KNOWLEDGE HUB
Volume 3, Issue 10
rather the root cause of security problems. If organizations use only the OSI model for their security program, they risk building a wall around their proverbial fortress but leaving the front door unlocked.

Under the OSI model, Layer Seven puts security closest to the end-user, as a transaction begins and ends its journey there. While the theory makes sense, the reality is that this approach increasingly does not work. When the network packet leaves Layer 7 and enters the application, the source code of the application takes over, and this source code is rife with vulnerabilities.

While not official, various network security professionals have suggested adding a Layer 8, 9, or even 10 on top of the existing OSI model. These terms are often used to emphasize the importance of a strong "security culture" at the level of the individual or the organization, as well as the need for compliance with all applicable laws and regulations.

Layer 8 – Oh, the humanity!

Layer 8 (and sometimes 9 and 10) is often referred to as the Human Layer. This is the layer where people become part of the communication structure. It has been used to reference points of failure that result from people, such as organizational weaknesses, lapses in user compliance, or negligence. While not intentional, Layer 8 could also include developers when they mistakenly introduce application vulnerabilities during the development lifecycle.

"Today's threat landscape is one of sophisticated attacks as well as hyperconnected infrastructure and applications; this means that the attack surface has been expanded well beyond the network."
Without official standards to govern the human element of information security, once data leaves the network it enters the wild west of application code and business logic. Many companies have traditionally relied on network-based solutions, like web application firewalls (WAFs), to provide protection beyond the network. But in order to protect vulnerable application code, security ultimately needs to be inside the application code itself.

"Since the OSI model only allows for network-based security controls, application code like open source libraries, APIs, and business logic are treated as security afterthoughts."
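To make the perimeter-versus-in-code point concrete, here is an added example (not code from the article or from any product it describes). It assumes a deliberately crude single-pattern filter standing in for a WAF signature, a constructed in-memory SQLite table of two users, and a lookup function written with the kind of string-spliced SQL the article calls a Layer 8 developer mistake. The same lookup rewritten with a bound parameter is the "security inside the application code" alternative.

```python
"""Perimeter filter versus in-application control (constructed example)."""
import re
import sqlite3

# Assumption: a one-rule stand-in for a perimeter WAF signature. It only
# sees the raw request value and matches the textbook "' OR " payload.
_WAF_SIGNATURE = re.compile(r"'\s+or\s+", re.IGNORECASE)


def waf_would_block(payload: str) -> bool:
    """Return True if the perimeter signature matches the raw request value."""
    return _WAF_SIGNATURE.search(payload) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two rows (ids 1 and 2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Business logic that splices user input into SQL: the developer mistake."""
    query = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def hardened_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter; the control lives in the code itself."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (username,)
    ).fetchall()


def demo() -> dict:
    """Run both payloads through the filter and both lookups; return the outcomes."""
    conn = make_db()
    obvious = "' OR '1'='1"
    # SQLite's tokenizer treats /* */ as whitespace, so the SQL still parses as
    # "name = '' OR '1'='1'", but the signature's "\s+" never sees a space.
    evasive = "'/**/OR/**/'1'='1"
    return {
        "obvious_blocked": waf_would_block(obvious),
        "evasive_blocked": waf_would_block(evasive),
        "vulnerable_rows": len(vulnerable_lookup(conn, evasive)),
        "hardened_rows": len(hardened_lookup(conn, evasive)),
    }


if __name__ == "__main__":
    print(demo())
```

The perimeter rule stops the obvious payload and misses the comment-padded one, after which the spliced query returns every user; the parameterised query returns nothing for either payload because the input is never parsed as SQL. Production WAF rule sets do normalise comments and would catch this particular variant; the durable property is that the bound-parameter version does not depend on anyone anticipating the next encoding.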
This is where runtime security solutions can automate the safeguarding of applications without the need for human interaction. The

CISO MAG | November 2019