Prognosticators say that in 2017, enterprises will continue to shift their security focus from endpoint devices to users and information across all applications and services.
In the increasingly cloud-based, ephemeral microservices architectures, fortress-like perimeter-based strategies no longer work, Redpoint Ventures’ Lenny Pruss has argued previously here. Today’s security paradigm must be application-centric, developer-driven and built from the inside-out, he says.
Runtime application self-protection (RASP), which embeds security protections within the application itself, is one such approach to thwarting attacks and to addressing organizations’ difficulty in mitigating vulnerabilities quickly.
“In the past, application security involved two things: testing, asking developers to test their code pre- and post-production to find vulnerabilities. Today, with the sheer number of developers and code being pushed through faster release processes and Agile development, it becomes almost impossible to test all the pieces of code going into production,” explains Julien Bellanger, co-founder and CEO at Los Angeles-based RASP vendor Prevoty.
The second approach to security involved web application firewalls, which are essentially network appliances looking at traffic.
“These are essentially machines looking at the HTTP requests but have little context about what’s happening within the application. They’re very difficult to maintain, and with the rise of microservices and cloud, it’s very difficult to maintain a web application firewall in front of everything,” he said.
RASP provides a comprehensive view of an application’s logic flow, data flow, and configuration. RASP can be used to block unauthorized attempts to execute shell commands and restrict access to compute resources such as file systems and network sockets.
Prevoty embeds an agent into the application that will analyze everything that’s happening within the application and goes with the application wherever it goes, whether to testing, pre-production or various production environments.
It protects against OWASP Top 10 attacks such as cross-site scripting, SQL injection, cross-site request forgery and more — specifically against attacks to the applications and underlying databases. OWASP is the Open Web Application Security Project, which seeks to provide information relevant to Web application security.
Focused on Execution
Rather than relying on behavioral analysis, signatures or patterns, Prevoty uses LANGSEC, a language-based process of understanding how data such as content payloads, database queries, operating system commands and more will execute in an environment.
It provides more sophisticated visibility and intelligence, according to CTO Kunal Anand.
“If we take a database query, we don’t just tell you there’s something wrong with a database query, we tell you exactly what’s wrong with it. We tell you it’s tautology — something like a 1 equals 1 — or a contradiction inside a database query,” he explained.
“Most of our competitors are coming from the vulnerability analysis space. They’ve been focused on trying to scan for bad code and now they’re trying to jump on the runtime bandwagon. Unfortunately, those solutions, whether they’re SAST, DAST, or even IAST are very heavy-handed and don’t scale in a production application. They’re trying to scan every single line of code, and you can’t do that inside a production application. It slows the app down significantly,” Anand said.
Prevoty’s performance overhead on an application is under a millisecond of processing time, meaning most clients don’t even notice it’s running, he said. Beyond the in-app engine, Prevoty also can be deployed as a virtual appliance in the data center or accessed from the Prevoty cloud or a private cloud, where typical round trips are 50 to 60 milliseconds.
“We have written Chef recipes or Ansible playbooks or Puppet scripts that will allow Prevoty to be attached to an application without the developer having to do anything,” Anand said.
The software doesn’t require any server integration. There’s no telemetry going to a mothership and no active communication with a network service is required. It runs in either a passive monitoring mode or an active protect mode, and customers can toggle between the two. In protect mode, a suspicious payload is neutralized and the secured payload is immediately handed back to the application.
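To make the LANGSEC approach described above concrete (classifying a database query by how it would execute, and naming the exact clause at fault, such as a `1 = 1` tautology or a contradiction) together with the monitor/protect toggle just described, here is a small self-contained Python illustration. It is an added example, not Prevoty's code: it assumes a deliberately tiny grammar for SQL WHERE clauses (comparisons of literals and column names joined by AND/OR and parentheses), rejects anything it cannot parse rather than guessing, and assumes that "neutralizing" a flagged predicate means replacing it with a never-true `1 = 0`. The class and function names (`inspect_where`, `RaspGuard`) and the sample request metadata are constructed for the example.

```python
"""Toy LANGSEC-style inspector for SQL WHERE clauses (constructed example, not Prevoty's engine)."""
import operator
import re
from dataclasses import dataclass, field

# Deliberately small predicate grammar: anything outside it is rejected rather than guessed at.
_TOKEN_RE = re.compile(
    r"\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<str>'(?:[^']|'')*')"
    r"|(?P<op><>|!=|<=|>=|=|<|>)|(?P<lp>\()|(?P<rp>\))|(?P<word>[A-Za-z_][A-Za-z0-9_.]*))"
)
_OPS = {"=": operator.eq, "<>": operator.ne, "!=": operator.ne,
        "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def tokenize(text):
    """Split a WHERE clause into (kind, value) tokens; unparseable input raises ValueError."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse input at offset {pos}: {text[pos:pos + 12]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


def _literal(tok):
    """Python value of a literal token: numbers as float, strings with '' unescaped."""
    kind, value = tok
    return float(value) if kind == "num" else value[1:-1].replace("''", "'")


@dataclass
class Finding:
    kind: str    # "tautology", "contradiction" or "unparseable"
    clause: str  # the literal-vs-literal comparison (or parse error) that decided it


@dataclass
class Verdict:
    overall: str                                  # "tautology", "contradiction", "unknown" or "unparseable"
    findings: list = field(default_factory=list)


class Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := '(' expr ')' | operand op operand. Each level returns a classification."""

    def __init__(self, tokens):
        self.toks, self.i, self.findings = tokens, 0, []

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        k, v = self.peek()
        if kind and k != kind:
            raise ValueError(f"expected {kind}, got {v!r}")
        self.i += 1
        return v

    def keyword(self, word):
        k, v = self.peek()
        return k == "word" and v.upper() == word

    def expr(self):
        parts = [self.term()]
        while self.keyword("OR"):
            self.take()
            parts.append(self.term())
        if any(p == "tautology" for p in parts):       # X OR TRUE is always true
            return "tautology"
        if all(p == "contradiction" for p in parts):
            return "contradiction"
        return "unknown"

    def term(self):
        parts = [self.factor()]
        while self.keyword("AND"):
            self.take()
            parts.append(self.factor())
        if any(p == "contradiction" for p in parts):   # X AND FALSE is never true
            return "contradiction"
        if all(p == "tautology" for p in parts):
            return "tautology"
        return "unknown"

    def factor(self):
        if self.peek()[0] == "lp":
            self.take("lp")
            result = self.expr()
            self.take("rp")
            return result
        left, op, right = self.operand(), self.take("op"), self.operand()
        return self.compare(left, op, right)

    def operand(self):
        k, v = self.peek()
        if k not in ("num", "str", "word"):
            raise ValueError(f"expected operand, got {v!r}")
        self.i += 1
        return k, v

    def compare(self, left, op, right):
        # A column reference or mixed literal types makes the outcome data-dependent.
        if "word" in (left[0], right[0]) or left[0] != right[0]:
            return "unknown"
        kind = "tautology" if _OPS[op](_literal(left), _literal(right)) else "contradiction"
        self.findings.append(Finding(kind, f"{left[1]} {op} {right[1]}"))
        return kind


def inspect_where(where_clause):
    """Classify a WHERE clause and report the exact literal comparisons that decide it."""
    parser = Parser(tokenize(where_clause))
    overall = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError(f"unexpected trailing token {parser.toks[parser.i][1]!r}")
    return Verdict(overall, parser.findings)


class RaspGuard:
    """Monitor/protect toggle as the text describes it; the neutralized form is our assumption."""

    def __init__(self, mode="monitor"):
        if mode not in ("monitor", "protect"):
            raise ValueError(mode)
        self.mode, self.events = mode, []

    def check(self, where_clause, context):
        """Return (allowed, clause_to_execute); record an event whenever something is wrong."""
        try:
            verdict = inspect_where(where_clause)
        except ValueError as err:          # LANGSEC stance: what we cannot parse, we do not trust
            verdict = Verdict("unparseable", [Finding("unparseable", str(err))])
        if verdict.findings:               # attach the request metadata the text says is logged
            self.events.append({"verdict": verdict.overall,
                                "clauses": [f.clause for f in verdict.findings], **context})
        if self.mode == "protect" and verdict.overall in ("tautology", "unparseable"):
            return False, "1 = 0"          # assumed neutralization: a never-true predicate
        return True, where_clause


if __name__ == "__main__":
    # Constructed sample metadata standing in for the HTTP/session context of a request.
    ctx = {"ip": "198.51.100.7", "user": "alice", "file": "login.py"}
    guard = RaspGuard("protect")
    for clause in ("username = 'alice' AND password = 'pw'",
                   "username = '' OR '1' = '1'",
                   "id = 7 AND 2 > 3",
                   "id = 1; SELECT 1"):
        print(clause, "->", guard.check(clause, ctx))
    for event in guard.events:
        print(event)
```

Note the difference from a signature-based check: `id = 5 AND 1 = 1` is reported (the `1 = 1` finding is named) but not blocked, because the AND keeps the predicate data-dependent, while `username = '' OR '1' = '1'` is blocked in protect mode because the OR makes the whole predicate a tautology. In monitor mode the same events are recorded but every clause passes through unchanged.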
“The intelligence we see inside an application is typically something organizations haven’t seen before. By residing within the application, you’re at the connective tissue between the network requests and the database and operating system calls,” he said.
“When we see something malicious, we can tie all the HTTP information, like the IP address, cookies, HTTP headers, plus all the application metadata, including the file name, where that malicious code executed, all the session information like who was logged into the application. We see the database query before it gets shipped off to a database engine and we see exactly what gets returned back from the other side.
“That means we can put all that information into one payload, then we push all that information into log files or over Syslog. We have organizations that push us into data stores like Splunk, IBM QRadar, HP ArcSight, the big security tools and some who are a little more advanced will push us into HDFS or a NoSQL store where they’ll do rollups. We have one customer that pushes all the data into an [Amazon Web Services’] S3 bucket, then there’s a Kinesis job to synthesize the data,” he said.
To help users make sense of the log data, all of which is searchable, Prevoty supplies highlights, trends, and the ability to set up alerts and generate reports for managers when an issue arises.
Prevoty supports the programming languages C, Java, PHP, Python, Node, Ruby, .NET and ASP.NET, the Django framework and HTML5, as well as the databases SQL Server, MySQL, Oracle DB and IBM DB2. The company is turning its attention to NoSQL databases as well, Anand said.
Feature image via Pixabay