Cyber attacks are growing more complex by the day, which makes them harder to detect. Most are executed in stealth mode, slipping past the monitoring that is supposed to catch them. Perhaps surprisingly, the focus of attackers has shifted from breaking into the website or server itself to breaking into the applications running on it.
This calls for changing the vocabulary of security so that it points at the root level of an infection. Whatever an attack does, it still has to travel through the OSI layers, so why not start representing security in terms of the OSI model?
What we are talking about, then, is securing the application layers, and we call it Layer 7 security. Although we say Layer 7, in practice it means securing the upper layers from Session (layer 5) through Application (layer 7), the layers the TCP/IP model folds into a single application layer. Sounds interesting, right?
At the fundamental level, we are putting security measures in place to keep our applications from falling into the traps of worms and attacks that target application services rather than hosts. For example, we use Outlook as a mail client and also reach the same mailbox over the internet through a browser. Logically the same service is therefore reachable over more than one protocol and port, SMTP on TCP/25 and HTTP on TCP/80, and returns the same data on each. Those ports must stay open for the service to work, so an attacker who wants to compromise the application already knows there is a legitimate, open channel through which it speaks. That knowledge completes the first level of information gathering: finding the point through which an infection can be introduced.
The funniest part is that we usually neglect the possibility of application infection altogether. We assume the application we built is secure, that it will run smoothly under any conditions, and that whatever problems arise will come only from the infrastructure hosting it. That is why we put all our effort into securing the infrastructure and leave the application as it is.
OWASP talks heavily about securing applications against its Top 10, the most critical web application security risks. It gives us fundamental guidelines for assessing an application against the categories of weakness that are most likely to turn into a real threat.
So what I am saying is this: because it is an application, there can be no assumptions about its security posture. One has to assess the application itself to be sure it is not compromisable. Applications depend on the infrastructure only to process their data; how they process it is determined entirely by the business or application logic embedded in them, and that logic is where the attacker looks.
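To make the point concrete, here is an added example (not code from the original post) of exactly this gap: a login function that runs on a fully patched host, is reached only over the one port the firewall must leave open, and is still compromisable purely through its own logic, shown beside the hardened version. It uses Python's standard-library sqlite3 with a constructed in-memory user table; the table, the user "alice" and her password are invented for the illustration, and the unsalted SHA-256 is a stand-in for a real password hash so the example stays short.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Unsalted SHA-256 is a stand-in to keep the example short; a real
    # application would use a slow, salted password hash (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse"))
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login as the application logic might be written: user input pasted into SQL.

    The request arrives over the same open port as every legitimate login, so
    no firewall or host patch level distinguishes it; only the logic is at fault.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + _hash(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with a parameterised query: input can never become SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(query, (username, _hash(password))).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # A username that closes the quoted string, adds an always-true clause and
    # comments out the password check: "' OR 1=1 --"
    payload = "' OR 1=1 --"
    print("vulnerable, real creds   :", vulnerable_login(db, "alice", "correct horse"))
    print("vulnerable, injected user:", vulnerable_login(db, payload, "anything"))
    print("hardened,   real creds   :", hardened_login(db, "alice", "correct horse"))
    print("hardened,   injected user:", hardened_login(db, payload, "anything"))
```

The injected username turns the vulnerable query into `... WHERE username = '' OR 1=1 --' AND pw_hash = '...'`, which matches every row regardless of password. Nothing about the host, the network or the open port has changed between the two functions; the only difference is the application logic, which is the point the post is making.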