The need for Layer 8: Why the OSI model isn’t enough for application security
The OSI (Open Systems Interconnection) networking model separates communication into seven layers: physical, data link, network, transport, session, presentation, and application. Does the OSI model need a revision? Security professionals discuss the possibility of adding more layers onto the OSI model for better protection and defense against security threats.
For the modern business, application security is an essential concern. Every company uses a variety of web, software, and mobile applications in order to serve customers and execute internal functions.
Unfortunately, far too many of these applications are subject to critical vulnerabilities as a result of insecure coding practices, flaws in third-party libraries, and changes in the cybersecurity threat landscape.
Current solutions for keeping applications secure have been developed by the network engineering community, not the application engineering community itself. In fact, far too many companies have little or no application security at all—deciding to protect their network perimeter instead. But what happens when this perimeter is breached?
The evolution of application security solutions has largely been tied to the different layers of the OSI networking model. However, while it’s a valuable framework for understanding networking architecture, the OSI model leaves something to be desired when it comes to application security.
We want to rethink this relationship. In this article, we’ll put forth the argument that the OSI model needs to be revised in order to better reflect the realities of application security as the field stands today.
The OSI networking model
The OSI (Open Systems Interconnection) networking model describes how applications exchange information over a network by separating these communications into seven different “layers.” According to the OSI model, the seven layers of networking are:
- Physical layer: This layer deals with the transmission of electrical signals across different physical devices.
- Data link layer: This layer handles the encoding, decoding, and logical organization of bits into data packets.
- Network layer: This layer moves data throughout the network by selecting the appropriate route and forwarding the data.
- Transport layer: This layer defines the protocols and port numbers that hosts on the network use to communicate.
- Session layer: This layer manages the connection between different systems (known as a session).
- Presentation layer: This layer translates data between the application and the network, performing functions such as encryption, compression, and string conversion.
- Application layer: This layer specifies how users interact with the data on the network through the form of interfaces and protocols.
The standard OSI networking model ends at Layer 7, the application layer. When the network packet leaves Layer 7 and enters the application, the source code of the application takes over.
Various network security professionals have suggested adding a Layer 8, 9, or even 10 on top of the existing OSI model. These terms are often used to emphasize the importance of a strong “security culture” at the level of the individual or the organization, as well as the need for compliance with all applicable laws and regulations.
However, none of these proposals have been formally adopted as part of the OSI model. As a result of this level cap, the network engineering community has no more room to innovate when it comes to application security.
The need for Level 8 RASP tools
If network engineers fail to address application security in the OSI model, then application security professionals need to step up to the plate. It’s time for the application engineering community to innovate the next generation of AppSec solutions.
To protect your enterprise applications, security must be built into every potential access point, including the application itself. A growing number of security engineers are working on runtime application self-protection (RASP) for enterprise software, but early projects soured many on RASP, because results in those days showed a significant decrease in overall application performance.
RASP is a technology with a funny name but a concept that makes intuitive sense. The purpose of a RASP solution is to run alongside the execution of an application, detecting potential vulnerabilities and attacks in real time.
By offering this real-time protection, RASP is capable of defending against threats to the entire application stack: business logic, open-source libraries, third-party frameworks, and even the operating system itself. Traditional application security, like the web application firewall, can detect real-time attacks, but blocking them is where it gets tricky. When signatures and pattern matching are the method of protection, there is a trade-off between the risk of blocking legitimate traffic and the burden of managing a flood of erroneous alerts.
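As an added illustration of that trade-off (example code written for this article, not a RASP product's implementation), the snippet below contrasts a perimeter-style signature rule, which sees only the raw request field, with an in-application check at the database call that asks whether the input changed the structure of the statement the developer wrote. The table, the query template and both sample inputs are constructed for the demo.

```python
import re
import sqlite3

# Tokenizer for a query's "shape": string literals and numbers collapse to
# placeholders, so two statements match when only their literal values differ.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def sql_shape(sql: str) -> tuple:
    """Return the structural token sequence of a SQL statement."""
    shape = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            shape.append("<str>")
        elif tok.isdigit():
            shape.append("<num>")
        else:
            shape.append(tok.upper())
    return tuple(shape)

# Perimeter-style (WAF) rule: a pattern over the raw request field, with no
# knowledge of how the application will use the value.
_SIGNATURE = re.compile(r"\bOR\b.*=", re.IGNORECASE)

def waf_blocks(user_input: str) -> bool:
    return bool(_SIGNATURE.search(user_input))

def build_query(term: str) -> str:
    """The application's own (deliberately unsafe) string concatenation."""
    return f"SELECT id, title FROM items WHERE title LIKE '%{term}%'"

# The shape the developer intended, recorded once from a harmless value.
EXPECTED_SHAPE = sql_shape(build_query("x"))

def rasp_blocks(sql: str) -> bool:
    """In-app check at the database call: the input is hostile only if it
    altered the statement's structure, whatever its literal content."""
    return sql_shape(sql) != EXPECTED_SHAPE

def search(conn: sqlite3.Connection, term: str) -> list:
    sql = build_query(term)
    if rasp_blocks(sql):
        raise PermissionError("RASP: input altered query structure")
    return conn.execute(sql).fetchall()

def demo() -> dict:
    """Constructed inputs: a benign title search that merely looks like SQL
    (a WAF false positive) and a tautology string that rewrites the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'OR gates and 1=1 in logic')")
    benign, hostile = "OR gates and 1=1", "' OR '1'='1"
    return {"waf_benign": waf_blocks(benign), "waf_hostile": waf_blocks(hostile),
            "rasp_benign": rasp_blocks(build_query(benign)),
            "rasp_hostile": rasp_blocks(build_query(hostile)),
            "rows": search(conn, benign)}
```

The signature rule rejects both inputs, so the legitimate search never reaches the database; the structural check lets it through and stops only the input that changed the query.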
While there may not be a Level 8 in the OSI model yet, security engineers can and should move proactively to protect their enterprise applications—the last and most important line of defense between users and the cybersecurity threats that they face on a daily basis.