The Top 3 Needs of Application Security Today: Context, Visibility, and Control


Applications are under increasing attack, yet today’s security tools produce too many false alerts. Security teams need context to distinguish whether an attack is real, visibility to understand how to resolve it, and control to block the attack from being successful, shares Pravin Madhani, CEO and co-founder at K2 Cyber Security.

Digital transformation and cloud adoption have been key driving initiatives in IT organizations that were given even more importance with the COVID-19 pandemic, forcing many organizations to let their employees work from home. The increase in remote workers drove the need to move resources and data to the cloud to support workers working from anywhere, on any device, and any network. 

Throughout this digital transformation, organizations continue to see an increase in attacks and resulting data breaches, making application security essential for every organization. This article will examine the top 3 requirements for application security to identify and combat the attacks on applications today: Context, Visibility, and Control.  

Security tools do report when there are attacks on applications. Ask a typical IT security professional, though, and the problem is that they report too many attacks (more than most security organizations can handle), including attacks that are actually harmless, while still missing dangerous ones. To figure out which reported attacks should be investigated, organizations need context to know whether the attack was real, visibility to understand the damage the attack caused or would have caused had it been allowed to proceed, and control to make sure the attack doesn’t succeed.

Context

A typical example of an attack being flagged against an application that is not actually vulnerable is a traditional security tool, for example a web application firewall (WAF), detecting a well-known SQL injection pattern such as “OR 1=1” appended to the end of a form field. Against a vulnerable application, this makes the condition in the resulting SQL query true, since “1=1” is always true.

The WAF sitting on the network edge doesn’t have the context to know whether the application it is protecting is actually vulnerable to this particular SQL injection, so it will always spend resources blocking the attempt, flag it as dangerous, and send an alert. For an application that is coded correctly so that this SQL injection attempt cannot succeed, this produces many warnings that the IT security team could otherwise have safely ignored.

Perhaps even worse, an attacker may attempt an SQL injection using a more complex expression, say “OR 2*3 = 1+5”. If the security tool, such as a WAF, uses a pattern match looking for the simpler “1=1”, it will likely miss the more complex expression, as there are infinitely many expressions that can be written to evaluate as true. Here the result is a bigger problem: completely missing an attack. A security solution needs to understand whether an entry from a user can actually exploit a vulnerability in the application.

An example of an application security solution that can provide context on exploitability uses an agent running on the application server, which continuously assesses and monitors the application as it executes. These solutions were originally called Runtime Application Self-Protection (RASP) but have lately been included in the Cloud Workload Protection Platform (CWPP) category as well as in Application Observability Platforms. By running directly on the server where the application runs, these agent-based solutions continuously assess for vulnerabilities by instrumenting the code as it executes.
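To make the contrast concrete, here is an added Python example (not code from the article or from K2 Cyber Security) that pairs a hypothetical WAF-style signature with a toy runtime hook standing in for an agent's instrumentation. The payloads, table, and rule are constructed for illustration; the hook also records which function built the statement, the kind of code location the Visibility section below describes.

```python
import re
import sqlite3
import traceback

# Constructed sample inputs: the two payloads the article discusses.
SIMPLE_PAYLOAD = "' OR 1=1 --"
COMPLEX_PAYLOAD = "' OR 2*3=1+5 --"

# Hypothetical edge-side signature, standing in for a WAF rule keyed on "1=1".
WAF_SIGNATURE = re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE)


def waf_flags(value):
    """Network-edge pattern match: sees the input, not how the app uses it."""
    return bool(WAF_SIGNATURE.search(value))


class InstrumentedDb:
    """Toy stand-in for a runtime agent: wraps execute() and records the
    statement the application really sends, plus the function that built it."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT)")
        self.conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
        self.last_sql, self.last_caller = "", ""

    def execute(self, sql, params=()):
        self.last_sql = sql                                          # what reached the DB
        self.last_caller = traceback.extract_stack(limit=2)[0].name  # who built it
        return self.conn.execute(sql, params)


def lookup_concatenated(db, name):
    """Vulnerable pattern: input spliced into the statement text."""
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_parameterized(db, name):
    """Hardened pattern: the driver binds the value; it never becomes SQL."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def runtime_verdict(db, lookup, value):
    """Context plus visibility: exploitable only if the raw input reached the
    database inside the statement text; report the function responsible."""
    lookup(db, value)
    if value in db.last_sql:
        return "exploitable", db.last_caller
    return "harmless", db.last_caller
```

The signature fires on the simple payload and misses the complex one, while the runtime hook gives the same verdict for both and only for the concatenated query.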

Context, or in other words a better understanding of the application being protected or tested, can significantly reduce the number of alerts and increase the number of real attacks detected. This lets IT security teams focus specifically on exploitable alerts that could lead to an actual attack and a real data breach.

As a result, organizations can detect an attack as it occurs, verify the exploitability of the attack in the running code, and eliminate alerts on harmless attacks. 


Visibility 

Once a vulnerability is detected and verified as exploitable, fixing it as quickly as possible requires visibility into both the attack and the application code: first, the full parameters of the attack so that it can be reproduced, and second, where the vulnerability exists in the application code. Together these two pieces of information enable a developer to quickly resolve the issue in the code and get the application running safely in production.

Once again, traditional solutions lack the complete visibility needed to quickly resolve a vulnerability in application code. Take the WAF example we started with. A WAF resides on the network edge, and while it may see an attack happen, without a presence on the application server it cannot provide visibility into the application code to determine where the vulnerability exists. And if the WAF failed to detect the attack in the first place, finding the actual attack information in the WAF logs will be difficult.

The visibility problem can be solved by the agent-based solution discussed earlier. A RASP or CWPP solution typically captures the attack parameters on the application server, and by instrumenting the code it can provide visibility into the exact location in the code where the vulnerability exists. This helps the developer quickly reproduce the attack with the captured parameters and locate the vulnerability at the location the solution reports.

Control

While context and visibility are vital to identifying and resolving vulnerabilities in code, another important aspect of application security is preventing an attack from succeeding in the first place. Control is needed to make sure attacks are blocked before they do any damage, while also ensuring that no legitimate transactions are blocked and that legitimate traffic to the organization’s websites and applications gets through successfully.

When talking about control, the first two application security needs (context and visibility) are key to making control successful. IT security has traditionally been leery of using new technologies in blocking mode for fear of too many false positives (causing legitimate traffic to be blocked). Context and visibility make it possible to protect only exploitable vulnerabilities from attack, which makes a blocking policy feasible.

The good news is that an agent-based application security solution such as a RASP or CWPP can also block attacks on exploitable vulnerabilities. With their ability to give context and visibility into actual attacks, they make an ideal platform for protecting the application by blocking the attack as it happens, in real time.

The ability to block attacks on vulnerabilities in running code is essential. Even once a vulnerability is discovered, it still takes development teams time to fix, test, and roll out remediated code. An agent-based solution can help speed this up by giving the context and visibility needed to locate the vulnerability and reproduce it in testing while, at the same time, protecting the vulnerability from exploitation while the code is still running in production.

Today, application security requires continuous real-time assessment while giving context, visibility, and control as part of the overall security solution.

How do you see the app security space evolving in the near future? Share your thoughts with us on LinkedIn, Twitter, or Facebook. We’d love to know!
