Case study

Global Financial Institution Improves Security and Operations Without Code Changes

The company

A global financial institution evaluated how Waratek’s virtualization-based Application Security Platform instantly and seamlessly modernizes, hardens, and protects mission-critical web applications.

Two separate Java applications, hosted on different versions of the Java Virtual Machine, were selected as the candidate applications for the evaluation.

Under the test plan, Waratek was required to protect the full application stack, including third-party components, and to remediate legacy, current and new application security vulnerabilities. Waratek was also evaluated against other client criteria such as False Positive Rate (FPR), ease of installation, number of code changes required, compatibility and performance.

The challenge

Prior to the evaluation, Waratek had no visibility into the known vulnerabilities in the two applications to be tested, or into whether any known vulnerabilities were repeatedly exploitable.

To effectively demonstrate the capabilities of the technology, Waratek, with the support of the client, introduced deliberate vulnerabilities corresponding to the following items on the SANS list of Most Dangerous Software Errors:

  Vulnerability                        CWE       SANS Ranking
  Command Injection                    CWE-78    2
  Cross Site Scripting (XSS)           CWE-79    4
  Unrestricted Uploads                 CWE-434   9
  Path Traversal                       CWE-22    13
  Use of Broken Crypto                 CWE-327   19
  Open Redirect                        CWE-601   22
  Deserialization of Untrusted Data    CWE-502   (not ranked)

The solution

The test applications ran on significantly out-of-date Java 7 platforms dating back to 2013. Hundreds of known critical vulnerabilities are present in this version of Java, and Oracle ended public support for the Java 7 platform in April 2015.
Because Waratek had no visibility into the known vulnerabilities in the two applications prior to the onsite trial, Waratek ran a Nessus vulnerability scan against a similar system, which revealed:

  • A total of 17 Nessus vulnerabilities, 13 of them ranked as critical
  • 387 distinct CVEs were identified
  • ALL CVEs had a CVSS score of 9.3 or 10

In both application instances, the Waratek agent (a .JAR file) was downloaded and easily installed. Upon restart, a virtual container encapsulated the full application stack, instantly modernizing the Java 7 JRE to a Java 8 JRE – resulting in immediate protection against vulnerabilities in the significantly out-of-date and insecure Java platforms.
In addition, the default security policy significantly minimized exposure to vulnerabilities in third-party libraries, meeting the Company’s test criteria.

Conclusion

Waratek’s unique approach to application security remediated years of accumulated vulnerabilities and updated an out-of-date Java JRE without changing a single line of code.
Performance in normal operating mode improved by nearly 7%, and overhead increased by less than 2.5% while under attack.
The application owners can expect to see an elimination of false positives. The company will also gain operational efficiencies from being able to live patch without shutting down the application – reducing patch times, costs and the risks associated with delays in patching.

The results

  • False positive reduction: 100%
  • Code changes required: 0
  • Production deployment time: 30 minutes
