This expectation is perfectly reasonable…and completely off-base. Keep reading for a primer on the OSI model, what it means for security, and why you absolutely cannot neglect your application layer security (layer 7).
The seven layers, explained
There are comprehensive guides to the OSI model available, but for the sake of highlighting the importance of securing each layer – especially the application layer – the following is a brief guide to what each of the seven layers encompasses.
Layer 1: Physical
The physical layer covers the physical and electrical aspects of how the devices in a network are connected in order to send and receive information. This can include Cat 5 cables, copper wires, fiber optic cables and so on. The physical layer primarily deals with raw data, but this is also the layer at which the encoding of bits onto the transmission medium occurs. A physical layer problem – such as a cable being unplugged – has the potential to impact all seven layers of the model, perhaps even rendering the network unusable.
Layer 2: Data Link
The data link layer provides links between directly connected nodes in order to provide node-to-node transfer. This is where a network’s switches operate, receiving data, then processing and forwarding it to the connected destination device. When the data link layer malfunctions, it often impedes the network layer (layer 3).
Layer 3: Network
The network layer deals with routers and with the IP protocol (the network-layer half of TCP/IP). It is responsible for transferring datagrams from a source to a destination host through one or more networks. Unlike the frames transferred at the data link layer, the datagrams transferred at the network layer can cross local network boundaries. Vulnerabilities in the network layer that allow for actions such as IP address spoofing can have major implications for application security.
Layer 4: Transport
The transport layer is responsible for the complete, end-to-end delivery of the data being sent to the destination host. So while the network layer gets data on its way, the transport layer is actually responsible for making sure it gets where it's going correctly. Using TCP or UDP, the transport layer determines matters such as the size of the segments being sent and (for TCP) how long the source should wait for an acknowledgement that the data was received.
Layer 5: Session
The session layer is responsible for controlling the connections (sessions) between computers. This includes opening the connection, managing it and then closing it when necessary, along with checkpoint, adjournment, termination and restart procedures. Weak authentication methods, as well as vulnerability to brute force attacks, can cause major issues for the session layer (and, as a result, for the other connected layers).
Layer 6: Presentation
The presentation layer essentially serves as the data translator for the network, formatting and delivering information to the application layer (layer 7) so it can be displayed to the end user. It is also responsible for the opposite function, organizing data passed down from the application layer so it can be handled by the network. Because of its proximity to, and direct interaction with, the application layer, the presentation layer has to have excellent security when it comes to handling malicious input.
Layer 7: Application
The application layer is essentially the application itself – the user interface and other key functions. It interacts with both the end user and the rest of the OSI stack to send information back and forth. The fact that it is the layer the end user interacts with directly is what makes application layer security so essential.
The inherent threat of the application layer
The application layer is basically the gateway to the entire OSI model, in other words to the entire network. This layer provides legitimate users with the ability to interact with the network. However, it also provides would-be hackers with the same ability. Unlike hacking attempts that delve deeper into the OSI model and require more advanced privileges, attackers with low privileges are able to attempt to exploit application layer vulnerabilities. These can include cross-site scripting, SQL injection and the other OWASP Top 10 vulnerabilities.
The security you need
From ensuring your cables don’t get cut or unplugged in the physical layer to protecting against SQL injection on the application layer, every layer of the OSI model needs its own attention to security. And because of that interaction with users, the application layer requires a much bigger emphasis on security than it has traditionally received.
A web-application firewall goes a good way towards securing your application layer when your application is fully developed and in use. Pen testing and dynamic application security testing are also effective tools for your application once it has been built. But in order to have the most effective security for your application, you need to be able to test for vulnerabilities, dead code and other issues while that application is being developed. That’s where static code analysis comes in.
As security organization Checkmarx points out, for effective application layer security, static code analysis is a security solution that can be seamlessly integrated into the developer environment. It makes application layer security a component of the daily development schedule, allowing developers to receive nearly real-time scan results and fix vulnerabilities (as well as coding problems and other issues) as the application is being developed. Not only does this help create a secure software development life cycle, but it also saves untold time and effort by identifying problems as they appear instead of after a build is complete.
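To make the SQL injection mentioned under the inherent threat of the application layer and the static code analysis described here concrete, the following is an added example, not code from the article or from Checkmarx: a vulnerable query beside its parameterized form, plus a toy AST-based check, `flag_sql_concat`, that flags SQL assembled at runtime the way a static analyser rule would. The `users` table, the function names and the probe input are constructed for the example.

```python
import ast
import inspect
import sqlite3

def make_db():
    # Constructed in-memory sample table; not data from the article.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def find_user_unsafe(db, username):
    # Vulnerable form: untrusted input is spliced into the SQL text itself.
    return db.execute(
        f"SELECT name, role FROM users WHERE name = '{username}'").fetchall()

def find_user_safe(db, username):
    # Hardened form: a bound parameter is always data, never SQL syntax.
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (username,)).fetchall()

def flag_sql_concat(source):
    """Line numbers where .execute() is handed SQL assembled at runtime
    (f-string, + or % operator, str.format()); a toy stand-in for a SAST rule."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        sql = node.args[0]
        if (isinstance(sql, ast.JoinedStr)
                or (isinstance(sql, ast.BinOp)
                    and isinstance(sql.op, (ast.Add, ast.Mod)))
                or (isinstance(sql, ast.Call)
                    and isinstance(sql.func, ast.Attribute)
                    and sql.func.attr == "format")):
            hits.append(node.lineno)
    return hits

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input; shows why binding matters
    print("unsafe:", find_user_unsafe(db, probe))  # every row comes back
    print("safe:  ", find_user_safe(db, probe))    # []
    for fn in (find_user_unsafe, find_user_safe):
        print(fn.__name__, "flagged lines:", flag_sql_concat(inspect.getsource(fn)))
```

A real static analyser tracks the SQL string through assignments and across functions; this check only looks at the argument passed directly to `execute()`, which is why the example keeps the query inline.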
Finding out that you need security for every individual layer of the OSI model doesn’t quite qualify as good news right off the bat. However, that attention to the full spectrum of security requirements will certainly help prevent bad news. Just imagine the disappointment and devastation you would feel if you expected that your network was protected by catch-all security solutions only to find out your organization has suffered a critical data breach.