IBM’s 2020 report on the Cost of a Data Breach found that on average it takes 280 days to fix a vulnerability in production once a breach is discovered. If you’ve got an application in production you may be wondering how you can protect the application once a vulnerability is identified, and before that vulnerability is fixed.
If you’re like most organizations, you probably can’t take the application down, since that would mean lost revenue, lost productivity or some other negative impact. So the application stays up in production, still vulnerable to another breach, while you wait for the code to be fixed.
This is exactly the scenario where Runtime Application Self-Protection (RASP) makes sense. A RASP solution can protect a vulnerable application from attacks and can implement virtual patching to prevent a vulnerability from being exploited until an actual patch for the code becomes available.
The new NIST SP 800-53 Revision 5 Security and Privacy Framework includes RASP in its catalog of security controls. It is the first to recognize the importance of an application security solution that not only detects attacks such as zero-day and OWASP Top 10 attacks, but also offers self-healing: a solution that can block the attack, essentially providing virtual patching of the vulnerability.
If you’re not familiar with RASP, it’s not a new concept. The product category has existed since 2012, and came about because of the need for security specific to the challenges and threats that web applications face. If you think a WAF covers all your application security requirements, you would not be alone, but you would be missing many application security needs. WAFs have been around in their current form since around 2002, but they function as a network perimeter security solution and have failed to address many of the issues applications face in today’s threat landscape.
A typical RASP solution has code-level visibility into the application and can analyze all activity related to the application to accurately identify when an attack occurs, thereby reducing the number of false positives. Unlike WAFs, which only see the traffic coming to and from the server, a RASP can see what’s happening inside the application and determine whether the application itself is being used inappropriately. In addition, RASP is the first security category to offer self-protection for the application.
By running on the same server as the application, RASP solutions provide continuous security for the application at runtime. For example, as mentioned earlier, a RASP solution has complete visibility into the application, so it can analyze the application’s execution to validate that the code executes as intended, and it understands the context of the application’s interactions.
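To make the two ideas above concrete (execution validation from inside the application, and virtual patching that blocks exploitation while the vulnerable code stays in place), here is an added example that is not code from the original post or from any RASP product. It is a minimal, in-process hook around `sqlite3` execution: the application's intended query templates are registered, each statement executed at runtime is reduced to its syntactic "shape" by replacing literals with a placeholder, and any statement whose shape was not intended by the application is blocked before it reaches the database. The sample table, the `lookup_user` function and the `TEMPLATES` list are constructed for this illustration; `lookup_user` deliberately concatenates input into SQL to stand in for the vulnerable code that cannot yet be patched.

```python
"""
Added example (not from the original post): a toy RASP-style hook that
validates SQL execution from inside the application.

Technique: normalise each statement into a "shape" (literals replaced by '?',
whitespace collapsed, lower-cased). The allowed shapes come from the
application's own query templates. A statement whose shape differs from every
template has had its structure altered by input, so the hook blocks it and
records an alert. The vulnerable code path is left untouched, which is the
virtual-patching behaviour described in the text.
"""
import re
import sqlite3

# Single-quoted string literals (with '' escapes) or bare numeric literals.
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def sql_shape(statement: str) -> str:
    """Collapse literals to '?' and whitespace to single spaces so that only
    the statement's syntactic structure remains."""
    shape = LITERAL_RE.sub("?", statement)
    return " ".join(shape.split()).lower()


class RaspBlocked(Exception):
    """Raised when a statement's structure was not intended by the application."""


class RuntimeSqlGuard:
    """Wraps a sqlite3 connection and checks every execute() against the
    registered templates. Blocked statements are recorded as events that a
    real RASP agent would forward to a SIEM."""

    def __init__(self, conn, templates):
        self._conn = conn
        self.allowed = {sql_shape(t) for t in templates}
        self.events = []

    def execute(self, statement, params=()):
        shape = sql_shape(statement)
        if shape not in self.allowed:
            self.events.append({"action": "blocked", "shape": shape})
            raise RaspBlocked(f"statement structure not intended by application: {shape}")
        return self._conn.execute(statement, params)


# Constructed sample application -------------------------------------------

# The query shapes the application is known to issue (taken from its code).
TEMPLATES = [
    "SELECT id, name FROM users WHERE name = 'placeholder'",
]


def build_db():
    """Create a constructed in-memory table with a couple of sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s1"), (2, "bob", "s2")],
    )
    return conn


def lookup_user(guard, name):
    """Deliberately vulnerable lookup (string concatenation) standing in for
    code that cannot be fixed yet. Returns the rows, or None if the guard
    blocked the statement."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    try:
        return [tuple(row) for row in guard.execute(sql)]
    except RaspBlocked:
        return None


if __name__ == "__main__":
    guard = RuntimeSqlGuard(build_db(), TEMPLATES)
    print(lookup_user(guard, "alice"))            # legitimate input passes
    print(lookup_user(guard, "bob' OR '1'='1"))   # structure changed: blocked
    print(guard.events)
```

Because the check compares structure rather than matching known payload signatures, it needs no prior knowledge of a specific attack string. The trade-off of this deterministic approach is that the allowed shapes must genuinely come from the application's own code: any statement whose structure the application never issues, including one produced by unusual but legitimate input that breaks the query, is blocked rather than reported as a low-confidence alert.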
Here at K2 Cyber Security, we’d like to help with your RASP requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation and verifies that API calls are functioning the way the code intended. No prior knowledge of an attack or the underlying vulnerability is used, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending and has no false alerts.
K2’s technology can also be used with DAST tools to provide IAST results during penetration and vulnerability testing. We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks and how deterministic security fills the need for detecting zero-day attacks. It covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, giving very specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications: include RASP, and check out K2’s application workload security.
*** This is a Security Bloggers Network syndicated blog from K2io authored by Timothy Chiu, VP of Marketing. Read the original post at: https://www.k2io.com/280-days-to-fix-a-vulnerability-in-production/