Building up security

The need for Layer 8: Why the OSI model isn’t enough for application security

John Adams

The OSI (Open Systems Interconnection) networking model separates communication into seven layers: physical, data link, network, transport, session, presentation, and application. Does the OSI model need a revision? Security professionals discuss the possibility of adding more layers onto the OSI model for better protection and defense against security threats.

For the modern business, application security is an essential concern. Every company uses a variety of web, software, and mobile applications in order to serve customers and execute internal functions.

Unfortunately, far too many of these applications are subject to critical vulnerabilities as a result of insecure coding practices, flaws in third-party libraries, and changes in the cybersecurity threat landscape.

Current solutions for keeping applications secure have been developed by the network engineering community, not the application engineering community itself. In fact, far too many companies have little or no application security at all—deciding to protect their network perimeter instead. But what happens when this perimeter is breached?

The evolution of application security solutions has largely been tied to the different layers of the OSI networking model. However, while it’s a valuable framework for understanding networking architecture, the OSI model leaves something to be desired when it comes to application security.

We want to rethink this relationship. In this article, we’ll put forth the argument that the OSI model needs to be revised in order to better reflect the realities of application security as the field stands today.

The OSI networking model

The OSI (Open Systems Interconnection) networking model describes how applications exchange information over a network by separating these communications into seven different “layers.” According to the OSI model, the seven layers of networking are:

  1. Physical layer: This layer deals with the transmission of electrical signals across different physical devices.
  2. Data link layer: This layer handles the encoding, decoding, and logical organization of bits into data packets.
  3. Network layer: This layer moves data throughout the network by selecting the appropriate route and forwarding the data.
  4. Transport layer: This layer defines the protocols and port numbers that hosts on the network use to communicate.
  5. Session layer: This layer manages the connection between different systems (known as a session).
  6. Presentation layer: This layer translates data between the application and the network, performing functions such as encryption, compression, and string conversion.
  7. Application layer: This layer specifies how users interact with the data on the network through the form of interfaces and protocols.

The standard OSI networking model ends at Layer 7, the application layer. When the network packet leaves Layer 7 and enters the application, the source code of the application takes over.


Various network security professionals have suggested adding a Layer 8, 9, or even 10 on top of the existing OSI model. These terms are often used to emphasize the importance of a strong “security culture” at the level of the individual or the organization, as well as the need for compliance with all applicable laws and regulations.

However, none of these proposals have been formally adopted as part of the OSI model. As a result of this level cap, the network engineering community has no more room to innovate when it comes to application security.

The need for Level 8 RASP tools

If network engineers fail to address application security in the OSI model, then application security professionals need to step up to the plate. It’s time for the application engineering community to innovate the next generation of AppSec solutions.

To protect your enterprise applications, security must be built into every potential access point—including the application itself. A growing number of security engineers are working on runtime application self-protection (RASP) for enterprise software, but early projects soured many to RASP as results in the early days showed a significant decrease in overall app performance.

RASP is a technology with a funny name but a concept that makes intuitive sense. The purpose of a RASP solution is to run alongside the execution of an application, detecting potential vulnerabilities and attacks in real time.


By offering this real-time protection, RASP is capable of defending against threats to the entire application stack: business logic, open-source libraries, third-party frameworks, and even the operating system itself. Traditional application security, like the web application firewall, can detect real-time attacks, but blocking them is where it gets tricky. When signatures and pattern matching are the method of protection, there is a trade-off between the risk of blocking legitimate traffic and the burden of having to manage a flood of erroneous alerts.
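The two preceding paragraphs describe RASP as a check that runs inside the application and contrast it with signature matching at the perimeter. The following added example (not code from the article or from Waratek) makes that difference concrete: a perimeter-style signature check sees only the raw request value and must guess from patterns, while a hook placed at the database sink can compare the structure of the query the application is about to run with the structure it would have had with a harmless value. The tokenizer, the signature pattern and the sample query template are all constructed for illustration.

```python
import re

# Token classes for a tiny SQL lexer (constructed for this example):
# quoted literal (with '' escapes), number, identifier/keyword, punctuation.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def structure(sql):
    """Token kinds of a statement; every literal value collapses to 'V'.
    A parameter that stayed in its data role occupies exactly one V slot."""
    return ["V" if t[0] == "'" or t.isdigit() else t.upper()
            for t in TOKEN.findall(sql)]

def waf_signature_hit(value):
    """Perimeter-style check: only the raw parameter is visible, so the
    decision rests on patterns that also occur in ordinary text."""
    return re.search(r"(?i)\bor\b\s+\S+\s*=|union\s+select|--", value) is not None

def rasp_blocks(template, value):
    """In-app check at the query sink: render the template with a neutral
    value and with the real one; if the token structure differs, the input
    escaped its data role (or broke the statement) and the call is blocked."""
    baseline = structure(template.format(v="x"))
    actual = structure(template.format(v=value))
    return baseline != actual

# Constructed sample: an application that (incorrectly) builds SQL by string
# formatting. Parameterised queries remain the real fix; the runtime hook is
# the last line of defense for the call a developer forgot to parameterise.
QUERY = "SELECT id FROM comments WHERE body = '{v}' AND author_id = 7"

def classify(value):
    """Return (perimeter signature fired, runtime hook blocks) for one value."""
    return waf_signature_hit(value), rasp_blocks(QUERY, value)

if __name__ == "__main__":
    for v in ["great post",
              "one way or another = fine",  # benign text; signature false positive
              "' OR '1'='1",               # changes the query's token structure
              "it's"]:                     # unescaped quote: hook blocks the broken query
        print(repr(v), classify(v))
```

The second sample shows the alert-flood side of the trade-off (the signature fires on ordinary prose that the hook lets through); the last shows that the hook also stops a malformed statement caused by a missing escape, which is a bug to fix in the application rather than a reason to relax the hook.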

While there may not be a Level 8 in the OSI model yet, security engineers can and should move proactively to protect their enterprise applications—the last and most important line of defense between users and the cybersecurity threats that they face on a daily basis.


John Adams

John Adams is chief executive officer of Waratek. As CEO, John has complete responsibility for developing markets and operating all aspects of the organization’s global business. John has a rich history in security and medical technology with his experience spanning more than two decades. Prior to Waratek, John served as president & COO of SecurAmerica, leading the company’s expansion into nearly three-dozen new geographic markets and growing the company from 5 employees to over 5,000. In his career, John has also served as SVP N. America for London-based G4S (formerly Securicor) and held senior executive positions at US Surgical Corporation and Medline Industries. John holds an MBA in Healthcare Administration from Webster University and a BS in Business Administration/Accounting from Florida Southern College.
