ComputerWeekly reported back in May that more data records were stolen in January 2021 than in all 12 months of 2017. 878.17 million records were stolen in January, reflecting the continued increase in cyber attacks and putting 2021 on track to be a record year for data breaches.
ComputerWeekly’s data comes from a new report published by Imperva. The report concluded that data breaches are accelerating and growing in size. While the source and cause of data breaches varies, there are a few common reasons why organizations continue to suffer losses of data.
Breaches may arise from misconfiguration, vulnerabilities in applications, password theft through phishing or brute-force attacks, lapses in third-party vendor security, and insider activity (whether malicious in intent or not).
While your organization should have security measures in place for all of these avenues of possible data loss, one that tends to be overlooked is runtime protection for vulnerabilities in applications already running in production. If these applications are on-premises, there’s an assumption that the on-premises firewall or WAF (web application firewall) is providing the runtime security; if the application is running in the cloud, there’s an assumption that the cloud provider is securing it.
Both of these assumptions are incorrect. Firewalls and WAFs can provide network-level security and even help protect well-understood SaaS applications, but they typically have no understanding of the custom applications running in a typical organization or of the vulnerabilities those applications contain, and even less understanding of how to protect a running custom application from an active attack.
Given this lack of focus on security for running applications, it’s time to rethink the way organizations approach application security, both during development and in production. The release of NIST SP800-53 Revision 5, the updated Security and Privacy Framework, is a good indication that things need to change and gives us insight into what the next generation of application security is going to look like.
The latest revision of NIST SP800-53 includes the requirement of RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). It’s the first time these two advancements in application security have been recognized by requiring them as part of the security framework.
A typical RASP solution has code-level visibility into the application and can analyze all the activity related to the application to accurately identify when an attack occurs, thereby reducing the number of false positives. Unlike WAFs, which only see the traffic coming to and from the server, a RASP can see what’s happening inside the application and determine whether the application itself is being used inappropriately. In addition, RASP is the first security category to offer self-protection for the application.
By running on the same server as the application, RASP solutions provide continuous security for the application at runtime. Because a RASP solution has complete visibility into the application, it can analyze the application’s execution to validate that the code is executing as intended, and it understands the context of the application’s interactions (for example, which database query a given request was written to run).
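To make the difference between a WAF and in-application runtime protection concrete, here is an added example (not K2’s product or code) of a minimal RASP-style hook: it sits inside the application, around the database call, and blocks any query whose structure differs from the one the calling code intended. The `RuntimeGuard`, `lookup_user` and `make_guarded_db` names, the tokeniser and the in-memory database are all constructed for this illustration.

```python
import re
import sqlite3

# Tokeniser for the query "shape": quoted strings, numbers, words, punctuation.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def query_shape(sql: str) -> list:
    """Reduce SQL to its structural tokens, replacing every literal with LIT."""
    return ["LIT" if t.startswith("'") or t.isdigit() else t.upper()
            for t in _TOKEN.findall(sql)]

class RuntimeGuard:
    """Hypothetical RASP-style hook around a DB-API cursor (constructed here,
    not K2's product). The call site supplies the query the code intended;
    a runtime query whose shape differs is blocked before it reaches the DB."""

    def __init__(self, cursor):
        self._cursor = cursor
        self.blocked = []

    def execute(self, intended_sql: str, actual_sql: str):
        if query_shape(actual_sql) != query_shape(intended_sql):
            self.blocked.append(actual_sql)
            raise PermissionError("query structure altered at runtime")
        return self._cursor.execute(actual_sql)

def lookup_user(guard: RuntimeGuard, name: str):
    """Application code that builds SQL by string formatting (the defect the
    guard is protecting; parameterised queries are the real fix). The template
    is the shape the developer intended. Returns matching user ids, or None
    when the guard blocked the query."""
    template = "SELECT id FROM users WHERE name = '?'"
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    try:
        return [row[0] for row in guard.execute(template, sql).fetchall()]
    except PermissionError:
        return None

def make_guarded_db() -> RuntimeGuard:
    """Constructed in-memory database with two users, wrapped by the guard."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return RuntimeGuard(conn.cursor())

if __name__ == "__main__":
    guard = make_guarded_db()
    print(lookup_user(guard, "alice"))              # [1]
    print(lookup_user(guard, "alice' OR '1'='1"))   # None (blocked)
```

The guard needs no signature of the attack: a legitimate name yields the same token shape as the template, while any input that adds clauses changes the shape and is stopped with the application’s own context attached, which is what a WAF looking only at HTTP traffic cannot do.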
IAST is the other new recommendation for application security in the NIST revised draft. If you haven’t heard of IAST, there’s a good definition available from Optiv:
“IAST is an emerging application security testing approach which combines elements of both of its more established siblings in SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). IAST instruments the application binary which can enable both DAST-like confirmation of exploit success and SAST-like coverage of the application code. In some cases, IAST allows security testing as part of general application testing process which provides significant benefits to DevOps approaches. IAST holds the potential to drive tests with fewer false positives/negatives and higher speed than SAST and DAST.”
With these two new requirements (RASP and IAST) for application security added to the NIST framework, it’s time to rethink how your organization is doing application security.
Here at K2 Cyber Security, we’d like to help out with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation and verifies that API calls are functioning the way the code intended. There is no use of any prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has no false alerts.
K2’s technology can also be used with DAST testing tools to provide IAST results during penetration and vulnerability testing. We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks and how deterministic security fills the need for detecting them. The video covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, giving very specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications: include RASP, and check out K2’s application workload security.