Changing the AppSec Paradigm

Traditional approaches to application security are outdated and inefficient. With many organizations suffering from a web application security skills gap, the situation will likely get worse before it gets better. Increasingly, those who write code lack the requisite knowledge to keep it secure over time. This means that apps are at risk of being exploited due to flaws in their design or deployment.

New, best-in-class technologies such as Runtime Application Self-Protection (RASP) can help organizations overcome these issues. With RASP, we can fundamentally change the AppSec paradigm.

What makes RASP so different? It provides significantly broader security protections for web apps than legacy solutions such as Web Application Firewalls (WAFs). It’s simpler and less expensive to deploy and maintain, and it drastically reduces the risk of exploitation.

Minimizing Exploitation Is the Future of AppSec

Today’s AppSec solutions are focused almost entirely on minimizing risk by minimizing exposure. These solutions aim to identify vulnerabilities all through the code in applications so that organizations can (eventually) remediate those vulnerabilities. But what happens in the meantime? The delay between finding and fixing such flaws represents a major opening for attackers.

At IMMUNIO, we believe that a better and more effective approach to this problem is to make sure that code vulnerabilities (which are inevitable) can’t be exploited by attackers to harm your company’s systems, data, or customers. 

Outdated and Insecure Third Party Components Are Also Your Application

Modern web applications are often built with frameworks that define large portions of application functionality. Such frameworks are often much more resilient to exploitation than their older counterparts, or custom code, but they are not immune to it. Also, new frameworks age fast and once their weaknesses are exposed all applications using the compromised version of the framework become that much more insecure. Here are some examples of severe vulnerabilities reported in major Python, Ruby and Node.js frameworks:

• Node.js Advisories
• Ruby on Rails Security Google Group
• RubySec Advisories
• Django Security Archive

Code That Trusts User Input Can Open Doors to Exploitation

When hackers identify code that trusts user input, they can develop inputs that can exploit inherent weaknesses in the underlying technology. Manipulation of application inputs dominate lists of critical vulnerabilities like OWASP Top 10.

The traditional AppSec approach is to focus on finding vulnerabilities through pen testing, source code review and static analysis, and then remediating those vulnerabilities.

These practices are essential for improving security of new applications, but they often rely on 
human expertise and resources required for proper remediation in the code. Furthermore, it is often very hard to prioritize issues without fully understanding the impact of the deployment configuration and other protective measures on exploitability of these vulnerabilities.

As a result, this approach, while essential, can be painstakingly slow, taking months, or years before it has significant impact on risk reduction.

Blocking Exploitation With RASP

Preventing vulnerabilities from being exploited in the first place is the main focus of RASP solutions. The vulnerability isn’t realized until an exploit is leveraged by an attacker. Preventing the harm that results from vulnerability exploitation is simpler than launching a difficult--and likely fruitless--search for every possible vulnerability in application code.