Dr. Edward G. Amoroso, former CISO of AT&T and now founding CEO of TAG Cyber, is dedicated to advancing the practice of information security and making best-in-class knowledge available to the community of security leaders. In this excerpt from his new three-part report, he interviews Julien Bellanger, CEO and Co-Founder of Prevoty, about runtime technologies and the future of application security.
Runtime Application Security Monitoring & Protection:
Extending Advanced Application Security Controls to the Runtime Operating Environment
By Dr. Edward G. Amoroso
For the longest time, application security implied code scanning, also known as static analysis security testing (SAST), and application scanning, also known as dynamic analysis security testing (DAST). Certainly, the benefits of scanning an application for evidence of vulnerabilities are obvious, and many CISO teams include SAST and DAST in their arsenal. But more recently, the security advantages of embedding runtime controls into the operating environment of an application have become much clearer. So-called Runtime Application Self-Protection (RASP) controls are now emerging as one of the investment areas in enterprise cybersecurity.
EA: What are the benefits of RASP for enterprise applications?
JB: Runtime application security, as we define and employ it at Prevoty, gives enterprise users instant visibility into their production application security posture, not to mention supporting the automatic remediation of existing application vulnerabilities. RASP is unparalleled in its ability to instantly protect your legacy software – that is, applications with few, if any, active developers – while also letting organizations release active applications faster into production, effectively speeding up the secure development lifecycle. Because it can alert on which portion of application code is actually being exploited in production, versus potential vulnerabilities in development, staging, or test environments, development teams can focus on fixing what matters. It makes remediation efforts more targeted and meaningful, saving time and money all around.
EA: If Prevoty’s RASP solution runs on production application servers, doesn’t that impact the performance and stability of applications?
JB: This question of performance and stability should be one of, if not the, primary considerations CISO teams take into account when looking at Prevoty, or any other RASP solution. After all, the last thing any security program can afford is a tool that negatively impacts applications’ performance or stability in production. Through its unique LANGSEC technology, both Prevoty’s monitoring and protection capabilities are available with no noticeable impact to the performance of the applications to which Prevoty is attached. We urge readers to explore LANGSEC further with us and understand how this is feasible.
EA: Do you see compliance auditors and regulatory officials becoming more in tune with the benefits of runtime application controls?
JB: Most of our early customers are large financial and commerce enterprises with Web-facing presences and are consequently subject to lots of compliance pressure. Their auditors view RASP as a compensating control for application security risks. We continuously hear regulatory officials asking enterprises, including our customers, to develop and implement actual controls instead of just checking the compliance box. At Prevoty, we’ve created a product that can integrate with existing vulnerability solutions like dynamic scanners. We’ve also built integrations with SIEMs that allow auditors and risk management teams to review real-time attack data.
EA: How hard is it for enterprise CISO teams to deploy runtime security? Do they need to fold security libraries into the application code? Or do they run some sort of scaffolding around the application?
EA: A big problem in application security has been the weaknesses inherent in the runtime environment such as third party software and components. Do application-level runtime controls help protect against these weaknesses, or do they undermine the effectiveness of RASP?
JB: If we follow a conservative threat model, we must assume that all third-party software and components, including open source libraries, are vulnerable by default. Furthermore, software that is secure today will become insecure and legacy in the future. By living in the application runtime, such as the Java Virtual Machine (JVM) or Microsoft’s Common Language Runtime (CLR), a RASP solution can mitigate against attacks that target vulnerable third-party libraries. For example, our RASP product already mitigated the well-documented Java deserialization attacks affecting many organizations in 2015. For our customers, we were able to save them time, while also reducing exposure and risk.
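The "live in the runtime" idea above can be illustrated with a small Java example. This is added illustration code, not Prevoty's product or its LANGSEC technology: a hypothetical gate inside the JVM that hooks ObjectInputStream.resolveClass and refuses any class not on an allowlist, so a deserialization path in a third-party library cannot instantiate unexpected types. The Order and Unexpected classes and the allowlist contents are constructed for the demo.

```java
import java.io.*;
import java.util.Set;

// Hypothetical runtime deserialization guard (example code, not Prevoty's).
public class RuntimeDeserializationGuard {

    // Types the application legitimately expects to deserialize (assumed for the demo).
    private static final Set<String> ALLOWED = Set.of(
        "RuntimeDeserializationGuard$Order", "java.lang.Integer", "java.lang.String");

    // A legitimate application payload type (constructed for this example).
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku; final int qty;
        Order(String sku, int qty) { this.sku = sku; this.qty = qty; }
    }

    // Stands in for any class the application never intended to accept.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // The gate: the same stream a library would use, with class resolution checked.
    static final class GuardedObjectInputStream extends ObjectInputStream {
        GuardedObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // A RASP-style control would also raise an alert with request context here.
                throw new InvalidClassException(name, "blocked by runtime deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserializeGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new GuardedObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Order ok = (Order) deserializeGuarded(serialize(new Order("SKU-1", 3)));
        System.out.println("accepted: " + ok.sku + " x" + ok.qty);
        try { deserializeGuarded(serialize(new Unexpected())); }
        catch (InvalidClassException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

On Java 9 and later the same allowlisting can be expressed without subclassing through the standard java.io.ObjectInputFilter API; the subclass form is shown because it works on older JVMs that typically host the legacy applications the interview refers to.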
EA: How well do RASP controls extend to virtual environments? Would the runtime controls sit as part of a micro-segment?
JB: Since Prevoty’s RASP is attached to an application, it travels wherever the application is deployed: from a local environment, to a physical staging server, to an ephemeral cloud instance. We have many customers today that are moving their monolithic application deployments to micro-services. With this transition, they are using new containerization technologies, like Docker. Today, Prevoty supports applications that run in virtual machines as well as containers.
EA: With SAST, DAST and other existing technologies, CISOs are assured of identifying a broad set of potential application security issues. How does Prevoty’s coverage compare?
JB: Recent reports from Verizon and Gartner conclude that over 90% of today’s application breaches still exploit SQL injection, cross-site scripting, and cross-site request forgery. So while Prevoty obviously focuses time and attention on these attacks, we are also aggressively improving our coverage model. With our upcoming release, scheduled for GA late summer 2016, we will cover 8 of the OWASP Top 10 categories, in addition to expanded coverage for numerous other attack vectors. All of this is included while our engineers balance the top requirement of ensuring no negative impact on the application’s performance.
EA: Where does Prevoty fit within existing enterprise application security programs?
JB: For less mature programs, Prevoty’s runtime application security monitoring and protection capabilities can serve as a primary control, providing both detective and preventative measures. For the most mature programs, Prevoty can act as the last line of defense, and can be viewed as additive to a mature program’s pen testing, SAST, DAST, WAF, etc. capabilities. There are many gaps Prevoty can fill for those app sec programs between the two ends of the maturity model.