Breaking Down the Walls Between Application and Infrastructure Security

Application and infrastructure security often reside in separate teams with different skill sets, leading to gaps. Unify responsibilities under common leadership, include both in penetration tests, incorporate application logs into SIEM, and build both disciplines into incident response plans.

I wrote earlier about the need to expand the focus of information security programs beyond infrastructure to incorporate application security components. It’s difficult to bridge these disciplines in part because the people responsible for applications and infrastructure often reside in different groups. Also, the security skills related to developing and maintaining applications differ from those related to systems and networks.

Here are my recommendations for breaking down the walls between application and infrastructure security:

Unify application and infrastructure security responsibilities under the leadership. If this is impractical in your organization, at least look for informal ways for the two teams to collaborate.
Include application and infrastructure components in your penetration testing projects. Attackers will probably look for both types of weaknesses when looking to penetrate your defenses; mimic this behavior when conducting your security assessments.
Include application logs as part of your log management or SIEM efforts. Incorporate security alerting and logging specs into your application development requirements to support this.
Understand the role that your critical applications play in supporting business objectives. This may involve learning more about your organization’s business and will involve reaching out to non-techie business owners.
Incorporate both application and infrastructure-related steps into your incident response plan. Too often, organizations focus on only one of these disciplines when preparing to deal with security incidents.
Understand which application and infrastructure components affect the sensitive data that flows through your organization. This knowledge will help you understand security dependencies, so you know where to focus protective efforts.

Without somehow bringing infrastructure and application security disciplines together, you will probably spend more money on security than necessary or will focus your funding on the wrong risks.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →