The risks of mismanaged security can no longer be captured by headline numbers, which rarely reflect the full extent of the damage or its ripple effects. In the rush to meet time-to-market pressures, application developers may not think through data security and user privacy, leaving enterprises to rely on rudimentary, interim threat-prevention tools. If perimeter security encouraged an era of insecure code at the application layer, runtime security risks repeating the offense one layer closer to the application. So how does one keep application security from disappearing into the proverbial Bermuda triangle of scope, schedule and budget? Let's look at common application security risks and ways to mitigate them:
Risk: Inadequate security personnel support to handle runtime monitoring tools
Runtime Application Self-Protection (RASP) came into being when the idea of an impenetrable network perimeter began to be viewed as improbable and unworkable. Security vendors moved the layer of defense in from the perimeter to the application runtime itself. But RASP addresses only a limited range of web application vulnerabilities, such as CSRF and SQL injection: serious but well-understood flaws for which developers have standard, low-effort fixes in code (anti-CSRF tokens, parameterized queries) that cost far less than indefinite runtime shielding.
The larger problem with RASP and WAF is that they do not correct vulnerabilities. What they essentially do is set up a temporary barricade, a virtual patch, which then becomes a 'dependency' of the vulnerability it detected: the flaw is still in the code, and only the barricade stands between it and an attacker. If that dependency and the temporary fix are not well documented and communicated to IT managers and executives, they are likely to be neglected with the passage of time, under the impression that the vulnerability has been neutralized.
What you can do: Build security into the core of the development team, or rather make it the crux of your DevOps strategy. Engage security posture analysts who can draw up comprehensive plans and policies for patch management, logging and lifecycle documentation, including a register of every compensating control and the code fix it is standing in for, with an owner and a retirement date. This gives the business a clear view of which solution works best for its line of business, endpoints, platform, scale and brand sensitivities.
Risk: Shortsighted planning
Both RASP and WAF add a shield around the application; neither helps build a secure application. Sooner or later, companies face the hard decision looming before them: keep paying for the compensating RASP control that covers a newly discovered vulnerability, or have the developers fix it. Small and medium businesses often find it hard to make a decision on the trade-off between mounting costs and impediments to business continuity.
What you can do: Understand the long-term benefits and limitations of each security implementation, product and tool before committing to it. Risk mitigation planning is incomplete without thorough threat awareness: a weighed analysis of defense tactics, together with an understanding of the vulnerabilities relevant to your context, the threat actors targeting your sector and the practices that put you at risk.
Risk: Entrusting complete autonomy with runtime monitoring
Runtime security is designed to stop attacks in real time and is notoriously prone to false positives. A runtime control can mistake unusual but legitimate traffic for malicious traffic and stop code from executing, damaging availability and amounting to a self-inflicted denial of service. A WAF is only as intelligent as its signature base and pattern-matching engine, which means it knows nothing about what the application does with a particular user input; it only knows enough to block inputs that 'seem' malicious. As one would expect, attackers craft payloads that evade a WAF by posing as harmless requests, for instance by encoding or rewording a payload so that no signature matches while the application still interprets it as intended.
What you can do: The basic mindset to adopt is one of synchronizing people and technology. Tools throw up false positives and cannot be left to decide how to act on their own. They need continuous monitoring by a security expert who can interpret the nature of sophisticated attacks and distinguish them from, say, routine performance-testing traffic loads.
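The limits of pattern matching, and the 'temporary barricade' described under the first risk, can be shown on one small request path. The following is an added example, not code from the original article: a toy signature filter standing in for a WAF or RASP rule set (the three patterns, the product catalogue and the search functions are all constructed here for illustration) placed in front of a string-built SQL query and then in front of its parameterized replacement.

```python
import re
import sqlite3

# Constructed sample catalogue, used only for this example.
PRODUCTS = [("Union Jack flag", 12.0), ("O'Reilly book", 30.0), ("Widget", 5.0)]

# Hypothetical signature set standing in for a WAF/RASP rule base: it knows
# what an attack string usually looks like, not what the application does
# with the value. The 'union' rule is deliberately over-broad, as real
# rule sets often are.
SIGNATURES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),  # classic tautology
    re.compile(r"\bunion\b", re.IGNORECASE),            # union-based injection
    re.compile(r"--"),                                  # SQL line comment
]


def make_db():
    """In-memory SQLite database seeded with the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def waf_allows(value):
    """Pattern-matching filter: passes anything that matches no signature."""
    return not any(sig.search(value) for sig in SIGNATURES)


def search_vulnerable(conn, term):
    """The flaw the filter is shielding: user input concatenated into SQL."""
    sql = f"SELECT name FROM products WHERE name = '{term}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """The developer fix: a parameterized query, with no filter needed."""
    sql = "SELECT name FROM products WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (term,))]


def handle(conn, term, query):
    """Request path: the filter sits in front of either query implementation."""
    if not waf_allows(term):
        return "blocked"
    try:
        return query(conn, term)
    except sqlite3.OperationalError:
        # The concatenated query breaks by itself on a legitimate apostrophe.
        return "error"


if __name__ == "__main__":
    conn = make_db()
    for term in ["Widget", "x' OR 1=1 --", "x' OR 'a'='a",
                 "Union Jack flag", "O'Reilly book"]:
        print(f"{term!r:18} vulnerable={handle(conn, term, search_vulnerable)!r}"
              f"  fixed={handle(conn, term, search_fixed)!r}")
```

Running it shows four outcomes on the same path. The textbook tautology is blocked. A reworded payload (`x' OR 'a'='a`) matches no signature, dumps the whole table from the string-built query, and returns nothing from the parameterized one. A legitimate search for "Union Jack flag" is blocked as a false positive, and it stays blocked after the code is fixed, because the barricade is still in front of it. And a legitimate apostrophe breaks the concatenated query outright. The fix belongs in the query; the filter only decides what 'looks' bad, and it keeps doing so until someone documents it and retires it.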
Another important takeaway: while RASP gives your applications self-protection capabilities, it also means engaging the attacker only once the malicious request is already deep in the stack, at the point of exploitation, whereas other controls can stop them further out, at the network boundary. Such a situation warrants the guidance of a security consultant who can instill a culture of robust, multi-faceted security fundamentals and prevent the budget from tilting toward a single, apparently imprecise defense mechanism.
Beginning with assistance in developing secure code, a security posture assessment brings adroit risk management planning backed by a custom-built threat profile. While tools are programmed to look for and block predefined activity, manual penetration testing thinks outside the box, mimicking attackers who try everything they can to dodge standard intrusion-prevention signatures.