NEW YORK – June 17, 2015 – Waratek, the application protection and management company, today announced that it has added automated security vulnerability remediation to its AppSecurity for Java Runtime Application Self-Protection (RASP) product. According to the 2014 WhiteHat Security Website Security Statistics Report, Java vulnerabilities remained unfixed for an average of 90.9 days. The new capabilities eliminate the need to make any code changes and can reduce the time it takes to remediate flaws from three months to thirty minutes.
Waratek can now use assessments generated by software application security testing (SAST) tools to automatically generate rules that provide a virtual patch against code level attacks including SQL injection, unrestricted uploads, command injection, path traversal, code injection and more. According to Gartner, Inc.: “The existing security paradigm fails to test and diagnose all applications for security vulnerabilities, and then fails again to protect those vulnerable applications....In view of the failure to test and protect our applications, the only viable solution is self-testing and self-protection. Applications must test, diagnose, and protect themselves.”
Source: Gartner, Inc., Maverick* Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves, Joseph Feiman, 25 September 2014
Firehose of Flaws
One leading SAST vendor that evaluated 54,000 applications at 200 companies over a nine month period discovered 11 million vulnerabilities. Despite the widespread use of SAST tools, the enormous number of vulnerabilities detected are virtually impossible to remediate. Primarily because these tools do not correct flaws. As a result, fixing security problems in source code is manual, time consuming and costly.
Waratek has developed the ability to consume CWE (Common Weakness Enumeration) reports form SAST and DAST tools including HP Fortify, Veracode, Checkmarx and others to generate rules that immediately address the top application security flaws identified by SANS and OWASP. This fully automated workflow can immediately protect production applications without any manual intervention or configuration. It can also be integrated into the Software Development Lifecycle. Using a closed-loop process, Waratek AppSecurity for Java provides validation to SAST/DAST tools that vulnerabilities have been remediated.
“At a typical enterprise, only a fraction of the vulnerabilities identified in internally written applications are fixed. For applications and software components provided by third parties, the number is exponentially higher,” said Brian Maccaba, CEO of Waratek. “By integrating application vulnerability reporting into our RASP platform we have created an end to end process that can reduce remediation times from months to minutes and increase productivity 100 fold.”
Beyond its security advantages, the integration of SAST/DAST with Waratek App Security for Java provides the following business benefits:
• Risk Reduction: lowering the time to remediation is a critical metric in Application Security
• Cost Savings: the automation of laborious and costly manual vulnerability remediation processes
• Business Agility: enables organizations to build and secure applications faster
• Compliance: automatic remediation of critical threats (such as SQL Injection, XSS) helps ensure that organizations meet regulatory requirements
The RASP Advantage
Waratek provides RASP for security monitoring, policy enforcement and attack blocking from within the Java Virtual Machine. This approach protects both data center and cloud-based applications against exploits that target vulnerabilities in third party libraries or legacy code, as well as zero-day malware and SQL injection attacks. Waratek prevents attacks from reaching applications regardless of whether they target business logic or code vulnerabilities.
To protect against malicious exploits, abnormal file manipulation or unexpected network connections, Waratek uses a small set of rules to quarantine illegal operations inside the application. Its unique Taint Detection Engine can detect and block SQL Injection attacks with 100 percent accuracy and without generating false positives associated with Web Application Firewalls and other technologies that rely on heuristics and signature-based detection. Waratek enables applications to protect themselves from the inside out, without code changes, hardware or any user discernible performance degradation.
Waratek AppSecurity for Java with SAST and DAST integration is available immediately from Waratek and its business partners worldwide.
SAST+ RASP Video:
BCC Risk Advisory SQLi Report: www.waratek.com/documentation/bcc-risk-advisory-executive-summary
Waratek makes enterprise apps more secure and easier to manage. Waratek AppSecurity for Java and Waratek Locker provide transparent, runtime application self-protection in datacenter and cloud environments, respectively. Waratek CloudVM enables multiple Java apps to be deployed on a single server for dramatically reduced operating costs. The company was chosen as the Most Innovative Company at RSA Conference 2015, is a SWIFT Innotribe Top Global Innovator and FinTech Innovation Lab winner. Waratek is headquartered in Dublin, Ireland with subsidiaries in New York and London, and offices in Sydney, Tokyo, Shanghai, Taipei and Seoul. For further information please visit www.waratek.com.