To meet the growing demand for Oracle Container Engine for Kubernetes (OKE) with global organizations, Oracle Cloud Infrastructure (OCI) is introducing new capabilities that can boost the reliability and efficiency of large-scale Kubernetes environments while simplifying operations and reducing costs.
DevOps teams today churn out releases at a rapid pace, and securing these applications is more challenging than ever. Code is continuously changing, and developers must identify and fix security bugs as quickly as possible. Developers need effective tools to help reduce the risk of data breaches while the software development and release machinery is getting faster.
Generally this means a combination of static analysis, pen testing and web application firewalls – all technologies that require deep expertise to manage, need heavy customization on a constant basis, and slow down continuous release. These activities are time consuming and require niche expertise that few DevOps teams have.
At the same time, attackers are developing new strategies, and application vulnerabilities arising from legacy code are on the rise. A new report from research firm Securosis reveals that when it comes to security, DevOps teams are searching for better solutions. The report explores how an emerging technology, Runtime Application Self-Protection (RASP), provides a simpler and more effective alternative to legacy web application security tools.
The report, Understanding and Selecting Runtime Application Security and Protection, explores how DevOps teams currently address application security issues, examining the shortcomings of the current approach. Securosis notes that DevOps teams are increasingly charged with managing security and are now actively involved in selecting web application security solutions. They’re searching for automated solutions that mesh with continuous integration and continuous deployment methods, and integrate well with existing developer tools.
Moving from “Security Bolted On” to “Security from Within”
RASP solutions work by examining requests at the application layer to detect attacks and misuse in real time. They fit well into the agile development process because they’re flexible and fast. Furthermore, RASP works inside the application, meaning it can go wherever the application goes. As Securosis highlights, RASP offers a distinct blend of capabilities and usability options, making it stand out from traditional web application security solutions. With RASP, the concept of web application security evolves from "security bolted on" to "security from within."
RASP: Protecting Web Apps Before Vulnerabilities are Exploited
It's no secret that applications are vulnerable to attacks. Applications are often tested before launch, then left unsupported, which leaves the door open to security breaches. Traditional solutions such as WAFs and static testing are insufficient for today's agile development and DevOps automation environments, especially with new classes of vulnerabilities constantly emerging. The function of RASP is, as the report explains, to protect web applications before these vulnerabilities can be exploited.
Most RASP products will offer protection against the common vulnerabilities of SQL injection, Cross Site Scripting, and Remote Command Execution. Some RASP products are also particularly effective in addressing Account Takeover (ATO) attacks. ATO attacks, in which hackers access user account credentials, are the most common cyber attack vector today. In these attacks, hackers obtain session or password information, then sell these credentials for profit or use them to further penetrate corporate networks and commit fraud.
Addressing the Complex Account Takeover Threat
There are a multitude of ways in which Account Takeovers happen, from attackers guessing credentials using credential information leaked off other sites, bruteforcing passwords or session IDs, or even tried-and-true cross-site scripting (XSS). To truly reduce the risk of account takeovers, organizations need a solution that addresses the multitude of ways in which such attacks occur. RASP is positioned to address these risks: every time a user logs in, the RASP knows if their login behavior matches their normal behavior. It knows if one user is generating an abnormal number of sessions, for example. Because it can operate at the user level (instead of at the IP address layer, like most network firewall devices). It can then take protective actions, such as serving captchas or blocking just that one user account.
The move to real-time web application protection provides major advantages to developers and security engineers. The challenge becomes how to integrate innovative new technologies into the security mix, ensuring all the pieces are in place from pre-launch to post-launch. RASP solutions are simple to install and work effectively alongside other security tools including static testing and WAFs.
As attackers become more sophisticated, protection plans must too. No longer can organizations only protect their applications from the perimeter. Solutions that sit inside the application must be implemented to ensure security happens at the same speed as development.
Zaid Al Hamami is Co-Founder and CEO at IMMUNIO.
Industry News
Perforce Software joined the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program and listed its free Enhanced Studio Pack (ESP) in AWS Marketplace.
Aembit, an identity platform that lets DevOps and Security teams discover, manage, enforce, and audit access between federated workloads, announced its official launch alongside $16.6M in seed financing from cybersecurity specialist investors Ballistic Ventures and Ten Eleven Ventures.
Hyland released Alfresco Content Services 7.0 – a cloud-native content services platform, optimized for content model flexibility and performance at scale.
CAST AI has announced the closing of a $20M investment round.
Check Point® Software Technologies introduced Infinity Global Services, an all-encompassing security solution that will empower organizations of all sizes to fortify their systems, from cloud to network to endpoint.
OpsCruise's Kubernetes and Cloud Service observability platform is certified to run on the Red Hat OpenShift Kubernetes platform.
DataOps.live released an update to the DataOps.live platform, delivering productivity for data teams.
CoreStack and Zensar announced a strategic global partnership. CoreStack will provide its AI-powered NextGen cloud governance and FinOps capabilities, complementing Zensar’s composable cloud operations offering.
Delinea introduced the Delinea Platform, a cloud-native foundation for Delinea's PAM solutions that empowers end-to-end visibility, dynamic privilege controls, and adaptive security.
Sysdig announced a new foundation that will serve as the long-term custodian of the Wireshark open source project.
Talend announced the latest update to Talend Data Fabric, its end-to-end platform for data discovery, transformation, governance, and sharing.
Descope has raised $53M in seed funding and emerged from stealth to launch a frictionless, secure, and developer-friendly authentication and user management platform.
Loft Labs announced Loft v3 with new capabilities and flexibility for platform teams to build and enable their development teams with a self-service Kubernetes.
AWS Application Composer is now generally available.