One of the most common issues with security testing of applications is being inundated with vulnerability reports, containing too many vulnerabilities for a typical development team to handle. This includes reports from testing tools like SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).
The problem isn’t just the volume of vulnerabilities, but the difficulty in determining which vulnerabilities are real (as opposed to false positives), which are just informational, which are severe or critical, which actually exist in the application (as opposed to just in a library that’s included but not used by the application), and perhaps most importantly which vulnerabilities are actually exploitable.
What we often hear at K2 Cyber Security is that if an organization had a tool that reported only vulnerabilities with proof of exploitability, supplied a full exploit payload, helped pinpoint the location of the vulnerability in the code, and provided a stack trace for developers, that tool would meet most of their needs for remediating vulnerabilities during pre-production.
We’ve helped organizations find real, critical, exploitable vulnerabilities, provided proof of vulnerability, and helped them prioritize their remediation efforts so their developers make the best use of their time. In case you’re wondering how this is possible, it’s through the use of next-generation application security technology known as Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST). Using the K2 Security Platform’s agent technology during existing DAST and penetration testing provides IAST results to the organization, focusing on critical vulnerabilities with proof of exploitability, the full payload needed to replicate the exploit, and the location of the vulnerability in the code.
Take a Page from NIST to Improve Application Security
Don’t just take our word for it: the National Institute of Standards and Technology (NIST) just finalized its Security and Privacy Framework, SP 800-53, released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST) as added layers of security in the framework. It’s a first in recognizing these two advances in application security by requiring them as part of the security framework.
K2 has previously written about adding a RASP agent to DAST testing to get IAST results from security testing. A RASP solution sits on the same server as the application and provides continuous security for the application at runtime, even while it is under DAST testing. Because it runs alongside the application, a RASP solution has complete visibility into it: it can analyze the application’s execution to validate that the code runs as intended and understand the context of the application’s interactions, which gives RASP the ability to provide details like line-of-code visibility, proof of exploitability, and a full payload to replicate an exploit.
IAST is the other new recommendation for application security coming from the revised NIST draft, and if you haven’t heard of IAST, there’s a good definition available from Optiv:
“IAST is an emerging application security testing approach which combines elements of both of its more established siblings in SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). IAST instruments the application binary which can enable both DAST-like confirmation of exploit success and SAST-like coverage of the application code. In some cases, IAST allows security testing as part of general application testing process which provides significant benefits to DevOps approaches. IAST holds the potential to drive tests with fewer false positives/negatives and higher speed than SAST and DAST.”
With these two new requirements (RASP and IAST) for application security being added to the NIST framework, it’s really time to rethink how your organization is doing application security.
Here at K2 Cyber Security, we’d like to help out with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation and verifies that API calls function the way the code intended. It uses no prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending and has no false alerts.
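As an added example (not K2’s code or product, and not part of the original post), here is a minimal Python sketch of the execution-validation idea behind the RASP/IAST discussion above and the deterministic approach just described: an agent hooks a database sink, checks whether untrusted request input stayed inside a single SQL token (that is, whether it changed the statement the developer wrote), and on a hit records the parameter, the payload, the exact statement and the file, line and function that issued it. The users table, the two lookup functions and the request simulator are constructed for the demonstration.

```python
import re, sqlite3, traceback
from dataclasses import dataclass
# --- Minimal IAST/RASP-style agent (constructed for this example; not K2's product) ---
_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")  # SQL string literals, words, punctuation
FINDINGS = []     # findings reported back to the tester
_UNTRUSTED = {}   # parameters of the request currently being served (treated as untrusted)

@dataclass
class Finding:
    param: str     # request parameter that carried the payload
    payload: str   # full payload needed to replicate the result
    sql: str       # statement exactly as the database received it
    location: str  # file:line:function of the application code that issued it

def _alters_structure(sql, value):
    # Text the code meant as ONE value must stay inside ONE SQL token; spanning several tokens means the input rewrote the statement.
    return value in sql and not any(value in tok for tok in _TOKEN.findall(sql))
def _inspect(sql):
    for param, value in _UNTRUSTED.items():
        if _alters_structure(sql, value):
            f = traceback.extract_stack()[-3]   # skip the agent's own two frames
            FINDINGS.append(Finding(param, value, sql, f"{f.filename}:{f.lineno}:{f.name}"))
class _Conn(sqlite3.Connection):
    def execute(self, sql, *args, **kw):   # instrumented sink; a real agent hooks every sink
        _inspect(sql)
        return super().execute(sql, *args, **kw)

_real_connect = sqlite3.connect
sqlite3.connect = lambda *a, **kw: _real_connect(*a, factory=_Conn, **kw)  # agent installed

# --- Application under test (constructed) ---
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER, name TEXT)")
DB.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")

def lookup_user_vulnerable(name):
    # Builds the statement by concatenation: the defect the agent should pinpoint.
    return DB.execute("SELECT id, name FROM users WHERE name = '" + name + "'").fetchall()
def lookup_user_fixed(name):
    # Bound parameter: the value never becomes part of the SQL text, so it cannot alter it.
    return DB.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()
def serve(handler, **params):
    # One request of the DAST/pen-test run; returns (rows, findings raised by this request).
    _UNTRUSTED.clear(); _UNTRUSTED.update(params)
    before = len(FINDINGS)
    try:
        return handler(**params), FINDINGS[before:]
    finally:
        _UNTRUSTED.clear()
```

A real agent would hook every sink (command execution, file access, deserialization, and cursor-level database calls) rather than one method, but the reporting shape is the point: the finding carries the payload, the statement and the call site the developer needs.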
We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks and how deterministic security fills the need for detecting them. It covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, giving specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications: include RASP, and check out K2’s application workload security.