Case study

Global Financial Institution Improves Security and Operations Without Code Changes

The company

A global financial institution evaluated how Waratek’s virtualization based-Application Security Platform instantly and seamlessly modernizes, hardens, and protects mission critical web applications.

Two separate Java applications hosted on different versions of Java Virtual Machines were selected as the candidate applications for evaluation.

Under the test plan, Waratek was required to protect the full application stack, including 3rd party components as well as remediate legacy, current and new application security vulnerabilities. Waratek was also evaluated on other client criteria such as False Positive Rate (FPR), ease of installation, number of code changes required, compatibility and performance.

The challenge

Prior to the evaluation, Waratek did not have any visibility into known vulnerabilities in the two applications to be tested or if any known vulnerabilities were repeatedly exploitable.

To effectively demonstrate the capabilities of the technology, Waratek introduced deliberate vulnerabilities with the support of the client that corresponded to the following items on the SANS list of Most Dangerous Software Errors :

Vulnerability CWE SANS Ranking
Command Injection CWE-78 2
Cross Site Scripting (XSS) CWE-79 4
Unrestricted Uploads CWE-434 9
Path Traversal CWE-22 13
Use of Broken Crypto CWE-327 19
Open Redirect CWE-601 22
Deserialization of Untrusted Data CWE-502

The solution

The test applications run on significantly out of date Java 7 plat-forms dating back to 2013. There are currently hundreds of known critical vulnerabilities present in this version of Java. In April 2015, Oracle ended public support for the Java 7 platform.
Because Waratek did not have any visibility into known vulnerabilities in the two applications to be tested prior to the onsite trial, Waratek conducted a Nessus vulnerability scan against a similar system that revealed:

  • A total of 17 Nessus vulnerabilities, 13 of them ranked as critical
  • 387 distinct CVEs were identified
  • ALL CVEs had a CVSS score of 9.3 or 10

In both application instances, the Waratek agent (a .JAR file) was downloaded and easily installed. Upon restart, a virtual container encapsulated the full application stack, providing instant modernization of the Java 7 JRE to a Java 8 JRE – resulting in immediate protection against vulnerabilities in the significantly out of date and insecure Java platforms.
In addition, default security policy significantly minimized exposure relating to vulnerabilities in third-party libraries, meeting the Company’s test criteria.


Waratek’s unique approach to application security resulted in the remediation of years of vulnerabilities and the updating of an out-of-date Java JRE without changing a single line of code.
Performance overhead while in normal operating mode improved by nearly 7% and increased by less than 2.5% while under attack.
The application owners can expect to see an elimination of false positives. The company will also gain operational efficiencies from being able to live patch without shutting down the application – reducing patch times, costs and the risks associated with delays in patching.

The results

False positive reduction
Code changes required
Minute production deployment

Waratek's Security-as-Code platform not only found the cryptominer we had, but securely removed it within 48 hours, stopping us from having to rebuild our solution from scratch.

Related case studies

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.