Shielding Apps

During a global pandemic, it’s hard not to think of shields. The one I wear to the grocery store is made of cloth and weighs an ounce or so. Soldiers in the early days of Rome were not so lucky. Their convex-surfaced scuta (scudo is the Italian word for shield) were as heavy as a bowling ball, and required discipline and training to use properly. I’d look silly with one at Shop-Rite. (Luckily, Caesar did not politicize the use of the scutum.)

As one might expect, shielding is a good metaphor for much of what we do in cyber security. Any time one device serves as a protective barrier for some other valued asset, we can say that shielding is being done. It’s fun to imagine that if Bill Cheswick, Marcus Ranum, Nir Zuk, and other pioneers had been more avid readers of Roman history, then perhaps Palo Alto Networks would be marketing next-generation shields today.

So, when my longtime friend Jim Carrigan (formerly with Verizon and also AT&T) called to tell me that he’d recently joined a New Zealand outfit that specialized in application shields, I was interested to hear more. A Zoom session was set up and I soon found myself chatting with Andy Prow, co-founder and CEO of RedShield. The approach certainly appeared both interesting and sound, so let me try to summarize what I learned.

“Our goal has been to help enterprise customers shield their web application and API vulnerabilities without having to go in and make changes to the code,” explained Prow. “This requires that we integrate security protections that stop exploits from hackers without impeding normal transactions from authorized customers. This is done through a full suite of protective controls and actions.”

The RedShield solution combines several related strategies to achieve strong application security. First, customers are guided through a process to fix as many known issues as possible, clearing those application vulnerabilities from their list. “Our goal is to correct application behavior, but this works best if we help first remove the hundreds of known vulnerabilities from an organization’s official Risk Register,” Prow explained.

The second step involves integration of shields, which are implemented as software objects inserted in front of an application. When asked whether this was essentially a web application firewall (WAF), Prow introduced a clear distinction: “Certainly, we can be used where a managed WAF is required,” he said, “but our process for writing customer-specific and off-the-shelf shields is unique.

“Using our fat-proxy architecture, we implement shields in code, which lets us target vulnerability remediation with zero false positives, even with complex enterprise apps, third-party apps and APIs, and legacy systems. It is this architecture and our shields as code that lets us tackle business logic flaws, authentication issues, and both role-based and data authorization flaws. Our shields also modernize an app’s security posture by calling third-party APIs, such as to check for stolen passwords or the use of fraudulent credit cards.”
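To make the “shields as code in front of an unchanged app” idea concrete, here is an added example written for this post; it is not RedShield’s code and says nothing about how their proxy is built. A hypothetical legacy backend returns any invoice to any caller (a data authorization flaw), and a WSGI middleware standing in for the fat proxy runs two coded shields before the request reaches it: one enforces object-level ownership, the other rejects logins that use a password from a constructed breach list. The app, routes, session store, invoice data and breach corpus are all invented for illustration; a real deployment would query an external breach-check service rather than hold a list.

```python
import hashlib
import io
import re
from urllib.parse import parse_qs

# --- Constructed "legacy" backend (hypothetical; stands in for an app whose code
# --- cannot be changed). It returns any invoice to any caller: a classic IDOR.
INVOICE_DATA = {"1001": "invoice 1001 (alice)", "1002": "invoice 1002 (bob)"}
INVOICE_OWNER = {"1001": "alice", "1002": "bob"}   # ownership facts the shield keeps

def legacy_app(environ, start_response):
    path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
    if path == "/login" and method == "POST":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"login accepted"]
    m = re.fullmatch(r"/invoices/(\d+)", path)
    if m and m.group(1) in INVOICE_DATA:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [INVOICE_DATA[m.group(1)].encode()]   # no ownership check here
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

# --- Session lookup the proxy performs itself (constructed session store).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

def user_from_cookie(environ):
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None

def read_body(environ):
    """Buffer the request body and re-arm wsgi.input so the backend can still read it."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length)
    environ["wsgi.input"] = io.BytesIO(body)
    return body

# --- Shields as code: each returns None to allow, or a reason string to block.
def invoice_ownership_shield(environ, user):
    """Object-level (data) authorization the backend does not enforce."""
    m = re.fullmatch(r"/invoices/(\d+)", environ.get("PATH_INFO", ""))
    if not m:
        return None                      # rule does not apply to this route
    owner = INVOICE_OWNER.get(m.group(1))
    if owner is None:
        return None                      # unknown id: let the backend 404 as usual
    if user != owner:
        return "object-level authorization: invoice not owned by caller"
    return None

# Constructed breach corpus. SHA-1 is used only because breach-check services key on it;
# a real shield would query such a service (e.g. by hash-prefix range) instead of a list.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "letmein")}

def breached_password_shield(environ, user):
    """Credential-hygiene check on the login form before it reaches the app."""
    if (environ.get("PATH_INFO"), environ.get("REQUEST_METHOD")) != ("/login", "POST"):
        return None
    form = parse_qs(read_body(environ).decode("utf-8", "replace"))
    password = form.get("password", [""])[0]
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        return "credential hygiene: password appears in breach corpus"
    return None

class Shield:
    """WSGI middleware standing in for the fat proxy: run each shield, then the app."""
    def __init__(self, app, shields, get_user):
        self.app, self.shields, self.get_user = app, shields, get_user

    def __call__(self, environ, start_response):
        user = self.get_user(environ)
        for rule in self.shields:
            reason = rule(environ, user)
            if reason:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [f"blocked by shield: {reason}".encode()]
        return self.app(environ, start_response)

shielded_app = Shield(legacy_app, [invoice_ownership_shield, breached_password_shield],
                      user_from_cookie)

def call(app, method, path, cookie="", body=b""):
    """Drive a WSGI app without a socket; returns (status line, body text)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    text = b"".join(app(environ, start_response)).decode()
    return captured["status"], text

if __name__ == "__main__":
    print(call(legacy_app, "GET", "/invoices/1002", cookie="sid=sess-alice"))    # unshielded: leaks
    print(call(shielded_app, "GET", "/invoices/1002", cookie="sid=sess-alice"))  # shielded: 403
    print(call(shielded_app, "POST", "/login", body=b"user=alice&password=password123"))
```

Two design points matter more than the toy routes. Each shield is scoped to exactly one route and one flaw and returns "not applicable" otherwise, which is what keeps a coded rule from producing the broad false positives a pattern-matching signature would; and the proxy buffers and re-arms the request body so that a shield can inspect a form without starving the backend of it.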

The third step involves 24/7 management and monitoring of the shielded web application environment. This RedShield service provides and supports threat hunting, which is ultimately focused on stopping both human-driven and bot-driven threats. RedShield enterprise customers are given visibility into the managed shielding through a custom dashboard.

I asked Carrigan how he intended to address the marketplace as the new head of sales for RedShield, and he explained an interesting new offer: “We are willing to include a strong warranty with our solution that provides customers with assurance that this is really going to work,” he explained. “We decided that a warranty would underscore the kind of high assurance that we know that this platform brings.”

From the perspective of our TAG Cyber analysis, RedShield will obviously be considered by buyers in the context of next-generation WAF solutions – and the RedShield team understands this. We suggested during our meeting that RedShield provide as much technical insight into the development of shields as possible so that enterprise teams doing WAF evaluation can best understand the differences introduced by shields.

We liked RedShield’s concept of combining three steps – namely, establishing a cleared base of existing vulnerabilities, instrumenting shields into the application environment, and then introducing a managed service. Enterprise teams that follow this strict process will almost certainly see reduced false-positive alert rates, and will develop a more robust security environment for their web applications and APIs.

The company, which was founded in New Zealand, looks to have an experienced management team, including the addition of Carrigan. They’ve developed an impressive assortment of partners, including Deloitte, and they work seamlessly across multi-cloud infrastructure, including AWS and Google Cloud. So they look well-positioned to expand their market, especially in the United States.

If you run web applications or APIs and would like to reduce your threat surface, then include RedShield in your review process. Ask for an overview of the shielding process as well as a look at the dashboard. If you’re like me, then you’ll find the discussion useful – and perhaps you might decide this solution is for you. As always, please be sure to share with us your own experiences as you learn more about RedShield.

Stay safe and healthy.