A new article on WNEP reports on experts who say that cyber attacks are getting worse. Not surprisingly, ransomware is at the top of the list: it has made headlines by crippling healthcare computer systems and 9-1-1 centers, shutting down gas pipelines, and more.
Ransomware may be top of mind, but it is far from the only attack happening today. According to the Verizon 2021 Data Breach Investigations Report (DBIR), when a breach involves hacking, the vector used to get in is a web application about 90% of the time.
Web application security risk remains top of mind at OWASP as well: the draft update of the OWASP Top 10 Web Application Security Risks was finally released this year, and MITRE also updated the CWE Top 25 Most Dangerous Software Weaknesses. One thing to note about the updated lists is that the same long-standing vulnerability classes still feature prominently. Combined with the Verizon report, these indicators suggest that we have made little progress in improving the security of our web applications, as other recent studies have also indicated.
The most popular attacks on web applications remain those that have been around almost since the dawn of the public internet. Until development and testing teams internalize the most significant vulnerability classes, such as Cross-Site Scripting (XSS) and SQL Injection, and develop strategies to reliably counter them in the code itself (contextual output encoding for XSS, parameterized queries for SQL injection), they will rely instead on perimeter measures such as web application firewalls to shield the vulnerable software. Unfortunately, as we have discussed in other blog articles, in recent years WAFs have been failing to protect applications: a WAF matches requests against patterns of attacks it already knows, so a payload it has not seen, or an encoding that sidesteps its pattern, passes straight through to the vulnerable code.
RASP and IAST added to Security Framework
The continued prevalence of serious application vulnerabilities, and the failure of perimeter tools like WAFs to stop attacks against them, is one of the reasons NIST updated its catalog of security and privacy controls, NIST SP 800-53.
The big change for application security in Revision 5 was the addition of RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing), which appear as the control enhancements SI-7(17) and SA-11(9) respectively. It was the first time a NIST control catalog recognized these two advances in application security. Because they are control enhancements rather than base controls, they apply to a system once they are selected in its control baseline or tailoring, so organizations should check their baselines for them rather than assume they are either mandatory or optional everywhere.
While it has been a year since the revision was finalized, it is probably too soon to say whether the new controls are a success. We do know that over the last year breaches and attacks have increased. That alone should convince any organization to re-evaluate its security, and the NIST catalog offers a template for adopting the same level of security used by federal agencies.
Here at K2 Cyber Security, we'd like to help with your RASP and IAST requirements. K2 offers a runtime protection solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach, so detection is not limited to attacks that resemble ones seen before. Deterministic security uses application execution validation: it verifies that the API calls the application makes are the ones the code was written to make. No prior knowledge of an attack or of the underlying vulnerability is needed, which is what gives the approach its ability to detect new zero-day attacks. Our technology has 8 patents granted or pending and produces no false alerts.
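As an added example, the following Python puts the WAF discussion above and the execution-validation idea side by side for one SQL injection. It is my own toy code, not K2's product, the NIST text, or any particular RASP implementation: a WAF-style signature list is bypassed by a comment-as-whitespace variant it has no pattern for; a structural check in the spirit of "verify the call matches what the code intended" (compare the token shape of the SQL about to run with the developer's template, with no payload list at all) catches that same variant; and a parameterized query removes the flaw at the source and also handles a legitimate apostrophe that breaks the concatenated version. The users table, the template and every payload are constructed for the demo, and the tokenizer is a deliberate sketch, not a real SQL parser.

```python
"""Added example (not K2's code): one SQL-injection flaw seen three ways.

1. A naive signature filter of the kind a WAF applies to input.
2. A toy 'execution validation' check: compare the token structure of the
   SQL the app built against the structure of the developer's template.
3. The fix at the source: a parameterised query.

The users table, template and payloads are constructed for this demo.
"""
import re
import sqlite3

# The developer's intent: exactly one string literal after '='.
# Building it with str.format is the vulnerability being demonstrated.
TEMPLATE = "SELECT id, name FROM users WHERE name = '{}'"

# --- 1. signature filter (WAF-style) ----------------------------------------
SIGNATURES = [
    re.compile(r"'\s+or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),  # ' OR 1=1 / ' OR '1'='1
    re.compile(r"union\s+select", re.IGNORECASE),
    re.compile(r"--|;"),
]

def waf_blocks(user_input: str) -> bool:
    """True if a known-bad pattern matches; it only catches what is on the list."""
    return any(p.search(user_input) for p in SIGNATURES)

# --- 2. structural check (toy 'execution validation') -----------------------
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"       # single-quoted string literal ('' escapes a quote)
    r"|\d+"                 # numeric literal
    r"|\w+"                 # identifier or keyword
    r"|/\*.*?\*/|--[^\n]*"  # comments
    r"|[^\s\w']+",          # operators and punctuation
    re.DOTALL,
)

def sql_shape(sql: str) -> list:
    """Tokenise; literals and comments become placeholders, keywords/operators stay."""
    shape = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'") or tok.isdigit():
            shape.append("LIT")
        elif tok.startswith("/*") or tok.startswith("--"):
            shape.append("COMMENT")
        else:
            shape.append(tok.upper())
    return shape

def matches_intent(sql: str, template: str) -> bool:
    """True if the SQL about to run has exactly the structure the template has."""
    return sql_shape(sql) == sql_shape(template.format("placeholder"))

def lookup_vulnerable(conn, name):
    return conn.execute(TEMPLATE.format(name)).fetchall()

def lookup_with_runtime_check(conn, name):
    sql = TEMPLATE.format(name)
    if not matches_intent(sql, TEMPLATE):
        raise RuntimeError("blocked: SQL structure differs from what the code intended")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # The driver sends the value separately; it can never become SQL syntax.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn

def run_demo():
    conn = make_db()
    classic = "' OR 1=1"
    obfuscated = "'/**/OR/**/'1'='1"   # SQLite treats /**/ as whitespace; the regex wants \s
    out = {
        "waf_blocks_classic": waf_blocks(classic),
        "waf_blocks_obfuscated": waf_blocks(obfuscated),
        "vulnerable_rows": len(lookup_vulnerable(conn, obfuscated)),  # every user leaks
        "safe_rows": len(lookup_safe(conn, obfuscated)),              # nobody has that name
        "safe_rows_obrien": len(lookup_safe(conn, "O'Brien")),        # apostrophe is fine
        "checked_rows_alice": len(lookup_with_runtime_check(conn, "alice")),
    }
    try:
        lookup_with_runtime_check(conn, obfuscated)
        out["structural_check_blocked"] = False
    except RuntimeError:
        out["structural_check_blocked"] = True
    return out

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:26} {value}")
```

The structural check never looks at the payload itself, which is why it catches the variant the signature list misses; it also flags the concatenated query for "O'Brien", which is a genuine change of structure (and a SQL error) that the parameterized version simply does not have. A real runtime protection product needs a proper SQL tokenizer per dialect and the same idea applied to other sinks (file paths, shell commands, deserialization), but the principle is the one shown here: validate what is about to execute against what the code meant, rather than against a list of attacks.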
We have also recently published a video, The Need for Deterministic Security. It explains why the technologies used in today's security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks, and how deterministic security fills that gap. The video covers why artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, with specific examples of attacks these technologies catch and attacks they miss.
It also explains why deterministic security works against true zero-day attacks and how K2 applies it. Watch the video now.
Change how you protect your applications: include RASP, and check out K2's application workload security.