Modernizing an Out-of-Date, Mission Critical App Without Code Changes
Learn how a company using Waratek's virtualization-based App Security Platform instantly remediated years of unpatched vulnerabilities with no code changes, simultaneously improving app performance and security.
A large US-based company ($50-$75B) recently evaluated how Waratek's virtualization-based Application Security Platform can instantly and seamlessly modernize, harden, and protect a large, mission-critical application used by thousands of customers.
Below, we'll provide a case study showing how this company brought their out-of-date, mission-critical app up to speed without any code changes at all, simultaneously improving the app's security and even its performance. Again, no manual code changes were necessary, allowing the devs to focus on writing new code instead of updating an old codebase. This also means that the company didn't spend money or time on rewriting the app and could instead invest in moving forward.
Read on and see the results for yourself. And of course, be sure to read through the many benefits received via Waratek's solution.
Background
The target application was running on an "end-of-market" app server with an "out-of-support" Java Runtime Environment (JRE). The app server version was incompatible with the current Java 8 JRE, meaning that upgrading the application would require a manual rewrite of the app and significantly increase the risk of breaking the app. No cost estimate for rewriting the app was shared with Waratek, but similar projects at other companies have been estimated to take 12-24 months and require millions of dollars to complete.
Assessment
A significant backlog of critical patch updates, discovered in a preliminary security and compliance assessment, indicated that the company had difficulty keeping pace with the volume of vulnerabilities discovered in third-party software components and the increasing cadence of patch updates.
Further, Qualys/Nessus scans revealed:
- Up to 24 Qualys vulnerabilities recorded against the out-of-support JRE
- More than 300 MITRE CVE vulnerabilities recorded against the out-of-support JRE
- An unknown number of CVEs related to imported app server JAR files
Under the test parameters, Waratek was required to instantly remediate Severe, High, and Medium Java vulnerabilities in the out-of-support JRE without source code changes and upgrade the out-of-support JRE to Java 8 JRE without source code changes, all while generating minimal performance overhead.
Test Results
After completing the preliminary security and compliance assessment of the application, the Waratek agent (a .JAR file) was downloaded and installed. Upon restart, a virtual container encapsulated the full application stack, providing instant modernization of the out-of-support JRE to a Java 8 JRE and instant protection from the Java-related vulnerabilities identified in the pre-scan.
Performance overhead was measured against a baseline without Waratek's solution and reflected both normal operation and operation under malicious attack. While under attack, the performance overhead increased by 2.4%. However, under normal operating conditions, Waratek improved app performance by as much as 9%, and improved overall performance by 6.9% after lifting the out-of-support JRE to a more efficient Java 8 JRE.
Waratek remediated all the Severe, High, and Medium CVEs identified in the pre-test assessment as required.
Benefits
The test results above demonstrate significant business benefits for the application owner:
1. Instant Application Modernization
Waratek’s patented virtualization technology instantly modernized (upgraded) the entire application stack, including the legacy app server, to the latest compliant Java 8 JRE without any source code changes.
2. Live, Virtual Patching
Security policies and binary-equivalent virtual patches can be updated and applied without disrupting or restarting the application and without manual intervention. This allows for instant patching, which frees valuable staff and financial resources for higher-value activities.
3. Continuous Protection
Waratek's security controls provide continuous monitoring and protection for the 2013 OWASP Top Ten as well as other common vulnerabilities like those found in third-party software components, such as Apache Struts 1, Apache Struts 2, and Apache Commons.
Proprietary technology also allows for highly effective defenses against attacks such as Deserialization and Command Injections.
4. Automatic Security Hardening
Waratek’s built-in application hardening features, such as Default Impact Reduction Rules, Name-Space Layout Randomization (NSLR), and others, reduce or eliminate the CVE Severity Scores of known and unknown vulnerabilities that may be present anywhere in an application stack.
5. Full Forensic Data
Waratek provides real-time attack alerts to security teams and comprehensive data that guides development teams to vulnerable sections of code. The data is accessed via a customer’s SIEM or the Waratek Management Console. Our security logs are generated as an easily parseable delimited text format and include stack traces corresponding with any security event we intercept.
Summary
Waratek's unique approach to application security resulted in the remediation of several years of vulnerabilities and the updating of an out-of-date Java JRE without changing a single line of code. Performance in normal operating mode improved by nearly 7%, and overhead while under attack increased by less than 2.5%.
The application owners can expect to see an elimination of false positives. The company will also gain operational efficiencies from being able to live-patch without shutting down the application, reducing patch times, costs, and the risks associated with delays in patching.