as a transaction begins and ends its journey. While the theory makes sense, the reality is that this approach increasingly does not work. When the network packet leaves Layer 7 and enters the application, the source code of the application takes over, and this source code is rife with vulnerabilities. Various network security professionals have suggested adding a Layer 8, 9, or even 10 on top of the existing OSI model. These terms are often used to emphasize the importance of a strong "security culture" at the level of the individual or the organization, as well as the need for compliance with all applicable laws and regulations.

… rather the root cause of security problems. If organizations use only the OSI model for their security program, they risk building a wall around their proverbial fortress but leaving the front door unlocked.

Today's threat landscape is one of sophisticated attacks as well as hyperconnected infrastructure and applications; this means that the attack surface has expanded well beyond the network.

Layer 8 – Oh, the humanity!

While not official, Layer 8 (and sometimes 9 and 10) is often referred to as the Human Layer. This is the layer where people become part of the communication structure. This layer has been used to reference points of failure that result from people, such as organizational weaknesses, compliance or user negligence. Layer 8 could also include developers when they mistakenly introduce application vulnerabilities during the development lifecycle. Without official standards to govern the human element of information security, once data leaves the network, it enters the wild west of application code and business logic.
Since the OSI model only allows for network-based security controls, application code like open source libraries, APIs, and business logic are treated as security afterthoughts.

Many companies have traditionally relied on network-based solutions, like web application firewalls (WAFs), to provide protection beyond the network. But in order to protect vulnerable application code, security ultimately needs to be inside the application code itself. This is where runtime security solutions can automate the safeguarding of applications without the need for human interaction. The

CISO MAG | November 2019