The National Institute of Standards and Technology (NIST) released Revision 5 of the SP800-53 Security and Privacy Framework on September 23, 2020. It is an important update, since SP800-53 had not been revised since Revision 4 was released in April 2013. While much of the press coverage of this update has focused on the updated privacy controls, there are two important new additions to the framework in the area of application security that enterprises and Federal government organizations should understand. The two new security items added to the framework are:
- SI-7 Software, Firmware and Information Integrity – Section 17: Runtime Application Self-Protection
- SA-11 Developer Testing and Evaluation – Section 9: Interactive Application Security Testing.
As indicated by the abstract, “this publication provides security and privacy control baselines for the Federal Government.” In addition, it is estimated that anywhere from 30 to 50 percent of enterprises also use this framework for their security architecture. NIST calls this an historic update to its security and privacy controls catalog.
These two updates give a new boost to the importance of application security. They add references to, and a requirement for, interactive application security testing (IAST) and runtime application self-protection (RASP) tools. With these updates, application security gets new focus as part of the mainstream NIST framework, which should help developers catch security flaws before an application is launched. If you are wondering how this new framework might affect you or your organization, here is a recommendation from a recent article in the National Law Review:
Putting it Into Practice: Federal contractors should pay close attention to these guidelines as these new security and privacy baselines will be applied to any federal information system used or operated by a contractor on behalf of an agency, or another organization on behalf of an agency. Companies in the private sector should pay attention as well, as NIST guidance is often used as a basis for industry standards in security and privacy.
In this document we will be focusing on the Runtime Application Self-Protection (RASP) requirement.
When Must Government Agencies Be in Compliance?
Now that SP800-53 Revision 5 has been released in its final form, those with systems in the federal government and those enterprises that work with the federal government may be wondering when they need to be in compliance with the new security framework.
The answer is found in a publication from the Office of Management and Budget (OMB), specifically Circular A-130. The requirement is that legacy systems have one year from the date of publication to be in compliance, while systems in development are required to be in compliance upon deployment. The exact text from A-130 is below:
For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems.
If you are looking for the reference, it is found on p. 53, Appendix I-16, 5.a.
What is Runtime Application Self-Protection?
Runtime Application Self-Protection, or RASP, was first introduced in 2012 as a security category by Gartner, but did not gain attention until 2014, during the Gartner Security and Risk Management Summit. The product category RASP describes products that run directly on the server and protect the applications running on that same server. RASP is typically treated as a subcategory of the broader category known as Application Security.
If you are not familiar with RASP, it is not a new concept. A RASP solution sits on the same server as the application. RASP provides continuous security for the application during runtime to protect vulnerabilities in the application from being exploited by attacks. By residing on the server, a RASP solution has complete visibility into the application, can analyze the application’s execution for better validation, and can understand the context of the application’s interactions. RASP solutions benefit from being close to the application in a way that network perimeter security solutions cannot.
RASP solutions have improved significantly over time, and some of the latest RASP solutions implement security technologies that are more efficient, have minimal impact on applications, and are more effective at zero day attack detection. Beyond zero day attack detection and protection, there are a number of features that RASP solutions have evolved to provide. The list of features required for application security in a typical RASP includes:
- Protection for the OWASP Top 10 Web Application Security Risks
- Memory-based Attack Protection
- Zero Day Attack Protection
- Realtime Attack Blocking
The OWASP Top 10 remains a primary concern of application security professionals. Even though the list of top 10 risks has been around since 2003, many of its items have stayed on the list through every revision, up to the current version published most recently in 2019. For example, two types of vulnerabilities that have been on the OWASP Top 10 since its inception and still remain considerable concerns for organizations are Cross Site Scripting and SQL Injection.
Memory-based attacks, on the other hand, have been growing over time into a significant concern, and the number of memory-based attacks has increased to the point that they now exceed malware-based attacks. Zero day attacks have also been increasing over time, and they remain among the more difficult attacks to detect, resulting in the many breaches we continue to see in the news.
RASP solutions are ideally located to protect against these risks and attacks. By residing on the server, RASPs also serve as the last line of defense for these attacks.
Why RASP and Network Security are Both Required
Another reason RASP has not made as much headway as one would expect is the mistaken belief that a Web Application Firewall (WAF) provides the necessary security for applications. While WAFs have been around in their current form since around 2002, they function as a network perimeter security solution, and they have failed to meet the security needs around many of the issues that applications face in today’s threat landscape. With RASP’s code level visibility into the application and its ability to analyze all the activity related to the application to accurately identify when an attack occurs, RASPs can detect attacks where WAFs fail. Unlike WAFs, which only see the traffic coming to and from the server, a RASP can see what is happening inside the application and determine whether there is inappropriate use of the application itself. RASP is really the first security category to offer self protection for the application.
RASP solutions like the one from K2 Cyber Security offer significant application protection while at the same time using minimal resources and adding negligible latency to an application. The K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero day attack. Deterministic security results in the detection of sophisticated zero day attacks and also protects the application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number in the code being attacked, while at the same time integrating with leading firewalls to do real time attacker blocking.
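To make the in-process idea behind RASP concrete, here is an added sketch that is not K2’s code and not taken from this page: a hook wrapped around the application’s database call sees the final SQL string together with the untrusted inputs that went into it, checks that each input stayed inside a single literal rather than changing the query’s structure, and, when it blocks, records the application file and line that built the query, the kind of telemetry described above. The table, the `lookup_role` function and the tokenizer are constructed for the example.

```python
# Added sketch of the in-process RASP idea, not K2's code; the hook sees the
# final SQL and the untrusted inputs, and knows which application line ran it.
import inspect
import re
import sqlite3

_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")  # literals, words, punctuation

def untrusted_spans_one_token(sql: str, value: str) -> bool:
    """True if every occurrence of value sits inside one string or numeric
    literal (data, not structure). Substring search fails closed on collisions."""
    for m in re.finditer(re.escape(value), sql):
        start, end = m.span()
        inside = False
        for t in _TOKEN.finditer(sql):
            ts, te = t.span()
            if ts <= start and end <= te:  # the whole value sits in token t
                inside = t.group().startswith("'") or t.group().isdigit()
                break
        if not inside:
            return False
    return True

class RaspSqlHook:
    """Wraps cursor.execute: blocks structure-changing input and records the
    code location of the vulnerable call as attack telemetry."""
    def __init__(self):
        self.events = []

    def execute(self, cursor, sql, untrusted):
        bad = [v for v in untrusted if v and not untrusted_spans_one_token(sql, v)]
        if bad:
            caller = inspect.stack()[1]  # the application frame that built sql
            self.events.append({"file": caller.filename, "line": caller.lineno, "sql": sql, "input": bad})
            raise PermissionError(f"blocked at {caller.filename}:{caller.lineno}")
        return cursor.execute(sql)

def lookup_role(name: str):
    """Constructed app code with a string-built query; returns the outcome."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    hook = RaspSqlHook()
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    try:
        rows = hook.execute(conn.cursor(), sql, [name]).fetchall()
        return "allowed", [r[0] for r in rows], hook.events
    except PermissionError:
        return "blocked", [], hook.events
```

A production RASP tracks taint by character position through the runtime rather than searching for the value as this sketch does, which is what lets it avoid false positives when an input happens to match a keyword or identifier.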
K2 can protect the application using real-time blocking of the attacker, and can also integrate with leading firewalls, like the SRX family of firewalls from Juniper to block attackers at the network edge. The integrated solution provides a complete defense-in-depth security solution for Juniper environments.
Using K2 as a RASP, you will find and protect vulnerabilities in deployed applications and meet the needs of the NIST requirements for runtime protection for applications.