Companies innovate through applications to reach new customers and markets with greater speed. This blog discusses what applications were, how applications have evolved, and why Application Security Posture Management (ASPM) is a must-have for organizations that run modern apps in the cloud.
What was an Application?
Before we get into modern applications, let’s take a step back to consider what applications used to be. In the web 1.0 era, applications were monolithic, with three basic tiers (web, app, and a single database). It was relatively easy to define an application, its subcomponents, and map out its architecture. Monolithic applications were common 20 years ago (although many still exist today). There are some advantages to monolithic architectures. For instance, monolithic applications are less complex to develop and have more straightforward deployment.
Here’s a simple example of a monolithic application architecture:
Monolithic applications grow over time and become more difficult to manage. And while deployment is more straightforward, it’s necessary to redeploy the entire application to incorporate any change.
So, What is an Application?
It depends on who’s asking. Let’s consider a few perspectives through which teams and practitioners define applications.
The Infrastructure Definition
Long story short? It’s a bunch of servers.
This perspective focuses on the servers and networks the application components run on. For example, which EC2 instances, VPC networks, and cloud services are being used? In addition, how do these components talk to each other over the network, and which protocols and ports do they use?
The VM or Container Definition
Similar to the infrastructure definition, it’s just a bunch of virtual servers.
Another way to define an application is to aggregate all the VMs or containers that relate to a specific application in a specific environment. VMs or containers are basically logical wrappers around workloads that include all system and application run-time dependencies like libraries, processes, config, and binaries.
The Software Definition
Applications can be divided into two main categories — commercial off-the-shelf (COTS) and custom. COTS are generic applications (e.g. Salesforce, SAP, Oracle apps) that allow users to perform standard tasks. Custom applications, on the other hand, are tailor-made for users or customers to perform highly specific tasks related to a specific business or market need.
Modern Apps and Microservices
Today’s applications are different – broken down and distributed across multi-cloud, containerized, and serverless technologies. Applications made up of smaller, independent services that each perform one specific function and work together have what’s called a microservice architecture. A key difference between monolithic and microservice architectures is that each microservice has its own set of APIs, its own database, and can operate independently at scale.
Because a microservice is independent, it can be updated and deployed across multiple cloud regions, availability zones, and even reused across many applications. However, more microservices mean more things to manage, more fragmentation, and more single points of failure. Microservices can be internal, external, and exposed via APIs, all of which become part of the application definition.
Basically, anything the code references in order to run and execute successfully is a dependency, and therefore part of the application definition. Applications are not about infrastructure or networks; they are about business logic and enabling users or customers to perform a task.
Here’s a visualization of what a microservice architecture looks like:
Even with some chaos, there are advantages to microservice architectures.
- Focused. Each microservice should have only one function. This can help teams “divide and conquer” by focusing on a specific service instead of an entire application.
- Flexible. Each microservice has a boundary, so developers can use different programming languages, technology, and infrastructure to suit their needs and preferences.
- Scalable. Because microservices are developed, deployed, and managed independently, it’s possible to add a microservice to an application without having to redeploy the entire application.
- Resilient. The ability to deploy a microservice independently also works in reverse. If there is an issue within a microservice that causes an application to fail, the microservice can easily be rolled back to avoid costly downtime.
Microservices + CI/CD = F***in’ Chaos!
Organizations that use microservice architectures tend to operate with agility through DevOps and continuous integration/continuous delivery (CI/CD). With teams developing and deploying updates to microservices through CI/CD, modern applications change frequently. According to Google’s 2021 State of DevOps Report, out of 32,000 survey participants, 26% deploy code multiple times per day, with an additional 40% deploying daily or weekly.
From a developer and customer perspective, more updates often mean more value. But from a security and business perspective, more updates mean more risk. The code changes, service dependencies shift, and application architecture has the potential to drift with each update. These are the risks that accompany the benefits of quicker and continuous development and integration.
An application in 2022 embraces the distributed, scalable, resilient nature of microservice architectures and thrives in a fast-moving DevOps environment. An application in 2022 is defined by each microservice, dependency, and data flow that exists at a specific point in time. An application in 2022 changes constantly.
Why Modern Cloud Apps Need ASPM
Organizations must understand how each CI/CD pipeline and change affects their business and application security posture. With distributed teams using different technologies, cloud service providers, and programming languages, it’s difficult to keep track of the changes to each microservice, function, dependency, and data flow, let alone understand how those changes create risk to the business.
ASPM provides complete application architecture discovery with detailed mapping and complete visibility into all services, functions, APIs, libraries, data flows, and third-party dependencies.
ASPM is the only way to get an accurate system of record of applications in production. By gaining control over the distributed chaos of modern applications, organizations can baseline their application security posture and then find, measure, and report on the changes that create real risk as they emerge, in real time.
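To make the baselining idea concrete, here is an added example (not code from the original post or from any ASPM product) that diffs two constructed point-in-time snapshots of an application, each listing its microservices, their exposure, third-party dependencies, and outbound data flows, and rates each change by how it shifts the security posture. The service names, dependency versions, and the KNOWN_STORES boundary set are all invented for the example.

```python
"""Drift detection between two point-in-time application snapshots.

Added example, not from the original post. Each snapshot is a constructed
inventory: service -> exposure, third-party dependencies, outbound data flows.
"""
from collections import namedtuple
from typing import Dict, List

Finding = namedtuple("Finding", "severity kind detail")  # severity: high/medium/low

# Constructed data: the baseline and the snapshot taken after one CI/CD deploy.
BASELINE = {
    "orders-api": {"exposure": "external", "deps": {"flask==2.0.3"},
                   "flows": {"payments", "orders-db"}},
    "payments": {"exposure": "internal", "deps": {"stripe==2.60"},
                 "flows": {"api.stripe.com"}},
}
CURRENT = {
    "orders-api": {"exposure": "external", "deps": {"flask==2.0.3", "requests==2.27"},
                   "flows": {"payments", "orders-db", "analytics"}},
    "payments": {"exposure": "external", "deps": {"stripe==2.60"},
                 "flows": {"api.stripe.com"}},
    "analytics": {"exposure": "internal", "deps": {"pandas==1.4"},
                  "flows": {"orders-db", "metrics.example.com"}},
}
KNOWN_STORES = {"orders-db"}  # in-boundary data stores that are not services
EMPTY = {"exposure": "none", "deps": set(), "flows": set()}


def diff_posture(baseline: Dict, current: Dict) -> List[Finding]:
    """Report what changed between two snapshots, rated by posture impact."""
    findings = []
    for name in sorted(set(baseline) - set(current)):
        findings.append(Finding("low", "REMOVED_SERVICE", name))
    for name in sorted(current):
        old, new = baseline.get(name, EMPTY), current[name]
        if name not in baseline:
            sev = "high" if new["exposure"] == "external" else "medium"
            findings.append(Finding(sev, "NEW_SERVICE", name))
        elif old["exposure"] != "external" and new["exposure"] == "external":
            findings.append(Finding("high", "NEWLY_EXPOSED", name))
        for dep in sorted(new["deps"] - old["deps"]):
            findings.append(Finding("medium", "NEW_DEPENDENCY", f"{name}: {dep}"))
        for dst in sorted(new["flows"] - old["flows"]):
            # A flow to something outside the application boundary is data egress.
            inside = dst in current or dst in KNOWN_STORES
            findings.append(Finding("low" if inside else "high", "NEW_DATA_FLOW", f"{name} -> {dst}"))
    return findings


def high_risk(findings: List[Finding]) -> List[Finding]:
    """The subset of findings a security team would want to see first."""
    return [f for f in findings if f.severity == "high"]
```

Running `diff_posture(BASELINE, CURRENT)` surfaces the two high-risk changes in this constructed deploy: a new egress flow from `analytics` and the `payments` service becoming externally exposed.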
To learn more about ASPM and its benefits to modern applications, check out this ebook, What is ASPM: Secure Cloud-Native Applications At Scale.