Immunio’s App-Security Tool for Secure Development
Application security startup Immunio has announced general availability of its application-security-as-a-service solution, designed to detect and thwart attacks in real time.
Gartner originally dubbed this market segment Runtime Application Self-Protection (RASP).
In a report for Aberdeen Group, analyst Derek Brink calls RASP an emerging category that enterprises should consider as their application portfolios grow ever more complex and unwieldy.
“Today’s security model has been to find bugs quickly and fix bugs quickly. And neither of these things really does happen quickly,” says Zaid Al Hamami, co-founder and CEO at Immunio.
Finding bugs takes a long time and most organizations have a backlog for fixing bugs.
The Immunio library provides the ability to build security into the application itself with no lock-in and no code integration. It offers active protection, real-time visibility into attempted attacks and easy installation, according to the company.
“It doesn’t require any security experts to deploy it or use it – any developer or DevOps person on the team can deploy and manage it moving forward,” he said.
“Actual protection takes place inside your application at runtime, without anything leaving your site,” he said. The only information shipped to the cloud is metadata for a dashboard.
After about eight months in beta, Al Hamami pointed to a couple of lessons:
“We learned that virtually every application on the Internet is under attack. If you’re a security property, you’re under attack every single day. If you can’t answer those questions – Am I under attack? By whom? How sophisticated are they? – then there’s a big blind spot in how you’re managing your web applications,” he said.
While network- and server-monitoring tools are relatively mature, monitoring for the application layer lacks that same level of maturity, he says.
Another problem is that organizations may know about vulnerabilities in their apps, but not be able to fix them.
“One [customer] had about seven apps on the Web serving traffic that were running old, known vulnerable versions of a framework, but doing the work to upgrade those frameworks takes months. Prior to Immunio, their options were to accept the risk and not do anything about it or spend the money to do the work required, which will take months and derail work on our main business objective. Immunio’s value there was to remove the risk immediately – not necessarily by fixing the bugs, but eliminating the exploitation possibility from those apps,” he said.
Immunio works by placing sensors inside the application that raise alerts when the app is being targeted. If your code has an SQL injection vulnerability, for instance, Immunio learns what the SQL statement normally looks like and can then detect anomalous requests that show signs of SQL injection. The offending SQL query is prevented from reaching your database, and Immunio starts reporting on the attacker’s activities.
It can detect SQL injection, cross-site scripting and remote command execution attacks, as well as others, according to the company.
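A simplified sketch of the "learn what the statement normally looks like, then flag the anomaly" idea described above. This is an added example, not Immunio's code or algorithm; `skeleton`, `QueryMonitor`, the call-site name and the sample queries are all constructed for illustration.

```python
import re

# Literals and comments are matched first so they collapse to one token each.
_TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')
  | (?P<num>\b\d+(?:\.\d+)?\b)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op>\S)
""", re.X | re.S)

def skeleton(sql):
    """Reduce a statement to its structure: literal values become '?'."""
    out = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind in ("str", "num"):
            out.append("?")
        elif kind == "comment":
            out.append("<comment>")
        elif kind == "word":
            out.append(m.group().upper())
        else:
            out.append(m.group())
    return " ".join(out)

class QueryMonitor:
    """Learns the skeletons seen at each call site, then enforces them."""
    def __init__(self):
        self.known = {}
        self.learning = True

    def allow(self, site, sql):
        shapes = self.known.setdefault(site, set())
        shape = skeleton(sql)
        if self.learning:
            shapes.add(shape)
            return True
        return shape in shapes  # False: structure changed, do not execute

def build_query(name):
    # Constructed, deliberately unsafe string concatenation (the bug being shielded).
    return "SELECT id, email FROM users WHERE name = '" + name + "'"

def demo():
    mon = QueryMonitor()
    for name in ("alice", "bob"):            # constructed baseline traffic
        mon.allow("users.by_name", build_query(name))
    mon.learning = False
    benign = mon.allow("users.by_name", build_query("carol"))
    tampered = mon.allow("users.by_name", build_query("x' OR '1'='1"))
    return benign, tampered

if __name__ == "__main__":
    print(demo())
```

A baseline like this only knows the statement shapes it saw while learning, so a legitimate query shape that first appears in production would be blocked as well.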
So far, Immunio supports Ruby on Rails, Python and Java, and plans to add PHP, .NET and Node.js later on, Al Hamami said. It’s offering the service as a free trial.
Based in Montreal, Immunio was founded in 2013 and has raised $2.7 million in funding. It emerged from stealth in April. Venture Beat recently named it among 14 of the most promising seed-stage enterprise startups.
However, RASP solutions can come with unintended consequences, Mark Carrizosa, vice president of application security vendor Soha Systems, says in a piece at Channel World.
Among them, he says: developers can let secure coding best practices slide while trying to meet crucial deadlines, thinking the RASP technology will catch problems; stopping attacks could lead to downtime that could have a serious impact on SLAs and result in lost revenue; and the technology could add to an application’s latency.
Immunio’s RASP offering is similar in concept to that of Prevoty and HP’s Application Defender, but is focused only on Ruby on Rails and Python applications, points out Stephen de Vries, founder and CTO of Continuum Security, a company based in Spain that offers its own application security technology.
“The ease of use and installation will be attractive selling points compared to more traditional web application firewalls, which are usually external devices and can be complex to maintain, especially [for] applications that undergo frequent code changes,” he told The New Stack.
Immunio’s product would be an attractive option for development teams that do not already have a mature approach to secure development as it can help to prevent some classes of vulnerability from being exploited, he said.
“As with all RASP products, it is effective for only about five out of the 10 classes of vulnerabilities listed in the current OWASP (Open Web Application Security Project) Top Ten list, so it should definitely not be regarded as a panacea to all security problems,” he said.
As with other RASP technologies, it’s designed to be run in production, so one of the unanswered questions is how much of a performance impact the embedded sensors have, he said.
“But as a complementary tool for time-strapped development teams, it could prove quite effective against injection and cross-site scripting vulnerabilities, which still plague many applications today.”