DEVOPSdigest

DevOps teams today churn out releases at a rapid pace, and securing these applications is more challenging than ever. Code is continuously changing, and developers must identify and fix security bugs as quickly as possible. Developers need effective tools to help reduce the risk of data breaches while the software development and release machinery is getting faster.

Generally this means a combination of static analysis, pen testing and web application firewalls – all technologies that require deep expertise to manage, need heavy customization on a constant basis, and slow down continuous release. These activities are time consuming and require niche expertise that few DevOps teams have.

At the same time, attackers are developing new strategies, and application vulnerabilities arising from legacy code are on the rise. A new report from research firm Securosis reveals that when it comes to security, DevOps teams are searching for better solutions. The report explores how an emerging technology, Runtime Application Self-Protection (RASP), provides a simpler and more effective alternative to legacy web application security tools.

The report, Understanding and Selecting Runtime Application Security and Protection, explores how DevOps teams currently address application security issues, examining the shortcomings of the current approach. Securosis notes that DevOps teams are increasingly charged with managing security and are now actively involved in selecting web application security solutions. They’re searching for automated solutions that mesh with continuous integration and continuous deployment methods, and integrate well with existing developer tools.

Moving from “Security Bolted On” to “Security from Within”

RASP solutions work by examining requests at the application layer to detect attacks and misuse in real time. They fit well into the agile development process because they’re flexible and fast. Furthermore, RASP works inside the application, meaning it can go wherever the application goes. As Securosis highlights, RASP offers a distinct blend of capabilities and usability options, making it stand out from traditional web application security solutions. With RASP, the concept of web application security evolves from "security bolted on" to "security from within."

RASP: Protecting Web Apps Before Vulnerabilities are Exploited

It's no secret that applications are vulnerable to attacks. Applications are often tested before launch, then left unsupported, which leaves the door open to security breaches. Traditional solutions such as WAFs and static testing are insufficient for today's agile development and DevOps automation environments, especially with new classes of vulnerabilities constantly emerging. The function of RASP is, as the report explains, to protect web applications before these vulnerabilities can be exploited.

Most RASP products will offer protection against the common vulnerabilities of SQL injection, Cross Site Scripting, and Remote Command Execution. Some RASP products are also particularly effective in addressing Account Takeover (ATO) attacks. ATO attacks, in which hackers access user account credentials, are the most common cyber attack vector today. In these attacks, hackers obtain session or password information, then sell these credentials for profit or use them to further penetrate corporate networks and commit fraud.

Addressing the Complex Account Takeover Threat

There are a multitude of ways in which Account Takeovers happen, from attackers guessing credentials using credential information leaked off other sites, bruteforcing passwords or session IDs, or even tried-and-true cross-site scripting (XSS). To truly reduce the risk of account takeovers, organizations need a solution that addresses the multitude of ways in which such attacks occur. RASP is positioned to address these risks: every time a user logs in, the RASP knows if their login behavior matches their normal behavior. It knows if one user is generating an abnormal number of sessions, for example. Because it can operate at the user level (instead of at the IP address layer, like most network firewall devices). It can then take protective actions, such as serving captchas or blocking just that one user account.

The move to real-time web application protection provides major advantages to developers and security engineers. The challenge becomes how to integrate innovative new technologies into the security mix, ensuring all the pieces are in place from pre-launch to post-launch. RASP solutions are simple to install and work effectively alongside other security tools including static testing and WAFs.

As attackers become more sophisticated, protection plans must too. No longer can organizations only protect their applications from the perimeter. Solutions that sit inside the application must be implemented to ensure security happens at the same speed as development.

Zaid Al Hamami is Co-Founder and CEO at IMMUNIO.