September 19, 2020 Timothy Chiu, VP of Marketing
NIST SP 800-53 Gets One Step Closer to Becoming a Standard


We wrote earlier this year about the NIST (National Institute of Standards and Technology) draft revision 5 of SP 800-53 and its inclusion of both RASP and IAST as requirements for the Application Security Framework. Draft 5 of SP 800-53 closed its comment period back in May. SP 800-53B was released shortly afterwards, in July of 2020, and its own comment period has just closed on September 11, 2020, moving SP 800-53B one step closer to becoming a standard.

As indicated by the abstract, “this publication provides security and privacy control baselines for the Federal Government.” In addition, it is estimated that anywhere from 30 to 50 percent of enterprises also use this framework as the basis for their security architecture.

Carried over into the latest draft of SP 800-53B are 2 new inclusions that have found a home in the NIST standard:

  • SI-7(17), which addresses a need for Runtime Application Self-Protection (RASP)
  • SA-11(9), including a requirement for Interactive Application Security Testing (IAST)

These 2 updates give a new boost to the importance of application security: they add explicit references to the inclusion of, and need for, interactive application security testing (IAST) and runtime application self-protection (RASP) tools.

With these updates, application security gets new focus as part of the mainstream NIST framework and should help developers catch security flaws before an application is launched.

If you’re wondering how this new framework might affect you or your organization, here’s a recommendation from a recent article in the National Law Review:

Putting it Into Practice: Federal contractors should pay close attention to these guidelines as these new security and privacy baselines will be applied to any federal information system used or operated by a contractor on behalf of an agency, or another organization on behalf of an agency. Companies in the private sector should pay attention as well, as NIST guidance is often used as a basis for industry standards in security and privacy.

If you’re not familiar with RASP, K2 recently published a blog titled “What is RASP? and Why Should You Care?,” where you can find detailed information on how RASP can enhance your application security framework. We haven’t tackled the topic of IAST in this particular blog article, but look for one coming soon as part of K2’s educational blog series.

RASP solutions like the one from K2 Cyber Security offer significant application protection while using minimal resources and adding negligible latency to an application. The K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution. Because it validates the application’s own control flows, deterministic security is based on the application itself rather than on knowledge of past attacks to detect a zero day attack. Deterministic security results in the detection of sophisticated zero day attacks and also protects the application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.

K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without relying on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number under attack, while integrating with leading firewalls to block attackers in real time.
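To make the distinction the two paragraphs above draw concrete, here is an added toy example (not K2's code and not part of the original post) of a RASP-style hook in Python: it learns the structural shape of the SQL an application builds at one call site and rejects any statement whose structure deviates, catching a payload that a signature list has never seen. The call-site label, query template and inputs are constructed for the demo.

```python
import re
# Toy RASP-style "deterministic" check (added example, not K2's code): learn the
# structural shape of the SQL an application builds at a call site, then refuse
# any statement whose shape deviates, regardless of whether the payload is known.
# Call-site label, template and inputs below are constructed for the demo.

_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")
_KEYWORDS = {"select", "from", "where", "and", "or", "union", "drop", "order", "by"}
_SIGNATURES = ("1=1", "union select", "--")   # blocklist kept only for contrast

def query_shape(sql):
    """Keywords and operators are kept; literals and identifiers are abstracted,
    so an injected clause changes the shape even with a never-seen payload."""
    shape = []
    for tok in _TOKEN.findall(sql):
        low = tok.lower()
        if tok.startswith("'"):
            shape.append("STR")
        elif tok.isdigit():
            shape.append("NUM")
        elif low in _KEYWORDS:
            shape.append(low.upper())
        elif tok.isidentifier():
            shape.append("ID")
        else:
            shape.append(tok)           # operators and punctuation as-is
    return tuple(shape)

class DeterministicGuard:
    """Per-call-site baseline learned from the application's own benign queries."""
    def __init__(self):
        self.baseline = {}
    def learn(self, site, sql):
        self.baseline[site] = query_shape(sql)
    def allow(self, site, sql):
        return query_shape(sql) == self.baseline[site]

def signature_allows(sql):
    # Signature approach: only catches payloads already on the list.
    return not any(sig in sql.lower() for sig in _SIGNATURES)

SITE = "orders.get_by_id"                          # constructed call-site label
TEMPLATE = "SELECT total FROM orders WHERE id = {}"

def demo():
    guard = DeterministicGuard()
    guard.learn(SITE, TEMPLATE.format(42))         # baseline from a benign run
    novel = TEMPLATE.format("7 OR 2>1")            # not on the signature list
    return {"benign_ok": guard.allow(SITE, TEMPLATE.format(17)),
            "signature_catches_novel": not signature_allows(novel),
            "deterministic_catches_novel": not guard.allow(SITE, novel)}
```

A real RASP agent applies the same idea to the application's control flow and to other sinks (HTML output for XSS, command execution), not just to one SQL call site.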

Change how you develop and protect your applications.

Find out more about K2 today by requesting a demo, or get your free trial.


K2 Cyber Security delivers the Next Generation Application Security Platform to secure web applications and container workloads against sophisticated attacks in OWASP Top 10 and provides exploitable vulnerability detection during pre-production. K2’s Platform is deployed on production servers for runtime protection of applications and on pen-testing/pre-production/QA servers for interactive application security testing to identify the location of the vulnerable code. K2’s solution generates almost no false positives, eliminates breaches due to zero-day attacks, detects attacks missed by traditional security tools like Web Application Firewalls and host based EDR, finds missed exploitable vulnerabilities and dramatically reduces security cost. K2 Cyber Security is headquartered in the USA and provides cyber security solutions globally.


K2 Cyber Security, Inc.

2580 N. First Street, #130

San Jose, CA 95131