Uploaded by waratek-ltd, 15 July 2015. Category: Technology.

TRANSCRIPT

Why Java Server App Security Should Be Keeping You Up At Night

John Matthew Holt, Waratek, Founder and CTO

Prateep Bandharangshi, Waratek, Security Director, Client Security Solutions

Agenda

•  The Appsec challenge

•  Current approaches to App Security and the challenges they face

•  New Approach: Runtime Application Self Protection

•  The future:

–  Zero knowledge required:

•  No threat intelligence required

•  No knowledge of application software required

•  No changes to application code required

•  No security expertise required

•  No reliance on Firewalls (e.g. WAF)

February 2015 ©Waratek

THE APPSEC CHALLENGE

Secure Coding

“There are over 1,000 different types of software weaknesses, most of which are impossible for developers to avoid without training and development support”

Source: State of Developer Application Security Knowledge, Aspect Security, September 2014

Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response:

“We sell hammers”

- New York Times, September 19, 2014

Legacy Java

•  Most enterprises have large numbers of applications running on older, legacy Java versions.

•  Updating these apps to the current Java release is often risky, time consuming, and expensive.

Java versions detected through enterprise endpoints (Bit9, 2013, “Java Vulnerabilities: Write Once, Pwn Anywhere”):

Other        19%

Java 3.x      1%

Java 4.x      5%

Java 5.x     13%

Java SE 6    52%

Java SE 7    10%

Your Apps are the windows to your Data!

CURRENT APPROACHES

The Current Option Set Misses an Opportunity

The layers at which security can be applied, from the outside in: Perimeter security (i.e. WAF), OS, Run Time VM, Application.

•  Perimeter security (i.e. WAF): lots of $$$ spent, lowest value

•  Application: great potential, limited coverage, hard in practice

•  Run Time VM: the missed opportunity

“More Secure Application Coding” Cannot Solve The Problem

•  Relatively little application code (<20%) is written and controlled by the enterprise

–  3rd party libraries heavily used and often open sourced

–  Application servers and frameworks (JBoss, WebSphere, WebLogic, Tomcat, etc.)

–  Java APIs

–  Purchased software packages

The layers of the Java application stack: OS/Network; JVM; Java APIs (JRE); Servers, Frameworks (JEE); 3rd Party Libraries; Custom Business Logic (WARs, EJBs, JARs). Only the Custom Business Logic layer is the enterprise's own code.

Source: 2014 Sonatype Open Source and Application Security Survey

Third Party Framework

Struts2 CVEs

The Struts2 framework has had 10 CVEs discovered in the last two years with a CVSS score of 9 or 10.

•  CVE = Common Vulnerabilities and Exposures

•  CVSS = Common Vulnerability Scoring System

Application Security Testing

•  You cannot rely on more secure coding as a means of defence

•  An average application has 100s of vulnerabilities

•  Each vulnerability can take from 1-5 days to fix ... that’s a lot of work

•  Only covers business logic

•  It tells you your application has a problem, but doesn’t fix it

•  It doesn’t understand what an application expects

Of the stack (OS/Network; JVM; Java APIs (JRE); Servers, Frameworks (JEE); 3rd Party Libraries; Custom Business Logic (WARs, EJBs, JARs)), testing covers only the Custom Business Logic layer.

Web Application Firewall

•  Doesn’t understand application behavior

•  Relies on regular expressions and string comparisons = very inaccurate

•  False positives

•  The perimeter is already breached

•  Insider attack

mod_security

•  ModSecurity is an open source, cross-platform web application firewall (WAF) module

•  Trustwave is the primary developer and custodian of ModSecurity and leads the OWASP ModSecurity Core Rule Set Project

SQL Injection

String id = request.getParameter("id");   // untrusted: taken straight from the request

String sql = "SELECT * FROM users WHERE id= '" + id + "'";   // concatenated into the query text, so quotes in id become SQL

SQL Injection attacks leverage poor input validation, and remain right at the top of the OWASP Top 10 (“A1 – Injection”).

SQL Injection

http://example.com/page.jsp?id=1' OR 1=1--

http://example.com/page.jsp?id=1%27%20OR%201=1--

SELECT * FROM users WHERE id = '1' OR 1=1--'
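The injection above, run end to end as an added example (it is not code from the webinar or from Waratek). Python with the standard-library sqlite3 module stands in for the Java/JDBC code on the slide so the block runs stand-alone; the users table and its three rows are constructed for the example, and the parameterized lookup plays the role a JDBC PreparedStatement would play in the Java version.

```python
import sqlite3
from urllib.parse import unquote

PAYLOAD = "1' OR 1=1--"   # the slide's payload; %27 and %20 in the URL decode to ' and space


def decode_query_param(raw: str) -> str:
    # Servlet containers URL-decode parameters before request.getParameter() returns them,
    # so both forms of the URL on the slide reach the query as the same string.
    return unquote(raw)


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a small in-memory users table (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1", "alice", "admin"), ("2", "bob", "user"), ("3", "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Mirrors the Java on the slide: the parameter is pasted into the SQL text, so a quote in
    # user_id closes the literal, "OR 1=1" becomes part of the WHERE clause, and "--" comments
    # out the closing quote the developer wrote.
    sql = "SELECT * FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # The fix: bind the value as a parameter (PreparedStatement in JDBC). The database receives
    # the query shape and the value separately, so the payload is only ever compared as data
    # against the id column and matches nothing.
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, id=1:      ", lookup_vulnerable(conn, "1"))
    print("vulnerable, payload:   ", lookup_vulnerable(conn, decode_query_param("1%27%20OR%201=1--")))
    print("parameterized, payload:", lookup_parameterized(conn, PAYLOAD))
```

With the payload the concatenated query returns every row in the table, which is the whole point of `OR 1=1`; the parameterized query returns nothing, because the string `1' OR 1=1--` is compared literally against `id`.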

RUNTIME APPLICATION SELF PROTECTION (RASP)

Runtime Application Self Protection (RASP)

•  In 2012 Joseph Feiman, Gartner Fellow and Analyst, identified this new category of application security as a ‘Must-Have Emerging Technology’

•  In 2014 his report ‘Stop Protecting Apps, It’s Time For Apps To Protect Themselves’ was given ‘Maverick’ status by Gartner Analysts

‘Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority’

What is RASP and why is it better

•  Zero knowledge required:

–  No threat intelligence required

–  No knowledge of application software required

–  No changes to application code required

–  No security expertise required

–  No reliance on Firewalls (e.g. WAF)

•  Minimal performance overhead

RASP = Application Intelligence

•  RASP can draw on real-time application intelligence that no other technology has access to today

•  For example, RASP can use taint tracking to follow untrusted data from where it enters the application (an external user's request) to where it exits (a SQL query, a shell command, a file path, a response page)

•  RASP can accurately detect attacks such as SQL injection, XSS, OS command injection, path traversal etc. – no more false positives

•  RASP can stop unknown zero-day attacks
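An added example, not part of the webinar and not Waratek's implementation, of the taint-tracking idea above and of why it does better than the regular-expression matching the Web Application Firewall slide criticises. A minimal per-character taint model follows the request parameter through the same concatenation as the slide's Java, and the SQL sink then checks whether any tainted character changed the query's lexical structure (a tainted keyword, operator, comment or quote delimiter). The tokenizer, the `TStr` class, the structure rule and the naive `NAIVE_WAF_RE` rule are all this example's own simplifications, not any product's code.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Minimal SQL lexer (this example's own). Alternatives are tried in order, so a quote
# starts a string literal and "--" starts a comment before the single-character rule.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*'?)   # single-quoted literal; '' is an escaped quote; may be unterminated
  | (?P<comment>--[^\n]*)         # line comment: the database ignores the rest of the line
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_]\w*)       # identifiers and keywords (SELECT, FROM, OR, ...)
  | (?P<space>\s+)
  | (?P<op>.)                     # any other single character: operator or punctuation
""", re.VERBOSE | re.DOTALL)

# A signature rule of the kind a regex-based WAF applies to the raw parameter.
NAIVE_WAF_RE = re.compile(r"'|--|\bOR\b", re.IGNORECASE)


def naive_waf_flags(param: str) -> bool:
    """Pattern matching on the parameter alone: no notion of where the value ends up."""
    return NAIVE_WAF_RE.search(param) is not None


@dataclass(frozen=True)
class TStr:
    """A string with a per-character taint flag (True = came from an untrusted source).
    Concatenation keeps the flags, so taint propagates through string building."""
    text: str
    taint: Tuple[bool, ...]

    @classmethod
    def trusted(cls, s: str) -> "TStr":
        return cls(s, (False,) * len(s))

    @classmethod
    def untrusted(cls, s: str) -> "TStr":
        return cls(s, (True,) * len(s))

    def __add__(self, other) -> "TStr":
        if isinstance(other, str):
            other = TStr.trusted(other)
        return TStr(self.text + other.text, self.taint + other.taint)

    def __radd__(self, other: str) -> "TStr":  # handles "literal" + TStr
        return TStr.trusted(other) + self


def injection_token(query: TStr) -> Optional[Tuple[str, str]]:
    """Sink-side check. Returns (kind, token) for the first token whose structure was altered
    by tainted data, or None if untrusted bytes only supplied the value of a literal.

    Rule: tainted characters may sit inside a numeric literal or strictly between the quotes
    of a string literal. A tainted keyword, identifier, operator, comment or quote delimiter
    means the input changed how the database parses the query, which is what injection is."""
    for m in TOKEN_RE.finditer(query.text):
        kind, tok = m.lastgroup, m.group()
        start, end = m.span()
        tainted = [i for i in range(start, end) if query.taint[i]]
        if not tainted or kind in ("number", "space"):
            continue
        if kind == "string":
            closed = len(tok) >= 2 and tok.endswith("'")
            body = range(start + 1, end - 1 if closed else end)
            if all(i in body for i in tainted):
                continue  # value stayed inside the quotes (doubled quotes included)
        return kind, tok
    return None


def build_query(user_id: TStr) -> TStr:
    # Same concatenation as the Java on the SQL Injection slide; taint flows through unchanged.
    return "SELECT * FROM users WHERE id = '" + user_id + "'"


if __name__ == "__main__":
    for raw in ("1", "O''Brien", "1' OR 1=1--"):
        q = build_query(TStr.untrusted(raw))
        print(f"{raw!r:16} regex={naive_waf_flags(raw)!s:5} taint={injection_token(q) or 'allowed'}")
```

The structure check passes `1` and the correctly escaped name `O''Brien` (the tainted characters stay between the quotes) and rejects `1' OR 1=1--` at the string literal whose closing quote came from the user; the regex rule flags the escaped name as well as the attack, which is the false-positive problem the WAF slide describes. The same check works in a numeric context, where `1 OR 1=1` is rejected at the tainted keyword `OR`.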

THE FUTURE: AUTOMATIC SQL INJECTION PROTECTION

Automatic Protection Demonstration

•  Waratek is a leading implementation of RASP technology

•  Waratek provides automatic SQL injection protection with no code changes, no tuning, no false positives

The Future is Now

•  Automatically Stop SQL injection NOW, with no code changes, tuning or false positives

•  Automatic protection for any application new or old, internally developed or third party apps

•  Minimal performance overhead

•  Enterprise deployment and Cloud portable

•  Zero knowledge required:

–  No threat intelligence required

–  No knowledge of application software required

–  No changes to application code required

–  No security expertise required

–  No reliance on Firewalls (e.g. WAF)

http://waratek.com/isaca-rasp-webinar

•  Access free Gartner Maverick White Paper

•  Webinar Slides

•  Webinar Recording

•  Email [email protected]

Try for free on Microsoft Azure

Let your Apps protect themselves