Written by Tom Smith, Research Analyst at DZone, Inc.
I just wrapped up a conversation with Apostolos Giannakidis, Security Architect and James Lee, EVP and CMO at Waratek, the virtualization-based application security company, that has added several security feature improvements to its existing solution.
One key new feature allows Waratek to accurately make the distinction between successful SQL injection exploits and failed attempts at SQL injection exploits. This has been the number one security flaw on the OWASP Top 10 for several years.
This feature adds value, intelligence and forensic information to AppSec blue and security operations teams, allowing them to take actions in case of repeated failed SQLi attempts such as blocking the offending user/attacker.
How did Waratek come up with a solution to this long-standing problem? Compiler engineers in Waratek addressed the problem differently than security engineers who typically use pattern matching and other heuristic approaches. Being inside the runtime platform, Waratek is able to perform syntactic analysis of all SQL queries and apply similar techniques used in compilers to deterministically detect successful SQL injection attacks – resulting in no false positives being generated.
The SQL injection feature is also improved to support applications that use concurrent connections to multiple database systems from different vendors. For example, in case an application is using Oracle RDBMS for storing financial information and MySQL RDBMS for user information, Waratek is now able to accurately protect and detect SQL injection attacks and attempts with no false positives on both database systems concurrently.
Additional features mitigate abuse of DNS lookups that could cause Denial of Service (DoS) attacks that can cause network congestion as well as blind attacks for data exfiltration; advanced and accurate Path Traversal mitigation on all supported platforms and Operating Systems; and, support for SQLi attack detection and protection in applications that use concurrent connections to multiple database systems from different vendors. This closes off all Path Traversal attack vectors by hooking security controls at every entry point of the JVM and supporting Linux, Solaris, and Windows operating systems.
These new functions require no configuration, manual tuning from the user, or source code changes.
“From the outset, Waratek has provided absolute protection against both known and unknown injection vulnerabilities with zero false positives, and has never required making any changes to the application,” said John Matthew Holt, founder and CTO. “Our new features are the logical extension of what we set out to do—help solve the problems that chief security officers and security teams face every day without adding complexity, performance overhead, or additional effort.”
The most recent release includes an advanced capability that allows legacy applications that run on older and unsupported versions of Java, such as Java 4, Java 5, and Java 6 to utilize the latest TLS protocols and cipher suites, such as TLS 1.2. Traditionally, this is not possible unless the application is migrated to the latest Java version and JVM. Organizations that must meet PCI standards have until June 30, 2018, to comply with TLS 1.2 requirements.
Waratek’s new feature upgrades the TLS stack allowing legacy applications to transparently use the latest and more stable protocols without the need to recompile their source code or migrate them to a newer JVM. Waratek provides this capability with its virtualized architecture that allows legacy Java versions to run as guest JREs inside a host JVM, which is typically a newer and patched version of Java. The feature helps enterprises become compliant to the latest standards and to stop using older and broken versions of SSL and TLS.
Waratek users will also be able to comply with TLS 1.3 by simply upgrading to the most current JVM once a deadline for compliance is set later this year.
Every effective cybersecurity approach developed over the past two decades is now fully integrated into the way businesses protect themselves today. The massive volume of vulnerabilities, the ubiquity of software flaws, and pace of attacks, though, means that the measures organizations have relied upon for more than twenty years are now unable to provide the level of protection required going forward. Diligent system maintenance, consistent patching, and third-party security solutions are all necessary for maximum cyber protection.
Companies that use application security controls effectively reduce the cost of cybercrime. According to the Ponemon Institute, companies that deployed between eight and nine of the application controls in a recent study saved almost $2 million on total cybercrime costs. If only one to three controls are used, the costs increase by an average of $2 million.