GUEST ESSAY: The many benefits of infusing application security during software ‘runtime’

By Pravin Madhani

Vulnerabilities in web applications are the leading cause of high-profile breaches.

Related: Log4J’s big lesson

Log4j, a widely publicized zero-day vulnerability, was first identified in late 2021, yet security teams are still racing to patch and protect their enterprise apps and services. This notorious incident highlights the security risks associated with open-source software, and the challenges of protecting web applications against zero-day attacks.

To improve web application security, there are basic steps an organization should take:

• Security test earlier in the development cycle

• Make sure that software and operating systems are kept up to date and patched

• Utilize a multi-layered, defense-in-depth approach.

However, the most significant protection against zero-day and other attacks comes from using security technologies that sit very close to how your application works. Security solutions like runtime application protection provide the context, visibility and control to identify and block new zero-day attacks launched against your applications.

How ‘runtime’ works

Unlike traditional endpoint and network security solutions such as EDRs and WAFs, which operate outside the application at the endpoint or the network edge, a runtime security tool, sometimes called a Runtime Application Self-Protection (RASP) solution, sits on the same server as the application and provides continuous security and protection for the application while it is running.

With complete visibility into the application, a runtime solution is able to directly understand the application’s execution and control flows, and it constantly monitors and analyzes the application’s execution to validate that the code is operating correctly. By continuously assessing the instrumented code for vulnerabilities in real time, it has the context to identify new zero-day attacks as soon as they happen.

By contrast, traditional security tools that are positioned further from the application lack complete knowledge and visibility. Such tools must rely on pattern matching, machine learning and signatures from past attacks, resulting in many false alerts and, more importantly, missed zero-day attacks.

Runtime security technology also provides greater context and visibility into the attack parameters, enabling runtime tools to pinpoint exactly where the vulnerability exists in the code. It can help the developer quickly reproduce the attack, resolve the issue in the code, and get the application back up and running safely in production.

Runtime security technologies also provide a final, and perhaps most important, benefit to web applications in production, and that is the ability to block an attack as it is happening.

Unlike pattern-matching technologies, which often produce false positives, runtime security tools have the advantage of being closer to the application. This gives them the context and visibility necessary to decide when a vulnerability is real and exploitable, and when an application needs to be protected from attack.

The ability to block attacks on vulnerabilities in running code is especially important when you consider that it can take developers substantial time to fix, test, and roll out the remediated code.

Pre-production scrutiny

The benefit of sitting closer to the application also applies in test environments. While there is growing emphasis on shift left, or earlier security testing in software development, traditional application testing tools such as DAST and SAST often provide overwhelming numbers of alerts, including many false positives.

Each of these alerts needs to be analyzed, wasting the security team’s time and resulting in longer debugging cycles. Without visibility inside the application, it is impossible to know whether, and exactly where, a vulnerability occurs within the code, making remediation time consuming and laborious.


Using a model similar to runtime application security tools, technologies like Interactive Application Security Testing (IAST) use components that reside on the testing server. IAST tools watch the application code as it executes, and can identify and pinpoint the location of a vulnerability down to the filename and specific line of code, enabling a developer to quickly locate the vulnerability for correction.
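The contrast drawn above between an edge filter that only sees raw request bytes and an in-process hook that sees what the application does with them, together with the IAST point about reporting the exact file and line, can be shown in a few dozen lines. The example below is added here and is not code from the essay or from K2’s products; the `Tainted` string, `ProtectedCursor` and `waf_verdict` names are assumptions. The edge rule is deliberately naive (it blocks any apostrophe), and the in-process rule is simplified to "an untrusted value was spliced into the SQL text rather than bound as a parameter"; a real agent instruments the runtime’s string operations and parses the query to decide whether the input changed its structure.

```python
import inspect
import re
import sqlite3


class Tainted(str):
    """A string that arrived from an untrusted source (e.g. an HTTP parameter).
    Concatenation propagates the taint so the hook can recognise it downstream.
    Toy taint tracking: f-strings and str.format are not covered here."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class BlockedBySelfProtection(Exception):
    """Raised by the in-process hook when untrusted input reaches the SQL text."""

    def __init__(self, filename, lineno):
        super().__init__(f"untrusted input spliced into SQL at {filename}:{lineno}")
        self.filename = filename
        self.lineno = lineno


# Toy signature rule of the kind an edge filter applies to raw request text.
WAF_RULE = re.compile(r"'")


def waf_verdict(raw_value: str) -> str:
    """Edge filter: it sees only the bytes, not what the application does with them."""
    return "block" if WAF_RULE.search(raw_value) else "allow"


class ProtectedCursor:
    """Wraps a DB-API cursor: the hook runs inside the app, right before the query."""

    def __init__(self, cursor):
        self._cursor = cursor

    def execute(self, sql, params=()):
        if isinstance(sql, Tainted):
            # The caller's frame is the line that built the query: the location
            # an IAST/RASP report points the developer to.
            frame = inspect.stack()[1]
            raise BlockedBySelfProtection(frame.filename, frame.lineno)
        return self._cursor.execute(sql, params)

    def fetchall(self):
        return self._cursor.fetchall()


def make_db():
    """Constructed in-memory sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "O'Brien"), (2, "alice")])
    return conn


def lookup_parameterized(conn, name):
    """Correct code: the untrusted value is bound, never part of the SQL text."""
    cur = ProtectedCursor(conn.cursor())
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def lookup_concatenated(conn, name):
    """Defective code: the untrusted value is spliced into the SQL text."""
    cur = ProtectedCursor(conn.cursor())
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return [row[0] for row in cur.fetchall()]


def demo(name="O'Brien"):
    """Run one request value through the edge rule and both code paths."""
    conn = make_db()
    untrusted = Tainted(name)
    result = {"waf": waf_verdict(untrusted)}
    result["parameterized"] = lookup_parameterized(conn, untrusted)
    try:
        lookup_concatenated(conn, untrusted)
        result["concatenated"] = "allowed"
    except BlockedBySelfProtection as exc:
        result["concatenated"] = f"blocked at line {exc.lineno}"
    return result


if __name__ == "__main__":
    print(demo())
```

With the legitimate name `O'Brien` the edge rule blocks the request outright (a false positive), while the in-process hook lets the parameterized query run and returns the matching row; only the concatenated path is blocked, and the exception carries the file and line that built the query, which is the kind of pinpointing the IAST paragraph describes.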

Some tools, like K2’s Security Platform, take the extra step of probing the application to validate and identify only the exploitable vulnerabilities and provide an associated level of severity. This allows teams to focus on the vulnerabilities that really matter and resolve them quickly.

With more detailed visibility, IAST tools give organizations the ability to identify and address valid issues, allowing their developers to work more effectively. Teams can make educated decisions on the prioritization of vulnerabilities to remediate, which to defer, and which to release to production, while receiving assistance in the detection of false positives produced by their other tools.

By sitting closer to the application, runtime and IAST tools provide security and development teams with the context, visibility and control necessary to release secure software faster to market, and block sophisticated zero-day attacks before they wreak havoc on your company’s mission-critical business.

Isn’t it time to cozy up to your applications?

About the essayist: Pravin Madhani is co-founder and CEO of K2 Cyber Security. He received his Masters in Computer Engineering from UT at Austin and his Bachelors in Electrical Engineering from IIT at Mumbai.
