Run-Time Application Security Protection and Monitoring

For the longest time, application security implied scanning. That is, the field was comprised of code and application tools for static analysis security testing (SAST) and dynamic analysis security testing (DAST). Certainly, the benefits of scanning an application for evidence of vulnerabilities are obvious, and many CISO teams continue to include SAST and DAST in their arsenal. But more recently, the security advantages have become clearer for embedding runtime controls into the operating environment of an application. So-called Runtime Application Self-Protection (RASP) controls are now emerging as one of the leading investment areas in enterprise cyber security. One company that is leading the fight to improve application security via a world-class RASP platform is Prevoty. I asked my good friend and colleague Julien Bellanger, co-founder of the company, to share his thoughts on this important area.

EA: Julien, what are the benefits of RASP for enterprise applications?

JB: Run-time application security gives enterprise users instant visibility to their production application security posture, not to mention supporting the automatic remediation of existing application vulnerabilities. RASP can instantly protect legacy software – that is, those with few if any active developers. It also allows organizations to release new applications faster into production, thus speeding up the secure development lifecycle. Because RASP can alert on which portion of application code is being exploited in production, versus potential vulnerabilities in development, staging, or test environments, development teams are freed up to focus on fixing what matters. It makes remediation efforts more targeted and meaningful, saving time and money all around.

EA: If Prevoty’s RASP solution runs on production application servers, doesn’t that impact the performance and stability of applications?

JB: This question of performance and stability should be one of, if not, the primary considerations CISO teams consider when looking at Prevoty, or any other RASP solution. After all, the last thing any security program can afford is a tool that negatively impacts application performance or stability in production. Through its unique LANGSEC technology, both Prevoty’s monitoring and protection capabilities are available with no noticeable impact to the performance of the applications to which Prevoty is attached. We urge readers to explore LANGSEC further to understand how this is feasible. Information is available on our Website.

EA: Do you see compliance auditors and regulatory officials becoming more in tune with the benefits of runtime application controls?

JB: Most of our early customers are large financial and commerce enterprises with Web-facing presences and are consequently subject to compliance pressure. Their auditors view RASP as a compensating control for application security risks. We continuously hear regulatory officials asking enterprises, including our customers, to develop and implement actual controls instead of just checking the compliance box. At Prevoty, we’ve created a product that can integrate with existing vulnerability solutions like dynamic scanners. We’ve also built integrations with SIEMs that allow auditors and risk management teams to review real-time attack data.

EA: How hard is it for enterprise CISO teams to deploy runtime security? Do they need to fold security libraries into the application code? Or do they run some sort of scaffolding around the application?

JB: Deployment of RASP in production should be completed in hours, rather than days, weeks or months. There are two models for integrating a RASP solution in large-scale organizations: First, SSDLC code insertion can be performed via SDKs and second, the code can be introduced through plugin attachment via agents. With the former, Prevoty provides support for a wide array of languages such as C#, Go, Java, JavaScript, PHP, Python, Ruby, and Rust, that enable developers to bring security controls directly into their business logic. With the latter, Prevoty empowers Ops and DevOps teams to automatically add security to new and existing applications, leveraging continuous integration and deployment processes for Django, Drupal, Express (node.js), Java, .NET, Rails, etc. Ultimately, we are building an application security product that is addressing complex and large-scale environments.

EA: A big problem in application security has been the weaknesses inherent in the runtime environment such as third party software and components. Do application-level runtime controls help protect against these weaknesses, or do they undermine the effectiveness of RASP?

JB: If we follow a conservative threat model, we must assume that all third-party software and components, including open source libraries, are vulnerable by default. Furthermore, software that is secure today could become insecure and legacy in the future. By living in the application runtime, such as the Java Virtual Machine (JVM) or Microsoft’s Common Language Runtime (CLR), a RASP solution can mitigate against attacks that target vulnerable third-party libraries. For example, our RASP product already mitigated the well-documented Java deserialization attacks affecting many organizations in previous years.

EA: How well do RASP controls extend to virtual environments? Would the run time controls sit as part of a micro-segment?

JB: Since Prevoty’s RASP is attached to an application, it travels wherever the application is deployed. This includes local environments, physical staging servers, and ephemeral cloud instances. We also have many customers today that are moving their monolithic application deployments to micro-services. With this transition, they are using new containerization technologies like Docker. Today, Prevoty supports applications that run in virtual machines as well as containers.

EA: With SAST, DAST and other existing technologies, CISOs are assured of identifying a broad set of potential application security issues. How does Prevoty’s coverage compare?

JB: Recent reports from Verizon and Gartner conclude that over 90% of today’s application breaches still exploit SQL injection, cross-site scripting, and cross-site request forgery. So, while Prevoty focuses time and attention on these attacks, we are also aggressively improving our coverage model. Our software covers eight of the OWASP Top 10 categories, in addition to covering numerous other attack vectors. All of this is included while our engineers balance the top requirement of ensuring no negative impact on the application’s performance.

EA: Where does Prevoty fit within existing enterprise application security programs?

JB: For less mature programs, Prevoty’s runtime application security monitoring and protection capabilities can serve as a primary control, providing both detective and preventative measures. For the most mature programs, Prevoty can act as the last line of defense, and can be viewed as additive to a mature program’s pen testing, SAST, DAST, and WAF capabilities. There are many gaps Prevoty can fill for those application security programs between the two ends of the maturity model.

LikeRun-Time Application Security Protection and Monitoring

Comment

ShareShare Run-Time Application Security Protection and Monitoring