Bolstering API and Application Security in Runtime Environments
August 16, 2023

Bret Settle
ThreatX

Digital transformation initiatives, many propelled by the pandemic, continue to accelerate at a rapid pace. And, as technology advances and user requirements grow, so does the complexity of the modern application stack — with security defenses often struggling to keep pace.

Developers are leveraging a variety of tools, platforms, languages, and services to deliver more sophisticated features and functionality. However, every additional component used to build an application increases the size of the attack surface and the risk of an attack. Threat actors have a greater chance of discovering a vulnerability, misconfiguration, or bug that can serve as a toehold into the environment.

Increasing Complexity Means New Attack Vectors

APIs are key to enabling developers to connect services and transfer data, automate repeatable tasks, or work with mobile devices and cloud. But the rise of APIs has also extended the attack surface and created another avenue for attackers to access the environment.

An increase in containerization and multi-cloud deployments has similarly expanded the attack surface. Containers are highly dynamic, complicating security. In fact, Sysdig recently reported that 63% of container images are replaced within two weeks or less. In multi-cloud environments, maintaining API visibility for each new cloud platform becomes more complex when security teams are tasked with tracking new, changed, insecure, or unmanaged APIs.

Ultimately, this dynamic attack surface, coupled with attackers' increasingly sophisticated methods, has created a scenario in which traditional security methods are no longer sufficient. As attackers increasingly learn how security solutions work and find ways around them, it's no longer enough to just analyze HTTP requests.

Lessons Learned from Log4j

Runtime threat protection — or the ability to monitor the environment where an application is executed, then take the necessary action to stop malicious behavior — is becoming critical in today's environment.

Runtime environments face a multitude of risks. Examples include zero-day attacks; remote code execution, in which an attacker remotely executes malicious code on the target web server; and web shells, which enable attackers to access a web server remotely from a web browser.

The Log4j vulnerability highlighted the need for runtime API and application protection. Attackers quickly jumped on this disclosure, and security engineers couldn't deploy patches fast enough. The Log4j vulnerability was targeted at rapid and alarming speed — more than 32% of all scanning activity over the course of a year occurred within the first 30 days of the release of Log4j, and peaked at just 17 days. As organizations responded to the attacks and deployed patches for attack variants, the need for urgent response and the limitations of only observing HTTP request and response pairs became obvious.

While the HTTP requests provided a lot of information, security engineers were not able to quickly identify what attackers were targeting or what techniques they were using. Identifying and blocking at runtime enables security teams to stop threats immediately, no matter how much attackers try to disguise the intent.

Runtime Threat Protection: An Important Part of API and App Security

The need to protect runtime environments is nothing new. Security teams have turned to runtime protection solutions since the term runtime application self-protection (RASP) was coined in 2014. However, obtaining visibility beyond HTTP has been challenging. RASP solutions required teams to deploy and subsequently manage an agent for every tech stack and component, making deployment burdensome and maintenance untenable.

The agents needed to run constantly, and the high CPU load impacted performance while increasing the cost of running applications. Alternative approaches to obtaining runtime visibility required teams to deploy kernel modules, which essentially meant installing code with root access deep within the kernel. As a result, kernel modules added risk and instability to the OS.

Not surprisingly, today, few organizations have real-time visibility into runtime vulnerabilities. A recent study found that only 4% of CISOs have this visibility into containerized production environments.

Security teams today need a solution that:

Is Multi-Layered: Effective protection combines runtime and edge protection to enable a 360-degree ability to detect, track, and block threats to APIs and applications. Achieving this requires a multi-layered approach that starts well before runtime — including scanning for misconfigurations, unrestricted network access, missing role-based access control, and vulnerability assessments.

Offers Visibility into Runtime Environments: Security teams should look for solutions that provide this necessary visibility into runtime environments. These solutions should cover network flows, system calls, and processes. You can't know if an attack is occurring if you can't see it.

Evolves with the Pace of Attacks: While providing the needed protection, solutions should also have the ability to evolve as new types of attacks are discovered. Otherwise, security teams will need to constantly redeploy applications or solutions to receive the latest protections.

Prevents Attacks Before They Start: Ultimately, solutions should enable security teams to shut down or prevent runtime-based attacks from happening altogether by granularly detecting and blocking these threats in real time. For example, Extended Berkeley Packet Filter (eBPF) — a framework that extends the ability to attach at the kernel level within a Linux environment — isn't a new technology but shows promise in runtime protection. It enables insights into kernel-level data, without modifying the kernel. It can provide data insights beyond typical HTTP, including network flows, process tables, environment variables, and more.
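To make the process-level visibility described above concrete, here is an added example (not part of the original article and not any vendor's code) of a runtime detection that flags shells or download tools descending from a server runtime, a signal that does not depend on how the triggering HTTP request was encoded. The event fields, process names, and sample events are assumptions constructed for illustration.

```python
import json

# Constructed sample: exec events in the shape a kernel-level sensor
# (for example an eBPF exec tracepoint consumer) might emit.
# Field names are assumptions for this example, not any product's schema.
SAMPLE_EVENTS = """
{"pid": 100, "ppid": 1, "comm": "java", "argv": ["java", "-jar", "app.jar"]}
{"pid": 200, "ppid": 1, "comm": "sshd", "argv": ["sshd", "-D"]}
{"pid": 201, "ppid": 200, "comm": "bash", "argv": ["-bash"]}
{"pid": 310, "ppid": 100, "comm": "sh", "argv": ["sh", "-c", "id"]}
{"pid": 311, "ppid": 310, "comm": "curl", "argv": ["curl", "http://198.51.100.7/"]}
{"pid": 400, "ppid": 201, "comm": "curl", "argv": ["curl", "https://example.com"]}
"""

SERVER_RUNTIMES = {"java", "nginx", "php-fpm", "node"}      # assumed watch list
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc"}

def server_ancestor(pid, procs):
    """Walk parent links; return the nearest server-runtime ancestor or None."""
    seen = set()
    cur = procs.get(pid)
    while cur and cur["pid"] not in seen:   # 'seen' guards against pid loops
        seen.add(cur["pid"])
        parent = procs.get(cur["ppid"])
        if parent and parent["comm"] in SERVER_RUNTIMES:
            return parent
        cur = parent
    return None

def detect(lines):
    """Return one alert per suspicious process that descends from a server runtime."""
    procs, alerts = {}, []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        procs[ev["pid"]] = ev               # maintain a live process table
        if ev["comm"] in SUSPICIOUS_CHILDREN:
            anc = server_ancestor(ev["pid"], procs)
            if anc:
                alerts.append({"pid": ev["pid"], "comm": ev["comm"],
                               "server": anc["comm"], "server_pid": anc["pid"],
                               "argv": ev["argv"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The interactive `bash` and `curl` under `sshd` are not flagged, while the `sh` and `curl` under `java` are. Some workloads legitimately spawn helpers, so a rule like this should be baselined per service before it is used to block.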

As organizations adopt new technology, they also need to evolve their security solutions to keep pace. Runtime protection enables organizations to extend their threat detection, ensuring they can detect, track, and block suspicious activity in real time, without slowing developers. With proper protection, organizations can achieve better visibility and protection, and address a number of common threats, such as zero-day attacks, remote access software, and web shells — and ensure they're prepared for the future.

Bret Settle is Co-Founder and Chief Product Officer of ThreatX