Wp Exposure 060515

    Application Security Without Compromise

    Indecent Exposure: Why Application Security Leaves Enterprises Wide Open to Attacks

    WHITEPAPER

    Contrast Security | Application Security Without Compromise

    Indecent Exposure: Why Application Security Leaves Enterprises Wide Open to Attack | White Paper

    Executive Summary

    Will your organization suffer a data breach this year? Most businesses will answer yes to that question, according to a 2015 study by CyberEdge.[1] And applications remain the top target of successful data breaches. Applications make an easy, productive and ultimately profitable target for hackers looking to breach data. Apps are exposed to the world, and the security initiatives designed to protect them are a failure. It's not the fault of application security staff; it's the tools at their disposal. They are slow, inaccurate and require experts to operate them.

    Enterprises need a new application security approach to solve the data breach epidemic. Security professionals must be able to understand what's going on within applications, regardless of whether those applications are being developed or are already in production, whether on premises or in the cloud, and whether accessed via a browser or an API. They need to leverage that visibility to gain assurance that there are no vulnerabilities, that their applications are well protected, and that their security analytics systems are well informed.

    Contrast Security delivers an effective, proven approach to application security that empowers organizations to deliver secure applications at the scale and speed that business demands.

    The Data Breach Era

    News, analyst reports and studies show that enterprises are losing the battle to protect their sensitive data from hackers. While organizations spent roughly $25 billion in 2014 to prevent breaches, over 400 million people lost personally identifiable information (PII) through enterprise data breaches.[2]

    How is this possible? It is because organizations are vulnerable to breaches through the very applications they depend on to power and conduct their business. The Verizon 2015 Data Breach Investigations Report noted that web applications have been the top vector for successful data breaches for nearly a decade. Yet only 4% (see Figure 1) of corporate breach prevention spend is on application security.

    Why aren't business applications secured? Have enterprises simply resigned themselves to this game of chance, hoping they won't be the next high-profile name on the list of breached enterprises?

    [1] 2015 CyberEdge Cyberthreat Defense Report
    [2] Gartner, Contrast Security Analysis


    Application Security Today Isn't Working

    The application security tools in use today are outdated and have, as a category, failed to deliver on their promises. Worse, the adoption of these tools has caused tensions within businesses and, in some cases, cultivated a false sense of security. Static application security testing (SAST) tools, dynamic application security testing (DAST) tools, and Web Application Firewall (WAF) products lack the visibility and application context required to produce accurate results. Each is unnecessarily complex and requires the involvement of experts. These legacy tools are so unreliable and dependent upon experts that they cannot scale to meet the needs of even moderately sized organizations.

    Application Security Assurance: Pass, Then Fail

    Today's application security programs provide poor security assurance and coverage of applications, one of the main reasons why applications are the preferred method of breach by hackers. However, application security teams are not at fault here. The blame for this lies with legacy SAST and DAST tools, which are slow, inaccurate and require experts to operate. The tools turn application security into a crippling application delivery bottleneck and force enterprises to make unsavory compromises with their security. Development automation and the rise of DevOps practices are accelerating both the scale and speed of application development, driving the failures of SAST and DAST tools to a crisis point.

    So why do enterprises spend only 4% of their budgets on application security? For starters, there aren't enough application security experts out there to scale. Lack of visibility into application attacks is another factor. No data means application security teams have difficulty quantifying the risks to secure the budgets needed to expand.

    Figure 1. Data Breach Prevention Spend, 2014 ($ millions)

    Access Control                 $4,270
    Data Security                  $1,707
    Application Security (4%)        $904
    Endpoint & Email Security      $6,080
    Network Perimeter Security    $12,116

    Source: Gartner, Contrast Security Analysis


    With today's application security tools, testing all applications is impossible, so security testing is reserved for only the most important applications.

    In a two-year report covering hundreds of applications, Aspect Security[3] found that many companies perform security testing on only 10% of their application portfolios. Even among the applications tested, the intense pressure to get applications out on time leads teams to focus on the critical vulnerabilities that are easiest to repair and to ignore deeper flaws. The Aspect Security study additionally found that applications released into production still have an average of 23 critical vulnerabilities.

    [3] Aspect Security 2013 Global Application Security Risk Report

    Known Vulnerabilities Go Unfixed

    Even when vulnerabilities in widely used libraries and other software are discovered and publicly documented, organizations still fail to patch the applications using that code. According to the Verizon 2015 Data Breach Investigations Report, over 99.9% of exploited vulnerabilities are compromised more than a year after the vulnerability is published as an official CVE. Vulnerabilities in custom and legacy applications face the same challenges.

    Figure 2. Why application security fails to protect the modern enterprise application portfolio (diagram labels: Assurance, Coverage, Process Fit; Experts, Expert Tools, Application Portfolio)


    Understanding Application Attacks: Unknown Unknowns

    Most organizations are blind when it comes to understanding which of their applications are under attack, how often, by whom, and what's being stolen. The lack of visibility, solid metrics and insight into the application attack surface makes it impossible to effectively prioritize application security efforts.

    More mature organizations employ Web Application Firewalls (WAFs) to monitor attacks, or require development groups to build security logging into applications. But the lack of context and expertise limits the effectiveness of these efforts and provides only partial visibility. Organizations are left unaware of the scope and damage done through vulnerable applications, believing themselves secure until an outside party contacts them about a suspected data breach.

    Protecting Applications: Tune, Tune and Tune Some More. Repeat Forever

    Application security isn't just about finding and fixing vulnerabilities in software. Efforts to protect applications include network security tools as well. Unfortunately these tools, such as WAFs, largely fail because of the continuous fine-tuning and learning required to pass legitimate traffic while blocking malicious attacks. Network-based tools lack the application context to accurately identify attacks, resulting in a tremendous number of false positives and poor user experiences. This leads enterprises to deploy these solutions as monitors only, too afraid of blocking customers and other legitimate users from conducting business.

    Stopping Hackers Requires Assurance, Visibility and Protection

    Enterprises need to embrace a new mindset to secure their applications and eliminate application security risks. They need to stop the flow of vulnerable applications into production and to better protect applications once in production. They must do this with the speed, accuracy and scale to match modern development methodologies (e.g., continuous integration and continuous deployment). Enterprises must remove the bottleneck of application security experts and eliminate the complexity that current application security tools introduce.

    Share the Responsibility of Security Assurance with Development

    If application security teams remain solely responsible for application security, then the secure application portfolio will remain a fantasy. Scale will forever be a roadblock. AppSec teams need to get out of the critical path and work with development teams to enable developers to become secure coders. New, developer-friendly security tools are required to help developers code securely without the need for security to step in. This frees application security to focus on more strategic initiatives, such as research on advanced threats and security architecture design, while acting as advisors to the empowered development teams. Partnering with development is the only way an enterprise can completely secure its entire application portfolio at the pace of today's business.


    Total Visibility into the Application Portfolio

    In order to properly protect all their applications, enterprises must first understand how their applications are being attacked. The only way to do this effectively at scale is to have the applications themselves report back on attack metrics, so that the data is accurate, timely and ubiquitous. Reporting from within the application ensures the data has the proper context to identify an attack, can be reported the instant an application sees an attack, and can be made available to any solution for analysis and reporting. Reporting from within the application also means that data remains available even if the application is hosted in public cloud infrastructure.

    Ideally, enterprises would get applications to self-report by having development teams implement a standard system of security logging. In practice, such a policy would be difficult to enforce, resulting in inconsistent visibility. More practically, security logging can be instrumented into the applications at run-time, providing a much more standard and controlled system on which to build visibility. Instrumentation is the ability to record and measure information within an application without changing the application itself. In fact, many organizations already use instrumentation to report on application performance.

    Employ Application Self-Defense

    Even with a portfolio filled with securely developed applications, hackers will continuously attempt to exploit an enterprise through its applications. Dreaded zero-day exploits and newly discovered vulnerabilities in commonly used open source components provide windows of opportunity for hackers. Application defenses need to respond to the changing attack landscape quickly and accurately to block hackers from breaching an application.

    The only place where defenses can have the union of complete attack information, context of application vulnerability and the opportunity to stop an attack is within the applications themselves. Applications overcome the false positive challenge by seeing the fully formed attack and understanding how the attack can impact the application. Once the defenses see that a breach is possible, the application is able to stop the transaction and block the attack. Much like visibility, application-based defenses move with the application and protect it no matter where the application lives. This technology is referred to today as Runtime Application Self-Protection, or RASP.
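    The instrumentation approach described above, as an added illustration that is not Contrast's code and does not claim to show how Contrast DSI works: a source sensor on the request entry point and a sink sensor on the database call, attached by hooking sqlite3.connect so the application's own code stays untouched. The sink sees the untrusted input beside the fully formed SQL statement, blocks the request only where that input actually alters the statement, and records the attack event the application reports about itself. The application, the sensors and the event format are all constructed for this example.

```python
import re
import sqlite3

TAINTED, EVENTS = [], []  # source-recorded untrusted input; self-reported attack events (constructed)

class AttackBlocked(Exception): pass  # raised at the sink when the request could exploit the app
# Input carrying SQL syntax (quote, comment, keyword) changes statement structure; heuristic, not a parser.
STRUCTURE = re.compile(r"'|--|;|\b(OR|AND|UNION)\b", re.IGNORECASE)

class SensedCursor(sqlite3.Cursor):
    """Sink sensor: sees the fully formed statement beside the request input.
    A parameter-bound value never enters the statement text, so it is not blocked."""
    def execute(self, sql, *params):
        for value in TAINTED:
            if value in sql and STRUCTURE.search(value):
                EVENTS.append({"rule": "sql-injection", "input": value,
                               "statement": sql, "blocked": True})
                raise AttackBlocked("sql-injection")
        return super().execute(sql, *params)
class SensedConnection(sqlite3.Connection):
    def cursor(self, factory=SensedCursor):
        return super().cursor(factory)

def install_agent():
    """Hook sqlite3.connect so every connection carries the sink sensor; the
    application's own code is not modified (the instrumentation idea above)."""
    real_connect = sqlite3.connect
    sqlite3.connect = lambda *a, **kw: real_connect(*a, factory=SensedConnection, **kw)

def sensed_request(handler):
    """Source sensor: marks a request's string arguments untrusted while the
    handler runs, then clears them so taint cannot leak into the next request."""
    def wrapper(*args):
        TAINTED[:] = [a for a in args if isinstance(a, str)]
        try:
            return handler(*args)
        finally:
            TAINTED.clear()
    return wrapper

# Constructed application, written as if unaware of the sensors: one lookup
# concatenates input into SQL (the flaw), the other binds it as a parameter.
install_agent()
conn = sqlite3.connect(":memory:")
conn.executescript("CREATE TABLE users (name TEXT, role TEXT);"
                   "INSERT INTO users VALUES ('alice', 'admin');")

@sensed_request
def find_role_unsafe(name):
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return conn.cursor().execute(sql).fetchall()

@sensed_request
def find_role_safe(name):
    return conn.cursor().execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
```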

    Contrast Enterprise: Unprecedented Security and Visibility

    Contrast Enterprise was developed to help organizations protect their applications and data from hackers at the speed and scale of modern application development. It is the only product that unites application protection, vulnerability detection and visibility in a single solution and provides security continuously throughout the application lifecycle.

    Contrast Enterprise employs patented deep security instrumentation (DSI) to provide applications with three layers of defense: Assurance, Visibility and Protection, all without requiring code changes or experts to remediate problems. Contrast DSI deploys sensors throughout the application, providing unprecedented visibility into custom code, libraries, frameworks, configuration files and runtime data flow. This rich context enables Contrast Enterprise to act quickly and with pinpoint accuracy.


    Figure 3. Contrast deep security instrumentation provides all the context needed to secure and protect applications. (Diagram labels: Presentation, Controller, Business Functions, Data Layer, User Libraries, Application Server, Runtime Libraries; Contrast Instrumentation; deep security instrumentation across running applications.)

    Three Layers of Defense

    Assurance

    Contrast removes the bottleneck problem by enabling fully automated vulnerability detection without the need for security expertise. Contrast's patented deep security instrumentation technology identifies vulnerabilities without the need for scanning or security testing, and the results are highly accurate and easily understood by developers. Contrast Enterprise provides detailed expert analysis and identifies the line of code in which the vulnerability resides, guiding developers to find and remediate vulnerabilities without needing to be AppSec experts.

    Visibility

    Contrast deep security instrumentation not only gives teams highly accurate information about vulnerabilities; the same technology is used to provide outstanding visibility into the attacks applications face. Instrumentation allows applications to report on attack sources, the type of attack and the number of attacks, as well as provide detailed information on how the attack interacted with the application. Contrast DSI is extensible and allows teams to define custom logging methods, giving insight into any part or behavior of the application without requiring source code changes or developer involvement. All this intelligence may be integrated with SIEM solutions for additional analysis and incorporation into a larger security operations effort.

    Protection

    Once attacks have been identified, Contrast Enterprise can block those attacks using a number of blocking rules to prevent hackers from successfully breaching an application. Contrast combines attack and vulnerability information to identify and block those attacks that could successfully exploit an application. CVE Shields may be deployed right out of the box to protect vulnerable libraries from exploits. Protection rules block categories of attacks, such as SQL Injection or XSS. Virtual patches may be used to quickly deploy defenses against the next branded vulnerability, like Ghost or Heartbleed. Contrast Enterprise defenses are highly accurate because Contrast DSI technology provides the necessary context from the application to accurately identify the attack and properly block it.

    Three Layers, One Product

    With Contrast Enterprise, all application security status details are aggregated into a single location, without needing to switch between tools or attempt complicated integrations. From a single pane of glass, enterprises can ensure that efforts to automate their business are safe from hackers, identify what can be done to improve their security and track their improvement over time.

    Conclusion

    Legacy application security tools have failed organizations. These tools rely on application security experts, creating a bottleneck that holds up the delivery of business applications and requires constant expert tuning. Successful application security requires a new approach, one that provides speed, visibility and accuracy across the entire application portfolio and the enterprise. With its patented deep security instrumentation, only Contrast Enterprise is able to successfully deliver the three levels of defense that application security organizations need.

    291 Lambert Ave, Palo Alto, CA 94306 | 650.567.4734 | www.contrastsecurity.com

    Contrast Security is the world's only application security software that quickly and accurately stops hackers from stealing data via web applications, the most successful attack vector. Industry research shows that application security flaws are the leading source of successful data breaches, yet more than 90% of applications are not secure. Unlike legacy security products that do not defend applications, Contrast employs patented deep security instrumentation to strengthen applications before they're deployed, protect them in production and provide visibility throughout the application lifecycle. As a result, organizations can act faster against threats and immediately reduce their attack surface. More information on Contrast Security can be found at http://www.contrastsecurity.com/.

    Contrast Security 2015