Changing the AppSec Paradigm

By Goran Begic
Nov. 04, 16 · Performance Zone · Opinion

Traditional approaches to application security are outdated and inefficient. With many organizations suffering from a web application security skills gap, the situation will likely get worse before it gets better. Increasingly, those who write code lack the requisite knowledge to keep it secure over time. This means that apps are at risk of being exploited due to flaws in their design or deployment.

New, best-in-class technologies such as Runtime Application Self-Protection (RASP) can help organizations overcome these issues. With RASP, we can fundamentally change the AppSec paradigm.

What makes RASP so different? It provides significantly broader security protections for web apps than legacy solutions such as Web Application Firewalls (WAFs). It’s simpler and less expensive to deploy and maintain, and it drastically reduces the risk of exploitation.

Minimizing Exploitation Is the Future of AppSec

Today’s AppSec solutions are focused almost entirely on minimizing risk by minimizing exposure. These solutions aim to identify vulnerabilities throughout an application's code so that organizations can (eventually) remediate them. But what happens in the meantime? The delay between finding and fixing such flaws represents a major opening for attackers.

At IMMUNIO, we believe that a better and more effective approach to this problem is to make sure that code vulnerabilities (which are inevitable) can’t be exploited by attackers to harm your company’s systems, data, or customers.

Outdated and Insecure Third-Party Components Are Also Your Application

Modern web applications are often built with frameworks that define large portions of application functionality. Such frameworks are often much more resilient to exploitation than their older counterparts or custom code, but they are not immune to it. New frameworks also age fast, and once their weaknesses are exposed, every application running the affected version of the framework becomes that much more insecure. Here are some examples of severe vulnerabilities reported in major Python, Ruby, and Node.js frameworks:

  • Node.js Advisories
  • Ruby on Rails Security Google Group
  • RubySec Advisories
  • Django Security Archive

Code That Trusts User Input Can Open Doors to Exploitation

When attackers identify code that trusts user input, they can craft inputs that exploit inherent weaknesses in the underlying technology. Manipulation of application inputs dominates lists of critical vulnerabilities such as the OWASP Top 10.

The traditional AppSec approach is to focus on finding vulnerabilities through pen testing, source code review and static analysis, and then remediating those vulnerabilities.

These practices are essential for improving the security of new applications, but they rely on human expertise and on the resources required to remediate each issue properly in the code. Furthermore, it is often very hard to prioritize issues without fully understanding how the deployment configuration and other protective measures affect the exploitability of those vulnerabilities.

As a result, this approach, while essential, can be painstakingly slow, taking months or years before it has a significant impact on risk reduction.

Blocking Exploitation With RASP

Preventing vulnerabilities from being exploited in the first place is the main focus of RASP solutions. A vulnerability does no harm until an attacker actually exploits it. Preventing the harm that results from exploitation is simpler than launching a difficult, and likely fruitless, search for every possible vulnerability in application code.
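As an added illustration of the two points above (code that trusts user input is exploitable, and a runtime guard can stop the exploit without the flaw first being fixed), here is a deliberately vulnerable lookup built by string formatting alongside a simplified RASP-style check: the SQL produced with the real input is tokenized and compared against the SQL produced with a neutral placeholder, and the query is blocked if the input changed the statement's structure rather than just a literal value. This is example code written for this page, not IMMUNIO's product or the article's own code; the function names, tokenizer, and in-memory sample table are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample: a lookup that trusts user input (the flawed "before" code).
def build_query(username):
    return f"SELECT id, role FROM users WHERE name = '{username}'"

# Crude SQL tokenizer: quoted strings (with '' escapes), words, single punctuation.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")

def token_shape(sql):
    """Reduce a statement to its structural skeleton: literals become STR/NUM."""
    shape = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            shape.append("STR")
        elif tok.isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())
    return shape

def input_alters_structure(build, user_input):
    """RASP-style check: user data may change literal values, never the SQL shape."""
    baseline = token_shape(build("x"))  # shape with a harmless placeholder value
    return token_shape(build(user_input)) != baseline

def guarded_execute(conn, build, user_input):
    """Block at execution time instead of waiting for the code to be remediated."""
    if input_alters_structure(build, user_input):
        raise PermissionError("RASP: input changed SQL structure; query blocked")
    return conn.execute(build(user_input)).fetchall()

def make_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "user"), (2, "bob", "admin")])
    return conn

def demo():
    conn = make_db()
    normal = guarded_execute(conn, build_query, "alice")        # legitimate lookup
    injected = "' OR '1'='1"                                    # classic tautology input
    unguarded = conn.execute(build_query(injected)).fetchall()  # the flaw, unprotected
    try:
        guarded_execute(conn, build_query, injected)
        blocked = False
    except PermissionError:
        blocked = True
    return normal, unguarded, blocked
```

Running `demo()` shows the unprotected query returning every row while the guarded call refuses the same input, even though the vulnerable `build_query` is left unchanged.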
