
Application Security

6/26/2015 10:00 AM
Dark Reading
Products and Releases

Waratek Makes Apps Self-Testing and Self-Protecting

AppSecurity for Java Product Uses Outputs from Leading Application Security Testing Tools to Virtually Patch Flaws without Any Code Changes

NEW YORK – June 17, 2015 – Waratek, the application protection and management company, today announced that it has added automated security vulnerability remediation to its AppSecurity for Java Runtime Application Self-Protection (RASP) product. According to the 2014 WhiteHat Security Website Security Statistics Report, Java vulnerabilities remained unfixed for an average of 90.9 days. The new capabilities eliminate the need to make any code changes and can reduce the time it takes to remediate flaws from three months to thirty minutes.

Waratek can now use assessments generated by static application security testing (SAST) tools to automatically generate rules that provide a virtual patch against code-level attacks including SQL injection, unrestricted uploads, command injection, path traversal, code injection and more. According to Gartner, Inc.: “The existing security paradigm fails to test and diagnose all applications for security vulnerabilities, and then fails again to protect those vulnerable applications... In view of the failure to test and protect our applications, the only viable solution is self-testing and self-protection. Applications must test, diagnose, and protect themselves.”

Source: Gartner, Inc., Maverick* Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves, Joseph Feiman, 25 September 2014

Firehose of Flaws

One leading SAST vendor that evaluated 54,000 applications at 200 companies over a nine-month period discovered 11 million vulnerabilities. Despite the widespread use of SAST tools, the enormous number of vulnerabilities detected is virtually impossible to remediate, primarily because these tools do not correct flaws. As a result, fixing security problems in source code is manual, time-consuming and costly.

Waratek has developed the ability to consume CWE (Common Weakness Enumeration) reports from SAST and DAST tools including HP Fortify, Veracode, Checkmarx and others to generate rules that immediately address the top application security flaws identified by SANS and OWASP. This fully automated workflow can immediately protect production applications without any manual intervention or configuration. It can also be integrated into the Software Development Lifecycle. Using a closed-loop process, Waratek AppSecurity for Java provides validation to SAST/DAST tools that vulnerabilities have been remediated.

“At a typical enterprise, only a fraction of the vulnerabilities identified in internally written applications are fixed. For applications and software components provided by third parties, the number is exponentially higher,” said Brian Maccaba, CEO of Waratek. “By integrating application vulnerability reporting into our RASP platform we have created an end-to-end process that can reduce remediation times from months to minutes and increase productivity 100-fold.”

Business Benefits

Beyond its security advantages, the integration of SAST/DAST with Waratek AppSecurity for Java provides the following business benefits:

• Risk Reduction: lowering the time to remediation is a critical metric in application security

• Cost Savings: the automation of laborious and costly manual vulnerability remediation processes

• Business Agility: enables organizations to build and secure applications faster

• Compliance: automatic remediation of critical threats (such as SQL Injection, XSS) helps ensure that organizations meet regulatory requirements

The RASP Advantage

Waratek provides RASP for security monitoring, policy enforcement and attack blocking from within the Java Virtual Machine. This approach protects both data center and cloud-based applications against exploits that target vulnerabilities in third party libraries or legacy code, as well as zero-day malware and SQL injection attacks. Waratek prevents attacks from reaching applications regardless of whether they target business logic or code vulnerabilities.

To protect against malicious exploits, abnormal file manipulation or unexpected network connections, Waratek uses a small set of rules to quarantine illegal operations inside the application. Its Taint Detection Engine can detect and block SQL Injection attacks with 100 percent accuracy and without generating the false positives associated with Web Application Firewalls and other technologies that rely on heuristics and signature-based detection. Waratek enables applications to protect themselves from the inside out, without code changes, additional hardware or any user-discernible performance degradation.
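To make the contrast between taint tracking and signature matching concrete, here is a constructed Python model (added for this article; it is not Waratek's code and does not describe its engine). It tags every character that came from a request parameter, tokenizes the resulting SQL, and flags a query only when user-supplied characters end up as structure (a keyword, operator or quote) rather than as data inside a string literal; the signature list and query template are assumptions.

```python
import re
from typing import List, Tuple

# Tokenizer for a small SQL subset: string literals ('' escapes a quote), words, punctuation.
TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\w\s]")
# Substrings a naive signature/heuristic filter would match (constructed, deliberately simple).
SIGNATURES = [re.compile(p, re.I) for p in (r"'", r"\bor\b", r"--", r"union\s+select")]
# Assumed query template of the application being protected.
PREFIX, SUFFIX = "SELECT * FROM users WHERE name = '", "'"

def build_query(user_input: str, escape: bool) -> Tuple[str, List[bool]]:
    """Model of an app concatenating a request parameter into SQL.
    Returns the query and a per-character taint mask (True = came from the user)."""
    data = user_input.replace("'", "''") if escape else user_input
    query = PREFIX + data + SUFFIX
    taint = [False] * len(PREFIX) + [True] * len(data) + [False] * len(SUFFIX)
    return query, taint

def signature_check(user_input: str) -> bool:
    """WAF-style heuristic: inspects the raw parameter for suspicious substrings."""
    return any(s.search(user_input) for s in SIGNATURES)

def taint_check(query: str, taint: List[bool]) -> bool:
    """Taint-style check: injection only if tainted characters become SQL structure.
    Tainted text confined to the inside of a string literal is data and is allowed."""
    for m in TOKEN.finditer(query):
        span = taint[m.start():m.end()]
        if not any(span):
            continue                       # token written entirely by the developer
        is_literal = m.group().startswith("'") and len(m.group()) >= 2
        if is_literal and not span[0] and not span[-1]:
            continue                       # user data stayed inside developer-written quotes
        return True                        # a keyword, operator or quote came from the user
    return False

def evaluate(user_input: str, escape: bool) -> Tuple[bool, bool]:
    """Returns (signature_flagged, taint_flagged) for one request parameter."""
    query, taint = build_query(user_input, escape)
    return signature_check(user_input), taint_check(query, taint)

if __name__ == "__main__":
    for value, esc in (("O'Brien", True), ("x' OR '1'='1", False), ("alice", False)):
        print(repr(value), evaluate(value, esc))
```

The name "O'Brien" trips the signature filter but passes the taint check once the application escapes it, while the classic tautology payload is flagged by both; a developer-written query containing `OR` carries no taint and is never flagged.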

Availability

Waratek AppSecurity for Java with SAST and DAST integration is available immediately from Waratek and its business partners worldwide.

Waratek Resources

SAST + RASP Video: http://www.waratek.com/solutions/automatic-remediation-of-sast-output/

Overview: http://www.waratek.com/products/appsecurity-for-java

Data Sheet: http://www.waratek.com/documentation/ds-waratek-application-security-java/

Whitepaper: http://www.waratek.com/documentation/wp-securing-java-inside

BCC Risk Advisory SQLi Report: www.waratek.com/documentation/bcc-risk-advisory-executive-summary

About Waratek

Waratek makes enterprise apps more secure and easier to manage. Waratek AppSecurity for Java and Waratek Locker provide transparent, runtime application self-protection in datacenter and cloud environments, respectively. Waratek CloudVM enables multiple Java apps to be deployed on a single server for dramatically reduced operating costs. The company was chosen as the Most Innovative Company at RSA Conference 2015, is a SWIFT Innotribe Top Global Innovator and FinTech Innovation Lab winner. Waratek is headquartered in Dublin, Ireland with subsidiaries in New York and London, and offices in Sydney, Tokyo, Shanghai, Taipei and Seoul. For further information please visit www.waratek.com.
