Why cybercriminals love banks that use web-facing applications
Current approaches to application security are failing to provide adequate protection, says Waratek CEO Brian Maccaba.
JAXenter: What risks are banks creating by relying heavily on web-facing applications?
Brian Maccaba: Web-facing applications are a popular target for cybercriminals. They contain valuable information and are used to access accounts – and they are very difficult to defend. Large banks can have hundreds of these Java-based applications, and many are built using third-party code that is difficult, if not impossible, to patch against security vulnerabilities.
In addition, many of these applications contain older versions of Java that are time-consuming and expensive to update. Plus, many of these applications were written to work on a specific version – and updating can literally break the application – so they remain unpatched.
Cybercriminals know this, and they exploit the vulnerabilities introduced through third-party and unpatched code, leaving the bank’s data centre, applications, sensitive data and accounts at risk from attacks like SQL Injection, zero-day, and unpatched vulnerability exploits.
And where is the problem? Can static code analysis and Web Application Firewalls not handle the threats?
Third-party software libraries used in application development represent one of the biggest, and possibly most overlooked, security threats. These components speed development and help developers avoid “re-inventing the wheel”. According to industry estimates, third-party code makes up between 30 percent and 90 percent of typical applications. This code introduces many thousands of lines of software that were neither authored internally nor vetted properly for security flaws.
The cost of mitigation and severe operational impacts
Amplifying the problem, countless web-facing applications are still running older, legacy versions of code. Most core enterprise applications were written for execution on a specific version of Java, and that’s where they remain, with both known and unknown security holes.
The two primary reasons that legacy Java security risks persist are the cost of mitigation and severe operational impacts. Mitigating legacy Java vulnerabilities typically requires updating the Java runtime virtual machine which hosts the application. This process is costly since it requires extensive application testing and re-qualification. Meanwhile, if application modifications are required, the price tag increases significantly. Often, this type of financial investment is hard to justify based on ambiguous estimates of the security risk and potential exploitability associated with a vulnerability.
Current approaches to application protection, including static code analysis and application best practices, are falling short and are not handling the threats. Firewalls, IPSs and Web application firewalls (WAFs) inspect network traffic, content, and/or user sessions to and from applications, but these technologies are blind as to how the information is processed within applications and databases. Consequently, they lack the necessary accuracy to identify and terminate malicious activity.
We hear Waratek has launched its RASP technology to help with precisely this problem. Can you tell us a bit about how it works?
Waratek has developed a disruptive new approach to web security that protects Java applications and sensitive data from attacks like SQL Injection, zero-day, and unpatched vulnerability exploits at runtime, without code changes or hardware. Essentially, Waratek enables applications to protect themselves from the inside out. This is an approach that analyst firm Gartner calls Runtime Application Self-Protection, or RASP. Waratek monitors, detects and blocks threats from within the Java Virtual Machine without any user-discernible performance degradation.
To protect against malicious exploits, abnormal file manipulation or unexpected network connections, Waratek AppSecurity for Java uses a small set of rules to quarantine illegal operations inside the application. It also uses its unique Taint Detection Engine (TDE) to identify input injection attacks (such as SQL injection) that attempt to modify the logic of the outbound action.
Unlike Web Application Firewalls (WAFs) and other technologies that rely on heuristics and signature-based detection, Waratek performs transparent taint detection and validation of each character in a SQL query to identify injection attacks with 100 percent accuracy, and without generating false positives or requiring application source-code changes. This unique approach provides broad coverage against zero-day vulnerabilities since it traps the application behaviour, independent of the threat vector, without having to wait for a patch to be coded, tested and implemented. A simple blacklist rule can be implemented to provide virtual patch protection against new vulnerabilities, without the need to stop the application or make any code changes. Waratek uses industry-standard, Oracle-licensed technology and can be deployed in monitoring or blocking mode.
Embedding security in the JVM
Waratek has also developed a product that protects Java applications deployed in cloud environments called Waratek Locker. It literally enables organisations to bring their own security (BYOS) to the cloud. Currently, Waratek Locker supports Java applications deployed on Microsoft Azure. This Microsoft Azure Certified solution provides transparent protection against business logic and network layer threats regardless of where an application is hosted and without the need for any code changes. Waratek will soon announce additional BYOS offerings for Amazon Web Services, Docker, and others. Stay tuned.
By embedding security in the Java Virtual Machine (JVM) layer, where all Java applications execute, Waratek is strategically positioned to detect and block attacks and also audit activity for forensics and compliance. Waratek allows enterprises, PaaS and SaaS cloud providers to protect business-critical applications without modifying the application itself or deploying and managing any hardware. Entire categories of security weaknesses, logic attacks, and code vulnerabilities can be mitigated with a small number of rules, which can be applied in real time and without stopping and restarting the application. This reduces security administration and management burdens. Waratek supports fine-grained monitoring and control of all key application behaviours, including file, database and network access. This information can be passed to developers for coding or testing, or to security tools such as SIEM solutions, thereby increasing the value of existing security infrastructure investments.
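The per-character taint detection described in the answer above can be illustrated with a toy model. The Python below is an added example written for this page; it is not Waratek's code and does not describe the internals of its Taint Detection Engine. The TaintedString class, the small SQL lexer, the two query builders and the sample inputs are all constructed here. Every character of untrusted input carries a taint flag through concatenation, and the finished statement is then tokenized: it is flagged only if a tainted character has landed in a structural position (a keyword, operator, comment or quote delimiter) rather than inside the body of a string or number literal.

```python
"""Toy per-character taint tracking for SQL injection detection (added example).

Characters from untrusted sources carry a taint flag through string
concatenation. The finished query is tokenized and flagged if any tainted
character ends up in a structural position (keyword, operator, comment or
quote delimiter) instead of inside the body of a string or number literal.
"""
import re


class TaintedString:
    """A string that records, per character, whether it came from untrusted input."""

    def __init__(self, text, taint=None):
        self.text = text
        self.taint = list(taint) if taint is not None else [False] * len(text)
        assert len(self.taint) == len(self.text)

    @classmethod
    def trusted(cls, text):
        """Text written by the application itself (SQL template fragments)."""
        return cls(text, [False] * len(text))

    @classmethod
    def untrusted(cls, text):
        """Text received from a user, HTTP parameter, file, etc."""
        return cls(text, [True] * len(text))

    def __add__(self, other):
        # Concatenation preserves each character's origin.
        if not isinstance(other, TaintedString):
            other = TaintedString.trusted(str(other))
        return TaintedString(self.text + other.text, self.taint + other.taint)


# Minimal SQL lexer (constructed for this example); string literals are tried first.
_TOKEN_RE = re.compile(
    r"""
    (?P<string>'(?:[^']|'')*')        # single-quoted literal, '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)  # identifiers and keywords
  | (?P<space>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<other>.)                      # operators, punctuation, stray quotes
""",
    re.VERBOSE | re.DOTALL,
)


def find_injection(query):
    """Return (token_kind, token_text) pairs whose tainted characters sit in a
    structural position. An empty list means the query's structure was fixed
    entirely by trusted code, so the input cannot have changed its logic."""
    violations = []
    for m in _TOKEN_RE.finditer(query.text):
        kind = m.lastgroup
        start, end = m.span()
        taint = query.taint[start:end]
        if kind == "string":
            # The body of a literal may be tainted, but both quote delimiters
            # must come from trusted code.
            bad = taint[0] or taint[-1]
        elif kind == "number":
            # Tainted digits cannot alter query structure.
            bad = False
        else:
            bad = any(taint)
        if bad:
            violations.append((kind, m.group()))
    return violations


def build_name_query(name, quote_escaped=False):
    """Build a query by concatenation, as a vulnerable application would.
    With quote_escaped=True, single quotes in the input are doubled first,
    the classic (and fragile) manual defence."""
    value = name.replace("'", "''") if quote_escaped else name
    return (TaintedString.trusted("SELECT id FROM users WHERE name = '")
            + TaintedString.untrusted(value)
            + TaintedString.trusted("'"))


def build_id_query(account_id):
    """Numeric context: no quoting at all, so only digits are safe."""
    return (TaintedString.trusted("SELECT balance FROM accounts WHERE id = ")
            + TaintedString.untrusted(account_id))


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, a name with an escaped quote,
    # and two inputs that would rewrite the query's logic.
    samples = [
        build_name_query("alice"),
        build_name_query("O'Brien", quote_escaped=True),
        build_name_query("' OR '1'='1"),
        build_id_query("42"),
        build_id_query("42 OR 1=1"),
    ]
    for q in samples:
        hits = find_injection(q)
        print(("BLOCK " if hits else "ALLOW ") + q.text, hits)
```

The point the model makes is the one the answer claims for taint detection: a correctly escaped name such as O'Brien produces no alert, because the quotes that delimit the literal are the application's own, while an input that closes the literal or appends a keyword is caught whatever keyword it uses, so no signature list is needed. A production engine would need a complete SQL grammar, taint propagation through every string operation in the JVM rather than one wrapper class, and the same treatment for other sinks (file paths, commands, LDAP), but the decision rule stays the same.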
Does this extra security come with any cost to latency or the system’s speed?
Since Waratek executes in the JVM, there is no user-discernible impact on application response times.
Can you give us an example of how it’s being used?
Yes, a leading global bank had inventoried hundreds of internal applications, and found a multitude of Java versions for which quarterly releases of security vulnerabilities are commonplace. A traditional upgrade or patching approach was unfeasible. Even if it were, it would have imposed a huge cost and operational burden on the business, while impacting the bank’s agility and customer responsiveness. A different approach was needed.
That approach was RASP provided by Waratek AppSecurity for Java. Waratek protects their applications and sensitive data from attacks and unpatched vulnerability exploits at runtime, without code changes or hardware, and without any user-discernible performance degradation.
The Bank has integrated Waratek into its application hosting platform. This not only resolves the Java patching issue, but also remediates security issues such as vulnerability to SQL Injection attacks, in a transparent manner. The net result is a dramatic reduction and avoidance of security patching costs, while improving security and preserving the agility of the organisation.