
Waratek's virtualization-based Application Security Platform deployed full application stack protection and updated legacy Java applications for improved security.

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Background

A global financial institution evaluated how Waratek's virtualization-based Application Security Platform instantly and seamlessly modernizes, hardens, and protects mission-critical web applications.

Two separate Java applications hosted on different versions of Java Virtual Machines were selected as the candidate applications for evaluation.

Under the test plan, Waratek was required to protect the full application stack, including third-party components, as well as remediate legacy, current and new application security vulnerabilities. Waratek was also evaluated on other client criteria such as False Positive Rate (FPR), ease of installation, number of code changes required, compatibility and performance.

“IMPLEMENTING WARATEK WILL GIVE US A THREE-YEAR BREATHING SPACE TO CATCH UP ON APPLICATION DEVELOPMENT.”


Test Results

For both applications, Waratek achieved the following results:

  • Simple, fast deployment in less than 30 minutes
  • All security tests: Passed
  • Active security controls: Protected against future threats (0-day) in all layers of application stack
  • Legacy applications: Transparently updated to Java 8 without code changes
  • Internal performance result: Passed
  • All functional tests: Passed
  • False Positive Rate: 0
  • Code Changes Required: 0

Full Application Stack Protection

Prior to the evaluation, Waratek did not have any visibility into known vulnerabilities in the two applications to be tested or if any known vulnerabilities were repeatedly exploitable.

To effectively demonstrate the capabilities of the technology, Waratek, with the support of the client, introduced deliberate vulnerabilities corresponding to the following items on the SANS list of Most Dangerous Software Errors:

Vulnerability                        CWE       SANS Ranking
Command Injection                    CWE-78    2
Cross Site Scripting (XSS)           CWE-79    4
Unrestricted Uploads                 CWE-434   9
Path Traversal                       CWE-22    13
Use of Broken Crypto                 CWE-327   19
Open Redirect                        CWE-601   22
Deserialization of Untrusted Data    CWE-502

In each case, Waratek successfully intercepted and prevented attempts to exploit the test vulnerabilities.


Legacy Java Remediation

The test applications run on significantly out-of-date Java 7 platforms dating back to 2013. There are currently hundreds of known critical vulnerabilities present in this version of Java. In April 2015, Oracle ended public support for the Java 7 platform.
Because Waratek did not have any visibility into known vulnerabilities in the two applications to be tested prior to the onsite trial, Waratek conducted a Nessus vulnerability scan against a similar system, which revealed:

  • A total of 17 Nessus vulnerabilities, 13 of them ranked as critical
  • 387 distinct CVEs were identified
  • ALL CVEs had a CVSS score of 9.3 or 10

In both application instances, the Waratek agent (a JAR file) was downloaded and easily installed. Upon restart, a virtual container encapsulated the full application stack, providing instant modernization of the Java 7 JRE to a Java 8 JRE – resulting in immediate protection against vulnerabilities in the significantly out-of-date and insecure Java platforms.
In addition, the default security policy significantly minimized exposure relating to vulnerabilities in third-party libraries, meeting the Company's test criteria.

Conclusion

Waratek’s unique approach to application security resulted in the remediation of years of vulnerabilities and the updating of an out-of-date Java JRE without changing a single line of code.
In normal operating mode, performance improved by nearly 7%; while under attack, overhead increased by less than 2.5%.
The application owners can expect to see an elimination of false positives. The company will also gain operational efficiencies from being able to live patch without shutting down the application – reducing patch times, costs and the risks associated with delays in patching.

Benefits

Waratek demonstrated five principal benefits during the evaluation of the test applications:

  1. Instant Application Modernization
    The test applications were transformed into Java 8 applications by virtualizing the legacy Java 7 JRE inside a Java Runtime Container on top of an up-to-date Java 8 JVM. Security policy was then applied to minimise the attack surface of the applications. At the conclusion of the test, the client remarked: “Implementing Waratek will give us a three-year breathing space to catch up on application development.”
  2. Live, Virtual Patching
    Security policies and binary-equivalent virtual patches can be updated and applied without disrupting or restarting the application and without manual intervention. This allows for instant patching, which frees valuable staff and financial resources to be applied to higher-value activities. The Company estimates it will realize approximately $2.5M USD in savings from virtual patching, legacy application remediation and risk reduction.
  3. Continuous Protection
    Waratek's security controls provide continuous monitoring and protection for the 2013 OWASP Top Ten as well as other common vulnerabilities like those found in third-party software components – Apache Struts 1, Apache Struts 2 and Apache Commons, for example.
  4. Automatic Security Hardening
    Waratek's built-in application hardening features, such as Default Impact Reduction Rules, Name-Space Layout Randomization (NSLR) and others, reduce or eliminate the CVE severity scores of known and unknown vulnerabilities that may be present anywhere in an application stack.
  5. Full Forensic Data
    Waratek provides real-time attack alerts to security teams and comprehensive data that guides development teams to vulnerable sections of code. The data is accessed via a customer's SIEM or the Waratek Management Console. Our security logs are generated in an easily parseable delimited text format and include stack traces corresponding to any security event we intercept.