Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Case Study: Virtual Patching / Legacy Applications, May 2017
Instant security and operations improvement without code changes
Waratek.com. Copyright Waratek 2017. All Rights Reserved.

Background

A global financial institution evaluated how Waratek's virtualization-based Application Security Platform instantly and seamlessly modernizes, hardens, and protects mission-critical web applications. Two separate Java applications hosted on different versions of the Java Virtual Machine were selected as the candidate applications for evaluation. Under the test plan, Waratek was required to protect the full application stack, including 3rd-party components, and to remediate legacy, current and new application security vulnerabilities. Waratek was also evaluated on other client criteria such as False Positive Rate (FPR), ease of installation, number of code changes required, compatibility and performance.

Test Results

For both applications, Waratek achieved the following results:

- Simple, fast deployment in less than 30 minutes
- All security tests: Passed
- Active security controls: Protected against future threats (0-day) in all layers of the application stack
- Legacy applications: Transparently updated to Java 8 without code changes
- Internal performance result: Passed
- All functional tests: Passed
- False Positive Rate: 0
- Code Changes Required: 0

Specific test results include:

Full Application Stack Protection

Prior to the evaluation, Waratek did not have any visibility into known vulnerabilities in the two applications to be tested, or into whether any known vulnerabilities were repeatably exploitable. To effectively demonstrate the capabilities of the technology, Waratek introduced deliberate vulnerabilities, with the support of the client, that corresponded to the following items on the SANS list of Most Dangerous Software Errors [1]:

[1] https://cwe.mitre.org/top25/

Vulnerability                        CWE       SANS Ranking
Command Injection                    CWE-78    2
Cross Site Scripting (XSS)           CWE-79    4
Unrestricted Uploads                 CWE-434   9
Path Traversal                       CWE-22    13
Use of Broken Crypto                 CWE-327   19
Open Redirect                        CWE-601   22
Deserialization of Untrusted Data    CWE-502   -

In each case, Waratek successfully intercepted and prevented attempts to exploit the test vulnerabilities.

Legacy Java Remediation

The test applications run on significantly out-of-date Java 7 platforms dating back to 2013. There are currently hundreds of known critical vulnerabilities present in this version of Java. In April 2015, Oracle ended public support for the Java 7 platform.

Because Waratek did not have any visibility into known vulnerabilities in the two applications to be tested prior to the onsite trial, Waratek conducted a Nessus vulnerability scan against a similar system that revealed:

- A total of 17 Nessus vulnerabilities, 13 of them ranked as critical
- 387 distinct CVEs identified
- ALL CVEs had a CVSS score of 9.3 or 10

In both application instances, the Waratek agent (a .jar file) was downloaded and easily installed. Upon restart, a virtual container encapsulated the full application stack, providing instant modernization of the Java 7 JRE to a Java 8 JRE and resulting in immediate protection against vulnerabilities in the significantly out-of-date and insecure Java platforms. In addition, the default security policy significantly minimised exposure relating to vulnerabilities in third-party libraries, meeting the Company's test criteria.

Benefits

Waratek demonstrated five principal benefits during the evaluation of the test applications:

1. Instant Application Modernization
The test applications were transformed into Java 8 applications by virtualizing the legacy Java 7 JRE inside a Java Runtime Container on top of an up-to-date Java 8 JVM. Security policy was then applied to minimise the attack surface of the applications. At the conclusion of the test, the client remarked: "Implementing Waratek will give us a three-year breathing space to catch up on application development."

2. Live, Virtual Patching
Security policies and binary-equivalent virtual patches can be updated and applied without disrupting or restarting the application and with no manual intervention. This allows for instant patching, which frees valuable staff and financial resources to be applied to higher-value activities. The Company estimates it will realize approximately $2.5M USD in savings from virtual patching, legacy application remediation and risk reduction.

3. Continuous Protection
Waratek's security controls provide continuous monitoring and protection for the 2013 OWASP Top Ten as well as other common vulnerabilities, such as those found in third-party software components (Apache Struts 1, Apache Struts 2 and Apache Commons, for example).

4. Automatic Security Hardening
Waratek's built-in application hardening features, such as Default Impact Reduction Rules, Name-Space Layout Randomization (NSLR) and others, reduce or eliminate the CVE Severity Scores of known and unknown vulnerabilities that may be present anywhere in an application stack.

5. Full Forensic Data
Waratek provides real-time attack alerts to security teams and comprehensive data that guides development teams to vulnerable sections of code. The data is accessed via a customer's SIEM or the Waratek Management Console. Our security logs are generated in an easily parseable delimited text format and include stack traces corresponding to any security event we intercept.

Summary

Waratek's unique approach to application security resulted in the remediation of all test vulnerabilities and the updating of out-of-date Java platforms without changing a single line of code or post-installation tuning. No prior knowledge of the test application was required to install the Waratek agent, which took less than 30 minutes to fully deploy.

The application owners can expect to see an elimination of false positives due to the virtualization approach to runtime protection. During two years of live production, Waratek has never reported a false positive. Performance overhead while under attack averages 3%. Other clients have seen performance improvements during normal operations after modernizing applications on out-of-date platforms.

The Company will also gain operational efficiencies from being able to live patch without shutting down the application, reducing patch times, costs and the risks associated with delays in patching.

About Waratek

Waratek is highly accurate, easy to install, simple to operate and does not slow application performance while providing protection against known and unknown vulnerabilities and exploits in current and legacy software. Waratek takes application security programs beyond a WAF without using heuristics. Based on patented virtualization technology, Waratek's application security platform produces zero false positives, requires no code changes, tuning or instrumentation, and takes minutes to install, providing instant protection from the OWASP Top Ten as well as Zero Day attacks. These are benefits that cannot be provided by current WAF or emerging technologies like RASP using instrumentation or filters.

Named by Computer Defense Magazine as the 2017 Application Security Leader and 2016's Best Application Security Solution by Government Security News, Waratek is the winner of the 2015 RSA Innovation Sandbox Award and a dozen other media and industry awards.