By Garrett Enochs
The last words you want to hear following the latest application deployment, which hosts the company’s most important intellectual property. The Security Analyst storms in the room and shouts, ‘Our Database is showing!’ A slightly skipped heartbeat, a gasp for air, we have all been there before. Maybe it happened once; maybe several times, but we can all relate. These are not the moments we live for, and some would say all effort being put forth is to prevent this scenario from ever occurring. There are many moving pieces to an application, and plenty of tools out there to keep each one of those moving pieces protected.
Most companies check the box for adding the typical perimeter security tools. Some of the most important include: Wireless Application Firewall (WAF), routine security assessments, Endpoint Detection and Protection Agents on every server, SIEM tools to monitor all logging of incoming and outgoing traffic to and from the applications over the wire, and many more. You can add a few more pieces to the defense in depth strategy by tacking on Software Composition Analysis (SCA), where code is scanned before moving to production, DAST/SAST/IAST scanners to find vulnerabilities and patching systems to remediate said vulnerabilities. There is another layer, often missed, sitting directly on the application, that runs as part of the application, existing only in the runtime. This occurs amidst the application’s binary execution, adding negligible overhead and bandwidth. This is related to a Runtime Application Self-Protection, or RASP, and this is where Waratek fills in the gap often missed by Security Professionals.
Waratek adds that additional layer to protect the most critical applications and data. The main focus of an attacker is to find their way into the application and ultimately into the database to harvest as much data as possible. They can do this using a variety of means However, today we will be looking at some of the most common and most frequently used attacks, and how Waratek’s Runtime Code Protection patented technology can protect against them.
Let’s Look at an Example…
For this scenario, we have a few instances running JAVA 7. There is also a SQL Database attached to this application storing user details including PII, SSN#, Credit Card numbers, billing address, and more. The Application Security team in charge of maintenance have done everything possible to protect their application. Scanning prior to deployment with an SCA tool, running a DAST scan to ensure all possible vulnerabilities are patched, configure the WAF with certain rules and policies, and configure logging to the SIEM with custom alerts. Unfortunately, despite all of this effort, a vulnerability has slipped through the cracks. Now that the application is up and running, customers and users alike are going about their business, logging in, adding information, checking point balances.
But someone else had a different plan that day. An attacker delivered a payload in the form of a SQLi attack (a SQL Injection attack) against the database. Despite all the layers of defense in play here, the attacker found a bypass for the WAF. Meanwhile, the SIEM tool was overloaded with alerts causing several misses, and bad code was pushed to production. Once the attack was discovered, the team implemented the Waratek agent to this application, enabling the appropriate ruleset to defend against SQL injection attacks. Once the agent came online, the rules were applied, and the attacks were blocked.
Waratek Can Help
Top tier companies are only as secure as their weakest link. And at the end of the day, the application standing in front of the database, critical PII, and the reputation of the company become the main target for attackers. People make mistakes, and attackers take advantage of humans’ inherent flaws. This fuels the fire for adding additional layers to the defense of the application in the form of a wrapper-like tool that monitors the traffic as it travels through the application, and if at any point during the transaction, the untrusted data becomes exploitable, Waratek will remove the exploitable code in memory, effectively recompiling the correct code during execution.
Who is involved in keeping applications and the databases protected? Typically it depends on the size of the organization. But can range from one individual, to a team of developers, engineers and analysts. This tool can be administered by a small team — even one individual — as SaaS portal allows for the ability to scale.
Waratek frees up the development team as well as the security team by allowing time for the developers to fix their underlying code vulnerabilities, and enabling the security team to remediate those vulnerabilities with one-hundred percent accuracy and negligible false positives, and under five percent overhead to performance. This technology can be applied through Declarative and Imperative policy rules allowing for an immutable approach that can supersede future code changes as well as zero-days.
Sound exciting? Need application security for JAVA based applications running a JVM? Contact someone at Waratek here where we set up a Proof of Value — all that’s required is the internet, an agent, and an application. We look forward to working with you.