Case study

Financial Services Company Removes Vulnerabilities for PCI Compliance

The company

A US Fortune 100 company sought Waratek’s virtualization technology to remove vulnerabilities detected by PCI frameworks.

The following test case was executed against a Java application running on the server estate of a US Fortune 100 financial services company. The goal of the test case was to demonstrate how Waratek, through its virtualization technology, removes vulnerabilities detected by PCI frameworks. Qualys was used as the PCI audit tool.

The challenge

The company had a considerable issue with legacy Java and, as a result, consistently failed to meet the requirements of the PCI Standards Council.

For this test, a legacy Java 6 application was identified as the test candidate. Prior to Waratek’s on-premises deployment, Waratek created a reference environment based on the exact Java and Tomcat versions and their recorded configurations, mirroring the target application system to be upgraded. The actual Waratek installation and Tomcat validation took less than 10 minutes.

The solution

A Qualys scan was run on the reference environment before and after Waratek installation, with the following results:

After installation in the reference environment, all 29 of the Java 6u19 vulnerabilities identified by Qualys were remediated by containerizing the legacy Java 6 version inside an up-to-date and secured Java 8 host.

As a result, the environment could be considered as fully security compliant.

Waratek’s unique approach to application security resulted in the remediation of years of vulnerabilities and the updating of an out-of-date Java JRE without changing a single line of code.

Performance in normal operating mode improved by nearly 7%, and performance overhead while under attack was less than 2.5%.

The application owners can expect to see an elimination of false positives. The company will also gain operational efficiencies from being able to live-patch without shutting down the application, reducing patch times, costs and the risks associated with delays in patching.

The results

Vulnerabilities removed: 29
Increase in performance: 7%
PCI compliance achieved: 100%

Waratek's Security-as-Code platform not only found the cryptominer we had, but securely removed it within 48 hours, stopping us from having to rebuild our solution from scratch.
