Applications More Vulnerable
A recent Ponemon Institute report on application security found that 71% of large enterprise-scale organizations felt their applications have become more vulnerable. Respondents indicated that the organizations they work for are struggling with monitoring, detecting and preventing attacks. The report, entitled “Reducing Enterprise Application Security Risks: More Work Needs to Be Done,” suggests that application security is headed in the wrong direction. The survey polled 634 IT and security professionals, and its results were compared with those of a similar survey taken in 2015. Most of the organizations surveyed had over 5,000 employees.
Inability to Monitor and Prevent Attacks at the Application Level
In addition to finding that 71% of organizations reported their application portfolio being more vulnerable than it was a year ago, 63% said they are finding it difficult to reduce the risk to applications because they lack the ability to monitor and prevent attacks at the application level. The Ponemon report confirms that the inability to monitor and prevent attacks at the application level is a problem most organizations have. It is not a surprising problem: as applications have moved to the cloud, visibility into problems at the application level has become even more difficult.
APM and RASP Provide Visibility at the Application Level
This is the problem that Application Performance Monitoring (APM) and Runtime Application Self-Protection (RASP) solutions aim to solve. APM solutions tell you about operational problems with your application, and RASP solutions tell you about security problems. The industry is quickly realizing that both solutions together are needed to ensure the uptime and smooth operation of applications, as indicated by recent announcements around APM and RASP by industry leaders.
Inability for Development and Security Teams to Communicate
The Ponemon report also found that it is common for development and security teams to have little to no communication with each other. The communication gap between development and security teams starts with the data those teams have available to share. Quite often, when a security tool finds a vulnerability and the security team passes it to the development team to get it fixed, there is not much communication because there is not much detail for the security team to share. While a typical security tool may report an attack and its associated vulnerability, most tools provide few details about the vulnerability itself to help a developer address and remediate it quickly.
RASP Can Help Improve Developer and Security Team Communications
This is another area where a RASP solution can help. With the higher visibility provided by RASP solutions, when a vulnerability is discovered, the RASP solution can provide the comprehensive telemetry developers need to find, reproduce and fix vulnerabilities quickly. For example, the RASP solution from K2 Cyber Security, K2 Security Platform, provides significant detail on the vulnerabilities discovered by the platform, including the file name that has the vulnerability, the specific line of code where the vulnerability resides, a full payload to reproduce the attack that triggered the vulnerability, a stack trace, and all the details about the application and application server where the attack took place. With these details, a developer can find, reproduce and fix a vulnerability much more quickly.
NIST also finds Application Security Needs More Attention
The latest revision of NIST SP 800-53 includes additional requirements around application security, including RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). This is the first time the framework has recognized these two advancements in application security by requiring them as part of the security framework.
With these two new requirements (RASP and IAST) for application security being added to the NIST framework, it’s really time to rethink how your organization is doing application security.
Here at K2 Cyber Security, we’d like to help out with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation and verifies that API calls are functioning the way the code intended. No prior knowledge about an attack or the underlying vulnerability is used, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has no false alerts.
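To make the two ideas above concrete (runtime validation that an API call keeps the shape the code intended, and the file/line/payload/stack-trace telemetry a developer needs to reproduce a finding), here is an added toy example; it is not K2's code or any vendor's implementation. The tokenizer, the GuardedCursor hook, the allow-list of intended statement shapes and the sample inputs are all constructed for this illustration, and the hook is placed around a SQLite cursor only because that is easy to run offline.

```python
import re
import sqlite3
import traceback

# Tokenizer for the structural check (quoted strings, numbers, words, punctuation); assumed for this illustration.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def skeleton(sql):
    """Collapse literals to '?' so only the statement's shape remains."""
    return " ".join("?" if (len(t) > 1 and t[0] == "'") or t.isdigit() else t.upper()
                    for t in _TOKEN.findall(sql))

class GuardedCursor:
    """Hook around a DB-API cursor. Each execute() is validated against the
    statement shapes the application code is known to produce; a shape that
    was never intended is blocked and recorded with developer-grade telemetry."""
    def __init__(self, cursor, intended_sql):
        self._c = cursor
        self._intended = {skeleton(s) for s in intended_sql}
        self.events = []   # telemetry records: file, line, payload, stack trace

    def execute(self, sql, params=()):
        observed = skeleton(sql)
        if observed not in self._intended:
            frames = traceback.extract_stack()[:-1]   # drop this hook's own frame
            caller = frames[-1]                        # the call site that built the statement
            self.events.append({
                "file": caller.filename, "line": caller.lineno, "payload": sql,
                "observed": observed, "expected": sorted(self._intended),
                "stack": "".join(traceback.format_list(frames)),
            })
            raise PermissionError(f"blocked: statement shape changed at {caller.filename}:{caller.lineno}")
        return self._c.execute(sql, params)

def lookup_user(cur, name):
    # Deliberately builds SQL by concatenation: the defect the runtime hook catches.
    return cur.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    cur = GuardedCursor(db.cursor(), ["SELECT id FROM users WHERE name = 'x'"])  # constructed allow-list
    allowed = lookup_user(cur, "bob")            # normal input keeps the shape
    try:
        lookup_user(cur, "bob' OR 1=1")          # constructed input that changes it
    except PermissionError:
        pass
    return allowed, cur.events
```

The recorded event carries exactly the fields the paragraph above lists, so a developer can jump to the line in lookup_user and re-run the captured payload without the security team having to explain the finding.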
K2’s technology can also be used with DAST testing tools to provide IAST results during penetration and vulnerability testing. We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks and how deterministic security fills the need for detecting zero-day attacks. The video covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, giving very specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications: include RASP, and check out K2’s application workload security.