waratek overview 2016
TRANSCRIPT
© Copyright 2016 Waratek Ltd
Can you improve your application availability and provide accurate, fast remediation of security vulnerabilities?
“More Secure Application Coding” Cannot Solve the Problem!
• We can’t rely on developers to write secure code
• Even if they do write perfect, secure code, YOUR developers are only responsible for < 20% of the code that you actually run
• Large enterprises can identify far more vulnerabilities than they can actually fix. Tens of Thousands of vulnerabilities reported by SAST/DAST is not atypical in a large enterprise
• Patching and updating everything is often wholly unrealistic
Runtime Application Self-Protection (RASP)
“Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority.” (Stop Protecting Your Apps; It's Time for Them to Protect Themselves, September 2014)
Runtime Application Self-Protection (RASP)
“We need to look at new technologies which enable applications to defend themselves, known as Runtime Application Self Protection.” “Investment in RASP should be prioritized over the $12bn per annum spent on WAF, NGFW, IPS.”
Runtime Application Self Protection
Gartner rate RASP as transformational and place it at the top of their priority matrix.
Priority Matrix for Application Security (rows: benefit rating; columns: years to mainstream adoption, less than 2 years / 2 to 5 years / 5 to 10 years / more than 10 years; the column position of each entry is not recoverable from this transcript)
transformational: Runtime Application Self-Protection
high: Dynamic Application Security Testing; Fraud Detection; Mobile Data Protection for Workstations; Static Application Security Testing; Static Data Masking; Application Security as a Service; Cloud Access Security Brokers; Database Audit and Protection; Interactive Application Security Testing; Mediated APIs; Mobile Application Security Testing; SOA Testing; User and Entity Behavior Analytics; DevSecOps
moderate: Application Control; Enterprise Mobile App Stores; SIEM; Tokenization; Application Obfuscation; Application Security Professional Services; Application Shielding; Dynamic Data Masking; Mobile Threat Defense; Protected Mobile Browsers; Software Composition Analysis; Web Application Firewalls; Application Vulnerability Correlation; Crowdsourced Security Testing Platforms; Format Preserving Encryption; Mobile Application Hardening
low: (no entries listed)
Source: Gartner Hype Cycle for Application Security, July 2016
Java highest area of concern
SANS State of application security 2015
“… risks arise because these languages are the ones commonly used to build big, feature-rich, business-critical applications with a lot of valuable code, especially legacy code written by developers who didn’t understand secure development—code that is exposed to attack.”
Application stack layers (diagram): Custom Business Logic (WARs, EJBs, JARs); 3rd Party Libraries; Servers, Frameworks (JEE); Java APIs (JRE)
Most application code (> 80%) comes from outside the enterprise with known and unknown flaws
Waratek RASP protects all layers of the application stack
• Waratek provides Runtime Application Self-Protection technology for Java applications built on top of the Oracle JVM
• A Java Container is a protected in-JVM container with built in application security and quarantine controls
Java RASP Containers
• The Java container separates the vulnerable JRE code (where the insecure Java APIs reside) from the low-level JVM (the JIT compiler and GC)
• Application security controls inserted between the Java Container and the JVM protect and quarantine the Java application
(Diagram: the Vulnerable JRE sits inside the Java RASP Container; the Application Security Controls sit between the container and the Oracle JVM)
Java RASP Containers
• Application vulnerabilities: SQLi, XSS, CSRF, code injection etc.
• Legacy applications and runtimes
• Hardening
• No code changes
• No third-party APIs
• No appliances
• Simple, minimal configuration
• Accurate
• Fast
Implementation & remediation time:
< 30 minutes per App Instance on average
Legacy Java
• Most enterprises have large numbers of applications running on older, legacy Java versions.
• Updating these apps to the current Java edition is often risky, time consuming, and expensive.
(Pie chart: Java versions detected through enterprise endpoints. Categories: Other, Java 3.x, Java 4.x, Java 5.x, Java SE 6, Java SE 7, Java SE 8. Shares shown: 19%, 1%, 5%, 13%, 46%, 10%, 6%; the transcript does not preserve which share belongs to which version.)
Java RASP Containers
• Java RASP Containers provide automatic protection for legacy Java applications:
  • No changes to the application or vulnerable JRE:
    • The application does not see an API change.
    • Deprecated calls still function.
    • Serialized objects still function.
    • The application is still using the API it was first tested against.
  • Overnight compliance for legacy applications:
    • Administration is on an up-to-date SUPPORTED JVM (because the JRE and JVM can now be managed separately).
    • The surrounding infrastructure can be updated.
(Diagram: a Java SE 5 Application with its Java SE 5 JRE runs inside a Java SE 5 Container on a Java SE 7/8 JVM; a Java SE 5 Exploit arriving from the Network meets the App Sec Controls)
Zero false positive SQL Injection
• Java Containers perform runtime data-tainting (“taint-tracking”) without any changes to application code.
• Data-tainting, in real-time, marks as “untrusted” all user-input data to a Java app (like HTTP request parameters).
• When “untrusted” user-input data is passed to an SQL query, tainted syntactic analysis is performed to accurately and reliably detect SQL injection.
• When SQL injection is detected, the Java Container gracefully rejects the unsafe SQL query and the application continues un-exploited.
• Zero code changes
• Zero regex
• Zero tuning
• Zero false positives
• Zero human intervention
Waratek is the industry’s first non-heuristic code injection detection technology!
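The taint-tracking check described on this slide, worked through as an added example in Python; this is not Waratek's code and the slide does not describe how the Java Container implements it. The example assumes one taint flag per character, a small SQL lexer, and the policy that untrusted characters may only ever form literal values: the moment an untrusted character becomes a keyword, operator, quote delimiter or comment, the statement's structure has changed and the query is rejected. No regular expression over the input and no signature is involved, which is what "non-heuristic" means in practice.

```python
import re
from dataclasses import dataclass

# Lexer for a small SQL subset. Alternation order matters: comments are tried
# before the single-character operator class so "--" is not split into two "-".
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')        # single-quoted literal; '' is an escaped quote
  | (?P<comment>--[^\n]*|/\*.*?\*/)   # line or block comment
  | (?P<number>\d+(?:\.\d+)?)         # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)  # keyword or identifier
  | (?P<ws>\s+)
  | (?P<op>[^\sA-Za-z_0-9'])          # any single operator / punctuation character
""", re.VERBOSE | re.DOTALL)


@dataclass
class TaintedString:
    """A string plus one taint flag per character (True = from an untrusted source)."""
    text: str
    taint: list

    def __add__(self, other):
        return TaintedString(self.text + other.text, self.taint + other.taint)


def trusted(s):
    """Text written by the developer, e.g. a query template."""
    return TaintedString(s, [False] * len(s))


def untrusted(s):
    """Text that arrived from outside, e.g. an HTTP request parameter."""
    return TaintedString(s, [True] * len(s))


def detect_sqli(query):
    """Return (is_injection, reason) for a fully built query.

    Policy (assumed for this example): untrusted characters may only appear as
    the body of a string literal (never as either quote delimiter), as a numeric
    literal, or as whitespace. Any untrusted character that becomes part of a
    keyword, identifier, operator or comment changes the syntactic structure of
    the statement and is reported.
    """
    pos = 0
    for m in TOKEN_RE.finditer(query.text):
        if m.start() != pos:
            break  # the lexer skipped an untokenizable character
        pos = m.end()
        flags = query.taint[m.start():m.end()]
        if not any(flags):
            continue  # token is entirely developer-written
        kind = m.lastgroup
        if kind == "string":
            if flags[0] or flags[-1]:
                return True, f"untrusted data supplies a quote delimiter at offset {m.start()}"
            continue
        if kind in ("number", "ws"):
            continue
        return True, f"untrusted data forms {kind} token {m.group()!r} at offset {m.start()}"
    if pos != len(query.text):
        return True, f"query cannot be tokenized at offset {pos}"
    return False, "untrusted data confined to literal values"


def sample_results():
    """Constructed sample queries, built the way a servlet would concatenate them."""
    def name_query(value):
        return trusted("SELECT * FROM users WHERE name = '") + value + trusted("'")

    def id_query(value):
        return trusted("SELECT * FROM users WHERE id = ") + value

    cases = {
        "plain name": name_query(untrusted("alice")),
        "escaped quote in name": name_query(untrusted("O''Brien")),
        "quote breakout": name_query(untrusted("alice' OR '1'='1")),
        "numeric id": id_query(untrusted("42")),
        "boolean tautology": id_query(untrusted("42 OR 1=1")),
        "stacked statement": id_query(untrusted("42; SELECT 1")),
    }
    return {label: detect_sqli(q) for label, q in cases.items()}


if __name__ == "__main__":
    for label, (hit, reason) in sample_results().items():
        print(f"{label:24s} {'INJECTION' if hit else 'ok':9s} {reason}")
```

The "escaped quote in name" case is the one that matters for the zero-false-positive claim: an apostrophe the application has correctly doubled stays inside the literal body, so a legitimate surname is not rejected, while an apostrophe that closes the literal is caught because the closing delimiter carries a taint flag.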
SQL Injection rule
# Example file rules
file:read:/etc/:deny:warn
file:read:/etc/passwd:allow:warn
file:exec:*:deny:warn

# Example network rules
network:connect:www.google.com::deny:warn
network:accept:localhost::deny:warn

# SQL injection mitigation for Oracle PL/SQL
sqli:database:oracle:deny:warn
Zero Regex
Zero tuning
Zero false positives
Zero human intervention
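A parser and evaluator for the rule format shown above, added here as an example and not Waratek's own code. The field layout is read off the sample lines (file and sqli rules have five colon-separated fields, network rules six, with an empty port field); the matching semantics are assumptions not documented on the slide: the most specific matching target wins, so the /etc/passwd allow overrides the /etc/ deny, `*` matches anything and is least specific, an empty network port means any port, and an operation no rule covers is allowed.

```python
from dataclasses import dataclass

# The rule file from the slide, reproduced as constructed sample input.
RULES_TEXT = """\
# Example file rules
file:read:/etc/:deny:warn
file:read:/etc/passwd:allow:warn
file:exec:*:deny:warn

# Example network rules
network:connect:www.google.com::deny:warn
network:accept:localhost::deny:warn

# SQL injection mitigation for Oracle PL/SQL
sqli:database:oracle:deny:warn
"""


@dataclass(frozen=True)
class Rule:
    category: str   # file, network or sqli
    operation: str  # read / exec / connect / accept / database
    target: str     # path, host name or SQL dialect; '*' matches anything
    port: str       # network rules only; '' taken to mean any port (assumption)
    verdict: str    # allow or deny
    severity: str   # log level attached to the event, e.g. warn


def parse_rules(text):
    """Parse colon-separated rule lines; blank lines and '#' comments are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == "network" and len(fields) == 6:
            category, operation, target, port, verdict, severity = fields
        elif fields[0] in ("file", "sqli") and len(fields) == 5:
            category, operation, target, verdict, severity = fields
            port = ""
        else:
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
        if verdict not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: verdict must be allow or deny, got {verdict!r}")
        rules.append(Rule(category, operation, target, port, verdict, severity))
    return rules


def _matches(rule, category, operation, target, port):
    if rule.category != category or rule.operation != operation:
        return False
    if rule.port and rule.port != port:
        return False
    if rule.target == "*":
        return True
    if category == "file" and rule.target.endswith("/"):
        return target.startswith(rule.target)  # a directory rule covers everything below it
    return rule.target == target


def decide(rules, category, operation, target, port=""):
    """Return (verdict, matching_rule) for an attempted operation.

    Assumed semantics: the most specific (longest target) matching rule wins,
    '*' is the least specific, and with no matching rule the operation is allowed.
    """
    best = None
    for rule in rules:
        if _matches(rule, category, operation, target, port):
            specificity = -1 if rule.target == "*" else len(rule.target)
            if best is None or specificity > best[0]:
                best = (specificity, rule)
    if best is None:
        return "allow", None
    return best[1].verdict, best[1]


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    attempts = [
        ("file", "read", "/etc/hosts"),
        ("file", "read", "/etc/passwd"),
        ("file", "exec", "/bin/sh"),
        ("network", "connect", "www.google.com", "443"),
        ("network", "connect", "example.org", "443"),
        ("sqli", "database", "oracle"),
    ]
    for args in attempts:
        verdict, rule = decide(RULES, *args)
        print(f"{str(args):55s} -> {verdict:5s} (rule: {rule})")
```

Note that the sqli rule carries no target beyond the dialect: the decision of whether a particular query is an injection is made by the taint analysis, and the rule only says what to do (deny) and how loudly to log (warn) when that analysis fires.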
How We’re Different
• Waratek is the only RASP product based on virtualization technology and the only technology that can protect legacy Java workloads to achieve equivalent protection to critical patch updates
• Virtualization allows us to create a “secure container” that encapsulates ALL layers of the Java application stack
• Only RASP solution deployed at scale rather than on individual apps
• Competitors use “filter” or “instrumentation” approaches that have significant deficiencies:
  • Prone to the same lack of accuracy as Web Application Firewalls
  • Impacts performance
  • Offers some protection at the business logic level ONLY
  • Filters/agents are potentially susceptible to direct exploitation
Waratek RASP Differentiation
• No code changes, no third party APIs, no appliances
• Entirely in process
• Visibility of entire application stack including JRE APIs, components, app servers
• Non-heuristic remediation for SQLi, i.e. no regex tuning and no signatures required
• JRE and JVM lockdown
• Legacy Java hardening
• Virtual patching with no down time or interruption of service
• Re-host old/unsupported JREs on up-to-date JVMs transparently
• No user-discernible performance impact
Protection Without Compromise
Benefits                                                              Current Approach   Waratek
Defends Against Attacks in Business Logic                             ✔                  ✔
Defends Against Attacks in Full Software Stack                                           ✔
Protects Vulnerable Legacy Java Applications without Code Changes                        ✔
Zero False Positives                                                                     ✔
No Application Code Changes Required                                                     ✔
No Prior Knowledge of Application Behavior Required                                      ✔
No Additional Servers, Sensors or Other Hardware Devices                                 ✔
Detailed Application Level Forensic Data                                                 ✔
No Capital Expenditure Required                                                          ✔
Waratek History
Developed a new category of application security based on containerization – Runtime Application Self-Protection (RASP)
Founded as a technology research organization in 2002; Commercial security product released in 2014
60 global patents; 39 in the US
Dublin & Atlanta Headquarters
30 employees globally