Drivetime vs. Runtime: Applying Motor Vehicle Safety to Application Security

Application Security continues to be the Achilles Heel of cyber defense. According to the global head of cyber security at HP, 85 percent of all successful breaches involve an exploit at the application layer. To add insult to injury, 99 percent of these breaches exploit at least one weakness that has been publicly disclosed for 12 months or more.

Motor vehicle safety, meanwhile, has its own unique set of challenges with much more dire consequences — more than 1 million people die in road accidents worldwide each year: that’s one death every 20 seconds of every day.

Precautions in motor vehicle safety are generally divided into two parts: pre-drivetime and drivetime.

Since fatal accidents occur only during drivetime, there are natural limits to how much any pre-drivetime program can reduce fatalities. These focus on two areas which occur before a car ever leaves the driveway (1) ensuring cars are safe and (2) ensuring a minimum level of driver competence.

There is no question that today’s cars are built with the highest level of quality control and advanced features like ABS brakes, rearview cameras, etc. Governing bodies have also instituted a life cycle or legacy element that requires older cars to pass periodic safety inspections to remain on the road.

Of course, even a safe car is lethal in the hands of a dangerous driver. No one is allowed to legally drive a car without a valid driver’s license and passing a driving test with both theoretical and practical components. Here again, there is a life cycle element. Older drivers need to pass vision tests to renew their license, while suspended license holders often have to re-pass their tests.

The effectiveness of these indirect measures remains difficult to measure.

So what does reduce road deaths and what could reduce them even further? Drivetime protections.

The most well-known drivetime protection is the seat belt. It is estimated that seat belts have reduced fatalities by up to 50 percent, and when combined with airbags, by up to two-thirds. That equals saving up to one million lives a year worldwide. More than the death rate from all wars, conflicts and terrorism in the past 70 years – the humble seat belt!

To bring the analogy to cyber-security, if it is illegal to drive without a seat belt – why do most enterprises continue to run their applications without runtime protection? Runtime application self-protection, or RASP, a term coined by research firm Gartner, Inc., is the cyber equivalent of seat belts. RASP achieves in the runtime what seat belts and airbags achieve in the drivetime – a dramatic reduction in a fatal outcomes.

While seat belts and airbags have reduced fatalities by up to 67 percent; simply implementing basic RASP based on virtualization reduces vulnerabilities by approximately 80 percent based on the SANS and OWASP list of the most severe known vulnerabilities.

Now, let’s consider an emerging motor vehicle safety innovation: intelligent cars. Google’s Self Driving Car project has garnered worldwide interest with a technology basically designed to compensate for human error. Google is not alone. Tesla offers AutoPilot on its vehicles and MobilEye’s driver assistance tech is being licensed by global automobile manufacturers. According to industry estimates, these new technologies will further reduce road fatalities by 90 percent.

In cyber security, the equivalent of the intelligent car is advanced RASP.

Basic RASP can be compared to seat belts and airbags, since you simply turn it on once and it provides very significant protection in the event of an incident. Advanced RASP resembles the intelligent car because it constantly learns and monitors the application’s behavior. Profiling the functions of an app and applying advanced RASP functions can reduce vulnerabilities by up to 99 percent.

And like each of these auto safety technologies, RASP also introduces a level of ease and convenience that makes protection seamless and effortless.

It took nearly 30 years for the drivetime protection of seat belts to become ubiquitous. Look for runtime protection for applications to be adopted in a fraction of that time.