The company
A large US-based company ($50 -$75B) recently evaluated how Waratek’s virtualization-based Application Security Platform can instantly and seamlessly modernize, harden, and protect a large, mission critical application used by thousands of customers. The target application was running on an “end-of-market” app server with an “out-of-support” Java Runtime Environment (JRE). The app server version was incompatible with the current Java 8 JRE, meaning an upgrade of the application would require a manual rewrite of the application and significantly increase the risk of breaking the application. No cost estimate for rewriting the application was shared with Waratek, but similar projects at other companies have been estimated to take 12-24 months and require millions of dollars to complete. A significant backlog of critical patch updates was discovered in a preliminary security and compliance assessment, indicating the Company had difficulty keeping pace with the volume of vulnerabilities discovered in third-party software components and the increasing cadence of patch updates. Further, Qualys/Nessus scans revealed:
- Up to 24 Qualys vulnerabilities recorded against the out-of-support JRE
- More than 300 MITRE CVE vulnerabilities recorded against the out-of-support JRE • An unknown number of CVEs related to imported app server JAR files Under the test parameters, Waratek was required to instantly remediate Severe, High and Medium Java vulnerabilities in the out-of-support JRE without source code changes; upgrade the out-of support JRE to Java 8 JRE without source code changes; generate minimal performance overhead.
The challenge
A large US-based company ($50 -$75B) recently evaluated how Waratek’s virtualization-based Application Security Platform can instantly and seamlessly modernize, harden, and protect a large, mission critical application used by thousands of customers. The target application was running on an “end-of-market” app server with an “out-of-support” Java Runtime Environment (JRE). The app server version was incompatible with the current Java 8 JRE, meaning an upgrade of the application would require a manual rewrite of the application and significantly increase the risk of breaking the application. No cost estimate for rewriting the application was shared with Waratek, but similar projects at other companies have been estimated to take 12-24 months and require millions of dollars to complete. A significant backlog of critical patch updates was discovered in a preliminary security and compliance assessment, indicating the Company had difficulty keeping pace with the volume of vulnerabilities discovered in third-party software components and the increasing cadence of patch updates. Further, Qualys/Nessus scans revealed:
- Up to 24 Qualys vulnerabilities recorded against the out-of-support JRE
- More than 300 MITRE CVE vulnerabilities recorded against the out-of-support JRE • An unknown number of CVEs related to imported app server JAR files Under the test parameters, Waratek was required to instantly remediate Severe, High and Medium Java vulnerabilities in the out-of-support JRE without source code changes; upgrade the out-of support JRE to Java 8 JRE without source code changes; generate minimal performance overhead.
The solution
After completing the preliminary security and compliance assessment of the application, the Waratek agent (a .JAR file) was downloaded and installed. Upon restart, a virtual container encapsulated the full application stack, providing instant modernization of the out-of-support JRE to a Java 8 JRE and instant protection from the Java-related vulnerabilities identified in the pre-scan.
Performance overhead was measured against a baseline without Waratek’s solution and reflected normal operation and operation under malicious attack. While under attack the performance, overhead increased by 2.4%.
However, under normal operating conditions, Waratek improved app performance by as much as 9% and improved the overall performance by 6.9% after lifting the out-of-support JRE to a more efficient Java 8 JRE.
Waratek remediated all the Severe, High and Medium CVEs identified in the pre-test assessment as required.
Results from Qualys Scan of the Host JRE | Before Waratek | After Waratek |
Total QID Vulnerabilities reported by Qualys (including kernel and OS packages) | 47 | 23 |
Total JVM Vulnerabilities by QID | 24 | 0 |
Total JVM Vulnerabilities by CVE | 337 | 0 |
Critical priority by QID (Severity 5) | 2 | 0 |
High priority by QID (Severity 4) | 4 | 0 |
Medium Priority by QID (Severity 2-3) | 7 | 0 |
- Post installation Qualys scan of the Host JRE did not reflect vulnerabilities in the Guest JRE. Waratek can virtually patch Guest JRE vulnerabilities, but that was outside the test parameters. Guest JRE virtual patches may require additional development time depending on system configuration and number of unapplied CPUs.
- Vulnerabilities remaining after Waratek deployment were non-Java CVEs outside the scope of the test.
- Some CVEs contained multiple vulnerabilities.
The results
- Months saved rewriting application
- 24
- CVEs resolved instantly with Security-as-Code immutability
- 300
- Performance increase after virtual upgrade
- 9%