A large US-based company ($50-$75B) recently evaluated how Waratek’s virtualization-based Application Security Platform can instantly and seamlessly modernize, harden, and protect a large, mission-critical application used by thousands of customers. The target application was running on an “end-of-market” app server with an “out-of-support” Java Runtime Environment (JRE). The app server version was incompatible with the current Java 8 JRE, meaning an upgrade of the application would require a manual rewrite of the application and significantly increase the risk of breaking the application. No cost estimate for rewriting the application was shared with Waratek, but similar projects at other companies have been estimated to take 12-24 months and require millions of dollars to complete. A significant backlog of critical patch updates was discovered in a preliminary security and compliance assessment, indicating the Company had difficulty keeping pace with the volume of vulnerabilities discovered in third-party software components and the increasing cadence of patch updates. Further, Qualys/Nessus scans revealed:
- Up to 24 Qualys vulnerabilities recorded against the out-of-support JRE
- More than 300 MITRE CVE vulnerabilities recorded against the out-of-support JRE
- An unknown number of CVEs related to imported app server JAR files

Under the test parameters, Waratek was required to:
- instantly remediate Severe, High and Medium Java vulnerabilities in the out-of-support JRE without source code changes;
- upgrade the out-of-support JRE to a Java 8 JRE without source code changes;
- generate minimal performance overhead.
After completing the preliminary security and compliance assessment of the application, the Waratek agent (a .JAR file) was downloaded and installed. Upon restart, a virtual container encapsulated the full application stack, providing instant modernization of the out-of-support JRE to a Java 8 JRE and instant protection from the Java-related vulnerabilities identified in the pre-scan.
Performance overhead was measured against a baseline without Waratek’s solution, covering both normal operation and operation under malicious attack. While under attack, performance overhead increased by 2.4%.
However, under normal operating conditions, Waratek improved app performance by as much as 9% and improved the overall performance by 6.9% after lifting the out-of-support JRE to a more efficient Java 8 JRE.
Waratek remediated all the Severe, High and Medium CVEs identified in the pre-test assessment as required.
Results from Qualys Scan of the Host JRE (metrics reported):
- Total QID vulnerabilities reported by Qualys (including kernel and OS packages)
- Total JVM vulnerabilities by QID
- Total JVM vulnerabilities by CVE
- Critical priority by QID (Severity 5)
- High priority by QID (Severity 4)
- Medium priority by QID (Severity 2-3)
- The post-installation Qualys scan of the Host JRE did not reflect vulnerabilities in the Guest JRE. Waratek can virtually patch Guest JRE vulnerabilities, but that was outside the test parameters. Guest JRE virtual patches may require additional development time depending on system configuration and the number of unapplied Critical Patch Updates (CPUs).
- Vulnerabilities remaining after Waratek deployment were non-Java CVEs outside the scope of the test.
- Some CVEs contained multiple vulnerabilities.
The test results above demonstrate significant business benefits for the application owner:
- Instant Application Modernization: Waratek’s patented virtualization technology instantly modernized (upgraded) the entire application stack, including the legacy app server, to the latest compliant Java 8 JRE without any source code changes.
- Live, Virtual Patching: Security policies and binary-equivalent virtual patches can be updated and applied without disrupting or restarting the application and without manual intervention. This allows for instant patching, which frees valuable staff and financial resources to be applied to higher-value activities.
- Continuous Protection: Waratek’s security controls provide continuous monitoring and protection for the 2013 OWASP Top Ten as well as other common vulnerabilities like those found in third-party software components (Apache Struts 1, Apache Struts 2 and Apache Commons, for example). Proprietary technology also allows for highly effective defenses against attacks such as Deserialization and Command Injection.
- Automatic Security Hardening: Waratek’s built-in application hardening features, such as Default Impact Reduction Rules, Name-Space Layout Randomization (NSLR), and others, reduce or eliminate the CVE Severity Scores of known and unknown vulnerabilities that may be present anywhere in an application stack.
- Full Forensic Data: Waratek provides real-time attack alerts to security teams and comprehensive data that guides development teams to the vulnerable sections of code. The data is accessed via a customer’s SIEM or the Waratek Management Console. Our security logs are generated in an easily parseable delimited text format and include stack traces corresponding to any security event we intercept.
Waratek’s unique approach to application security resulted in the remediation of years of vulnerabilities and the updating of an out-of-date Java JRE without changing a single line of code. Performance in normal operating mode improved by nearly 7%, and overhead increased by less than 2.5% while under attack. The application owners can expect to see an elimination of false positives. The company will also gain operational efficiencies from being able to live patch without shutting down the application, reducing patch times, costs and the risks associated with delays in patching.