Cyberock security architecture outlook: application security for managed and production services.
On average, 79% of an application's code is not written in house; only 21% of the code used by companies, Fortune 500 firms included, is actually their own. The rest is for the most part libraries that developers download from GitHub or other open-source projects. Exploits are constantly evolving, and we are always under attack. Most organizations today use a web application firewall (WAF) to analyze and inspect incoming requests to applications and APIs and to stop attacks against them. However, a WAF still has serious limitations when it comes to protecting applications against known threats and zero-day vulnerabilities, from the CI/CD pipeline through production and until application retirement.
While a WAF helps keep bad actors away from the organization's infrastructure, it has its limitations: its rules block attacks based on models of application behavior and attack behavior. A WAF lets you check for bursts of requests, whether or not they come from the same source, and a number of other indicators of suspicious behavior. Moreover, web application firewalls often generate tons of useless alerts, which makes it hard to:
- Zero in on the issues that actually matter to developers and security.
- Keep up with fast changes as applications are updated in an environment where new attacks may creep up constantly.
Maintaining those checks and alerts alone becomes a full-time job.
In addition, developers and cybersecurity teams are generally overwhelmed by the sheer number of vulnerabilities identified in their applications. This puts them under pressure to prioritize and fix vulnerabilities that are not easy to remediate, which often delays application rollouts and product releases.
In fact, modern DevOps moves too fast: CISOs and their security teams often lack visibility into these applications, as well as control over them, while DevOps keeps moving at great speed. As a result, zero-day protection is not effective enough. There is always a risk that a zero-day attack exploits vulnerable code such as legacy code, microservices built on open-source code, or third-party components. New threats and vulnerabilities are discovered every day, and keeping pace with patching components can cause major disruption to teams and seriously curtail delivery speed.
To address these problems and protect our applications wherever they live and however they are deployed through our CI/CD pipeline, security cannot be bolted on as an afterthought. It needs to be integral to the software development lifecycle. In addition, a Runtime Application Self-Protection (RASP) solution should be deployed in both development and production environments. While a WAF keeps bad actors and undesirable network traffic outside the organization, RASP helps mitigate the risk of unknown exploits. For instance, instead of predicting from rules that a request will call a database, open a file or start a shell to execute a command line, and generating alerts from those predictions, RASP observes those operations as the application actually performs them, so its alerts are highly relevant because they are based on actual application behavior. There is no need to tell the application what bad behavior looks like, because you know what the application should and should not be doing. If the application changes, there is no problem, because the protection lives in the application rather than in a set of rules built on educated guesses about how it might behave.
The main benefit of RASP is that it protects the organization's applications from development all the way through to production, using the same agent. RASP protects applications from known and unknown vulnerabilities by default and ensures protection at the speed of DevOps. Once configured, RASP can be added to any existing DevOps build pipeline. It travels with the application wherever it goes, whether that is on premises or in the cloud, and it gives developers and cybersecurity teams visibility into the application. In addition, RASP helps secure applications, legacy code and components against known attacks, and it helps protect against zero-day exploits using patented techniques that detect data being treated as code. Finally, it protects applications without signatures or updates and with low performance overhead.
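The contrast drawn above (a WAF judging the request from the outside with rate and signature rules, versus a RASP hook judging what the application actually does at the point where request data would become code) as an added Python example written for this page. It is not Cyberock's code and not any vendor's RASP agent: the signature patterns, the rate limit, the `ping` handler, the `RaspHook` class and the request records are all constructed for the demonstration, and the sink hook is called by the toy handler rather than patched into the interpreter's process-spawn call.

```python
"""WAF-style request filter beside a RASP-style sink hook.

Added example written for this page; not Cyberock's code nor any vendor's
RASP agent. Signatures, rate limit, 'ping' handler and request records are
all constructed for the demonstration.
"""
import re
import shlex
from collections import defaultdict, deque

# ---- WAF side: rules applied to the request before it reaches the app ----
SIGNATURES = [re.compile(p, re.IGNORECASE)
              for p in (r";\s*cat\b", r"/etc/passwd", r"\bwget\b")]
RATE_WINDOW_S = 1.0   # sliding window (seconds)
RATE_MAX = 5          # requests per source tolerated inside the window


class Waf:
    def __init__(self):
        self.history = defaultdict(deque)   # src_ip -> recent timestamps

    def inspect(self, src_ip, ts, params):
        """Return 'rate-limit' or 'signature' to block, or None to allow."""
        seen = self.history[src_ip]
        seen.append(ts)
        while seen and ts - seen[0] > RATE_WINDOW_S:
            seen.popleft()
        if len(seen) > RATE_MAX:
            return "rate-limit"
        # Signatures only see request text, not what the app does with it:
        # obfuscated payloads slip past, benign text mentioning a keyword fires.
        for value in params.values():
            if any(sig.search(value) for sig in SIGNATURES):
                return "signature"
        return None


# ---- RASP side: a hook at the sink where request data could become code ----
class CommandInjectionBlocked(Exception):
    pass


def shell_tokens(cmd):
    """Tokenize as a POSIX shell would, keeping ; | & < > ( ) as own tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


class RaspHook:
    """Stands in for an agent's hook on the process-spawn sink (hypothetical)."""

    def __init__(self):
        self.tainted = []   # request-supplied strings for the current request

    def taint(self, params):
        self.tainted = [v for v in params.values() if v.strip()]

    def guard(self, cmd):
        """Block when request data changed the command's token structure.

        Tokenize the command as built and again with every tainted value
        swapped for one neutral word; a different count means the data added
        shell structure (operator, second command, extra argument): data as code.
        """
        real = shell_tokens(cmd)
        neutral = cmd
        for value in sorted(self.tainted, key=len, reverse=True):
            neutral = neutral.replace(value, "X")
        if len(real) != len(shell_tokens(neutral)):
            raise CommandInjectionBlocked(cmd)
        return cmd   # a real agent would now let the real spawn call proceed


def ping_handler(rasp, params):
    """Constructed vulnerable handler: request data spliced into a shell line."""
    return rasp.guard("ping -c 1 " + params.get("host", ""))


def run_scenario():
    """Replay constructed requests through both layers; return (ip, waf, rasp).

    Both layers are evaluated for every request so the difference is visible;
    in a real deployment a WAF block would stop the request before the app.
    """
    waf, rasp = Waf(), RaspHook()
    requests = [
        ("10.0.0.1", 0.0, {"host": "8.8.8.8"}),                            # benign
        ("10.0.0.2", 0.1, {"host": "8.8.8.8; cat /etc/passwd"}),           # obvious
        ("10.0.0.3", 0.2, {"host": '8.8.8.8;c""at /e"t"c/passwd'}),        # obfuscated
        ("10.0.0.4", 0.3, {"host": "8.8.8.8", "q": "how do I use wget"}),  # benign text
    ] + [("10.0.0.5", 0.4 + i * 0.01, {"host": "1.1.1.1"}) for i in range(7)]  # burst
    verdicts = []
    for ip, ts, params in requests:
        waf_verdict = waf.inspect(ip, ts, params)
        rasp.taint(params)
        try:
            ping_handler(rasp, params)
            rasp_verdict = None
        except CommandInjectionBlocked:
            rasp_verdict = "blocked-at-sink"
        verdicts.append((ip, waf_verdict, rasp_verdict))
    return verdicts


if __name__ == "__main__":
    for ip, waf_v, rasp_v in run_scenario():
        print(f"{ip:10} waf={waf_v!s:12} rasp={rasp_v}")
```

Running the scenario shows the split the text describes: the WAF flags the obvious `; cat /etc/passwd` payload and the burst from `10.0.0.5`, but it misses the quote-obfuscated variant (the shell collapses `c""at` back to `cat`, the regex never does) and it raises a useless alert on a benign search string that merely contains `wget`. The sink hook catches both injections and stays quiet on the benign requests because it looks at the command the application is about to run, not at the request. Two caveats a practitioner should keep in mind: the hook only protects sinks it is actually attached to, and a legitimate value containing a space is reported as an extra argument, which is the same thing a correct handler (one argument, no shell) would refuse anyway.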
A 2019 study found that attackers could target users in 9 out of 10 web applications analyzed. In addition, breach of sensitive data was a threat in 68% of the web applications. (Source: PT Security)
Another 2019 study found that 46% of web applications had critical vulnerabilities, and a whopping 87% had "medium" severity vulnerabilities. (Source: Acunetix)
30% of web applications are vulnerable to XSS. (Source: Acunetix, Web Application Vulnerability Report 2019)
In a 2020 report that analyzed nearly 4,000 confirmed breaches, it was found that:
- Over half of them (52%) were a result of hacking.
- Hacking statistics gathered in the report show that the second biggest risk was phishing, which accounted for nearly 33% of all data breaches.
- Malware is also a major culprit, responsible for 28% of the data breaches.
The report also found that 70% of the breaches were financially motivated and, rather worryingly, 43% of the breaches involved exploiting vulnerabilities in web applications. This is more than double the numbers from 2019. (Source: Verizon)