Solution

Insecure Deserialization

Waratek’s Security-as-Code platform wholly and automatically protects the entire application stack against Java deserialization attacks

Your challenge

Serialization is widespread across APIs, microservices, and client-side MVC. Deserialization is the reverse process that converts the serialized stream of bytes back to an object in the machine's memory.

The main driver for this vulnerability is a dangerous class in the Apache Commons Collection library: `InvokerTransformer`. However, disabling this class is not the proper way to solve the deserialization of untrusted data and might break the application.

Other recommended approaches might reduce the impact of a deserialization attack but do not protect against blind attacks for data exfiltration or Denial of Service deserialization attacks.

The solution

Using Waratek’s Security-as-Code platform and turning on the declarative “Deserial” rule wholly and automatically protects the entire application stack against Java deserialization attacks, known or unknown (zero-day).

Waratek achieves this level of protection by creating a dynamic, restricted compartment inside its platform. This restricted compartment is active for the duration of each deserialization operation and afterward, such as during garbage collection. The restricted compartment allows any legitimate functionality to run normally but prohibits any gadget chain from abusing and compromising the system. The feature allows the InvokerTransformer to be used generally by systems that depend on this functionality without compromising the system by any malicious gadget chains.

Waratek products used

As a Public company, protecting our enterprise applications is a high priority and Waratek has played a significant role in achieving that goal.

Push-button immutable security

Push-button immutable security

Waratek achieves 100% accuracy with zero false positives against insecure deserialization vulnerabilities at the push of a button by creating a dynamic restricted compartment. This compartment is active for the duration of each deserialization operation and afterward during garbage collection. The restricted compartment allows any legitimate functionality to run normally but prohibits any gadget chain from abusing and compromising the system.

Customer success story

Global commercial real estate company

Zero-day protection
24/7
Coverage of OWASP Top 10 and SANS 25
100%
Reduction in false positives
100%

Why Waratek

Companies use Waratek Secure to ensure a hardened level of security posture across all of their apps and maintain agility in the software development lifecycle

Read case study
Eliminate toil spent on false positives and negatives
Mitigate risk of vulnerability regressions after deployment
Modernize legacy apps to secure EOL language versions
Automate the remediation of code vulnerabilities

Featured resource

Security in the CI/CD Pipeline vs. Security-as-Code: which lowers risk more?

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.