Six months ago, NIST (the National Institute of Standards and Technology) released a new version of its security and privacy framework, which had last been updated seven years earlier. The new document was released as NIST SP800-53 Revision 5. If you missed this update, you're not alone: many of the organizations we have talked to were unaware of it. The six-month mark is significant because NIST sets the frameworks that U.S. Federal government organizations are required to follow, and they are expected to comply within a year of the document's release. That means if you're one of the government organizations that needs to adhere to SP800-53, or one of the enterprises working with the federal government, you have six months left to get into compliance or request a waiver.
RASP and IAST added to Security Framework
The big change for application security in this latest revision of the security and privacy framework is the addition of RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). It is the first time these two advancements in application security have been recognized in this way, by being required as part of the security framework.
When Must Government Agencies Be in Compliance?
Now that SP800-53 Revision 5 has been released in its final form, those with systems in the federal government and those enterprises that work with the federal government may be wondering when they need to be in compliance with the new security framework.
The answer is found in a publication from the Office of Management and Budget (OMB), specifically Circular A-130. The requirement is that legacy systems have one year from the date of publication to be in compliance, while systems in development are required to be in compliance upon deployment. The exact text from A-130 is below:
For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems.
If you are looking for the reference, it is found on p. 53, Appendix I-16, 5.a.
It’s Time to Start Looking at RASP and IAST
With six months left until the one year mark from the date of publication, it’s time to start looking at RASP and IAST for your organization’s application security needs.
Here at K2 Cyber Security, we'd like to help out with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation and verifies that the API calls are functioning the way the code intended. It makes no use of prior knowledge about an attack or the underlying vulnerability, which gives our approach the ability to detect genuinely new zero-day attacks. Our technology has 8 patents granted/pending, and has no false alerts.
K2's technology can also be used with DAST tools to provide IAST results during penetration and vulnerability testing. We've also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today's security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks and how deterministic security fills the need for detecting them. It covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, giving very specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications: include RASP, and check out K2's application workload security.