// PILLAR 04 OF 07 — DoD ZERO TRUST ARCHITECTURE

⚙️ APPLICATION & WORKLOAD

Applications are where users meet data — making them a high-value target at every layer. Zero Trust demands application-level authorization, secure development practices, and continuous workload integrity verification.

// Core Requirements — What Must Be Implemented

// Operational Principle

Security cannot be an afterthought in software development. Network access to the server is not sufficient authorization. Every application must independently verify identity, context, and entitlement for every request — at runtime, every time.

// Hardware — Application Delivery

Hardware: F5 BIG-IP Application Delivery Controller (F5 Networks)
Hardware ADC providing SSL termination, WAF, and application-layer DDoS protection. Used in DoD data centers for mission-critical application delivery with ZT enforcement.

Hardware: Citrix ADC (NetScaler) Hardware Appliance (Citrix)
Application delivery hardware with integrated WAF, identity-aware proxy, and SSO capabilities for enterprise application ZT enforcement.

// Software, Platforms & Cloud Services

Software / Platform: Akamai App & API Protector (WAF/API GW) (Akamai)
Cloud WAF and API gateway providing OWASP Top 10 protection, bot management, and API security at the edge. DoD-authorized CDN and security provider.

Software / Platform: Kong Enterprise (API Gateway) (Kong)
Enterprise API gateway for authentication enforcement, rate limiting, and traffic management across microservice architectures and DoD API ecosystems.

Software / Platform: HashiCorp Vault (Secrets Management) (HashiCorp)
Industry-standard secrets management platform providing dynamic secrets, PKI management, and credential rotation. Used across DoD contractor environments to achieve zero standing credentials.

Software / Platform: Aqua Security (Container/Cloud-Native) (Aqua Security)
Container and cloud-native workload protection platform providing image scanning, runtime security, Kubernetes admission control, and supply chain security.

Software / Platform: Prisma Cloud by Palo Alto (CNAPP) (Palo Alto Networks)
Cloud-Native Application Protection Platform combining CSPM, CWPP, CIEM, and CI/CD pipeline security. Comprehensive application security from code to cloud.

Software / Platform: Veracode (SAST/DAST/SCA) (Veracode)
Application security testing platform integrated into CI/CD pipelines. SAST, DAST, and SCA scanning meeting DoD software assurance requirements.

Software / Platform: Snyk (Developer Security Platform) (Snyk)
Developer-first application security scanning for open-source vulnerabilities, container images, and IaC security. Integrates with GitHub, GitLab, and DoD DevSecOps platforms.

Software / Platform: Red Hat OpenShift (Secure Container Platform) (Red Hat)
Enterprise Kubernetes platform with built-in security controls, SELinux enforcement, and DoD STIG-compliant configuration profiles for secure container workloads.

// Standards, Frameworks & Compliance Alignment

WAF: Akamai / F5 BIG-IP
API Security: OAuth 2.0 / mTLS
Secrets: HashiCorp Vault
Containers: Aqua / Prisma Cloud
Standard: NIST SSDF / DoD DSO

DoD Compliance Note: All hardware and software solutions referenced on this page must be evaluated against the DISA Approved Products List (APL) or obtain an Authority to Operate (ATO) through RMF before deployment in DoD environments. FIPS 140-2 or 140-3 validated cryptographic modules are required for any solution handling classified or CUI data. Solutions referencing DoD environments have been noted where DISA APL listings exist as of this publication.

// ZTNSS Assessment for This Pillar

John’s Zero Trust Readiness Assessment evaluates your Application & Workload Pillar maturity against all applicable DoD ZT Target Level activities using a structured, evidence-based scoring methodology. The assessment identifies specific capability gaps, maps them to DoD activity numbers, and produces a sequenced remediation roadmap prioritized by risk exposure and operational impact.

John’s 24-year operational background at USSOCOM and SOCCENT means this assessment is grounded in environments where the adversaries are nation-state level, the stakes are operational, and compliance checkboxes are not a substitute for actual security.
