Shadow Code is a major risk for web applications


A new report by Osterman Research notes that most websites use third-party libraries to simplify common functions, but those same libraries often present application security risks. Organizations also typically lack visibility into third-party code, making it difficult to determine if websites and web applications have been compromised.

Many organizations use third-party libraries to speed up development and use the code to enable features like ad tracking, payment integration, chatbots, customer reviews, social media integration, tag management , among others. Because these functions tend to be needed on many types of websites and applications, they are often reused by many organizations, increasing the available attack surface available to attackers when they target these libraries. .

According to the report, 99% of those surveyed said their websites use supply chain vendors or third-party code from vendors who also get code from their partners. Over three-quarters (80%) said third-party scripts made up 50-70% of their website functionality. This exposes most websites to the risks of ghost code.

The lack of visibility of this third-party code is glaring, as nearly half (48%) of those surveyed could not say for sure that their websites had not suffered a cyber attack.

With the risk of third-party libraries, organizations must take steps to prevent their websites and applications from being attacked and any existing vulnerabilities from being exploited. While many turn to WAFs to protect their production applications, there is plenty of evidence that WAFs are less than effective at protecting web applications. The product category known as runtime application security protection, which can protect web applications and their vulnerabilities from real-time exploitation, is often overlooked.

Take a page from NIST to improve application security

Even the National Institute of Standards and Technologies (NIST) recently recognized the need for runtime application security. (GRATED). The latest revision of NIST SP800-53 includes RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing) requirements. This is a first by recognizing these two advances in application security and now requiring them within the framework of security.

In addition, there are a number of simple steps an organization can take to improve the security of its web applications. It all starts at the very beginning of application development, and this helps ensure that developers consider security when developing and coding applications. Second, ensure that software and operating systems are up to date, with the latest updates and fixes to ensure that known vulnerabilities that have fixes are not exploited.

In addition to these two fundamental starts of application security, there is still a need to ensure the security of web applications running in production, especially against threats that are missed or generally not secured by network or system level security. OWASP’s Top 10 Web Application Security Risks are a prime example of risks that are typically not protected by network or system level security.

A RASP solution resides on the same server as the application and provides ongoing security for the application during runtime. By running on the same server as the application, RASP solutions ensure continued application security during runtime. For example, as mentioned earlier, a RASP solution has full visibility into the application, so a RASP solution can analyze the execution of an application to validate code execution and can understand the context of the application’s interactions. .

IAST is the other new recommendation for application security from the revised NIST draft, and if you haven’t heard of IAST, there is a good definition available from Optiv.

“IAST is an emerging approach to application security testing that combines elements of its two more established brothers in SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). IAST instruments the application binary which can allow both DAST type confirmation of the success of the exploit and SAST type coverage of the application code. In some cases, IAST allows security testing as part of the general application testing process, which offers significant benefits to DevOps approaches. IAST has the potential to conduct tests with fewer false positives / negatives and a higher speed than SAST and DAST.

With these two new requirements (RASP and IAST) for application security added to the NIST framework, it is really time to rethink the way your organization handles application security.

At K2 Cyber ​​Security, we would like to help you with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks, while generating the fewest false positives and alerts. Rather than relying on technologies such as signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without limiting ourselves to detecting attacks based on prior attack knowledge. Deterministic security uses application runtime validation and verifies that API calls are working as expected by code. No prior knowledge of an attack or the underlying vulnerability is used, giving our approach the true ability to detect new zero-day attacks. Our technology has 8 granted / pending patents, and has no false alerts.

We also recently released a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero day attacks and how deterministic security meets the need for detect zero day attacks. The video explains why technologies such as artificial intelligence, machine learning, heuristics, fuzzy logic, pattern and signature matching fail to detect true zero day attacks, giving very specific examples of ‘attacks where these technologies work and where they fail to detect an attack.

The video also explains why deterministic security works against true zero day attacks and how K2 uses deterministic security. Watch the video now.

Change the way you protect your apps, include RASP, and verify K2’s app workload security.

Find out more about K2 today by requesting a demo or get your free trial.


Comments are closed.