Case Study: Virtual Patching / Legacy Applications
May 2017

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing
Instant security and operations improvement without code changes

Waratek.com
Copyright Waratek 2017 All Rights Reserved
Background

A global financial institution evaluated how Waratek's virtualization-based Application Security Platform instantly and seamlessly modernizes, hardens, and protects mission-critical web applications. Two separate Java applications hosted on different versions of Java Virtual Machines were selected as the candidate applications for evaluation. Under the test plan, Waratek was required to protect the full application stack, including 3rd-party components, as well as remediate legacy, current and new application security vulnerabilities. Waratek was also evaluated on other client criteria such as False Positive Rate (FPR), ease of installation, number of code changes required, compatibility and performance.

Test Results

For both applications, Waratek achieved the following results:

- Simple, fast deployment in less than 30 minutes
- All security tests: Passed
- Active security controls: Protected against future threats (0-day) in all layers of the application stack
- Legacy applications: Transparently updated to Java 8 without code changes
- Internal performance result: Passed
- All functional tests: Passed
- False Positive Rate: 0
- Code Changes Required: 0

Specific test results include:

Full Application Stack Protection

Prior to the evaluation, Waratek did not have any visibility into known vulnerabilities in the two applications to be tested, or if any known vulnerabilities were repeatedly exploitable. To effectively demonstrate the capabilities of the technology, Waratek introduced deliberate vulnerabilities, with the support of the client, that corresponded to the following items on the SANS list of Most Dangerous Software Errors [1]:

[1] https://cwe.mitre.org/top25/
Vulnerability                        CWE       SANS Ranking
Command Injection                    CWE-78    2
Cross Site Scripting (XSS)           CWE-79    4
Unrestricted Uploads                 CWE-434   9
Path Traversal                       CWE-22    13
Use of Broken Crypto                 CWE-327   19
Open Redirect                        CWE-601   22
Deserialization of Untrusted Data    CWE-502   -

In each case, Waratek successfully intercepted and prevented attempts to exploit the test vulnerabilities.

Legacy Java Remediation

The test applications run on significantly out-of-date Java 7 platforms dating back to 2013. There are currently hundreds of known critical vulnerabilities present in this version of Java. In April 2015, Oracle ended public support for the Java 7 platform. Because Waratek did not have any visibility into known vulnerabilities in the two applications to be tested prior to the onsite trial, Waratek conducted a Nessus vulnerability scan against a similar system that revealed:

- A total of 17 Nessus vulnerabilities, 13 of them ranked as critical
- 387 distinct CVEs were identified
- ALL CVEs had a CVSS score of 9.3 or 10

In both application instances, the Waratek agent (a .jar file) was downloaded and easily installed. Upon restart, a virtual container encapsulated the full application stack, providing instant modernization of the Java 7 JRE to a Java 8 JRE, resulting in immediate protection against vulnerabilities in the significantly out-of-date and insecure Java platforms. In addition, the default security policy significantly minimised exposure relating to vulnerabilities in third-party libraries, meeting the Company's test criteria.
Benefits

Waratek demonstrated five principal benefits during the evaluation of the test applications:

1. Instant Application Modernization
The test applications were transformed into Java 8 applications by virtualizing the legacy Java 7 JRE inside a Java Runtime Container on top of an up-to-date Java 8 JVM. Security policy was then applied to minimise the attack surface of the applications. At the conclusion of the test, the client remarked: "Implementing Waratek will give us a three-year breathing space to catch up on application development."

2. Live, Virtual Patching
Security policies and binary-equivalent virtual patches can be updated and applied without disrupting or restarting application operation and without manual intervention. This allows for instant patching, which frees valuable staff and financial resources to be applied to higher-value activities. The Company estimates it will realize approximately $2.5M USD in savings from virtual patching, legacy application remediation and risk reduction.

3. Continuous Protection
Waratek's security controls provide continuous monitoring and protection for the 2013 OWASP Top Ten as well as other common vulnerabilities like those found in third-party software components (Apache Struts 1, Apache Struts 2 and Apache Commons, for example).

4. Automatic Security Hardening
Waratek's built-in application hardening features, such as Default Impact Reduction Rules, Name-Space Layout Randomization (NSLR), and others, reduce or eliminate the CVE Severity Scores of known and unknown vulnerabilities that may be present anywhere in an application stack.

5. Full Forensic Data
Waratek provides real-time attack alerts to security teams and comprehensive data that guides development teams to vulnerable sections of code. The data is accessed via a customer's SIEM or the Waratek Management Console. Our security logs are generated in an easily parseable delimited text format and include stack traces corresponding with any security event we intercept.
Summary

Waratek's unique approach to application security resulted in the remediation of all test vulnerabilities and the updating of out-of-date Java platforms without changing a single line of code or post-installation tuning. No prior knowledge of the test application was required to install the Waratek agent, which took less than 30 minutes to fully deploy. The application owners can expect to see an elimination of false positives due to the virtualization approach to runtime protection. During two years of live production, Waratek has never reported a false positive. Performance overhead while under attack averages 3%. Other clients have seen performance improvements during normal operations after modernizing applications on out-of-date platforms. The Company will also gain operational efficiencies from being able to live-patch without shutting down the application, reducing patch times, costs and the risks associated with delays in patching.

About Waratek

Waratek is highly accurate, easy to install, simple to operate and does not slow application performance while providing protection against known and unknown vulnerabilities and exploits in current and legacy software. Waratek takes application security programs beyond a WAF without using heuristics. Based on patented virtualization technology, Waratek's application security platform produces zero false positives, requires no code changes, tuning or instrumentation, and takes minutes to install, providing instant protection from the OWASP Top Ten as well as Zero Day attacks. These are benefits that cannot be provided by current WAF or emerging technologies like RASP using instrumentation or filters. Named by Computer Defense Magazine as the 2017 Application Security Leader and 2016's Best Application Security Solution by Government Security News, Waratek is the winner of the 2015 RSA Innovation Sandbox Award and a dozen other media and industry awards.