Red Hat announced new capabilities and enhancements across its portfolio of open hybrid cloud solutions aimed at accelerating enterprise adoption of edge compute architectures through the Red Hat Edge initiative.
DevOps teams today churn out releases at a rapid pace, and securing these applications is more challenging than ever. Code is continuously changing, and developers must identify and fix security bugs as quickly as possible. Developers need effective tools to help reduce the risk of data breaches while the software development and release machinery is getting faster.
Generally this means a combination of static analysis, pen testing and web application firewalls – all technologies that require deep expertise to manage, need heavy customization on a constant basis, and slow down continuous release. These activities are time consuming and require niche expertise that few DevOps teams have.
At the same time, attackers are developing new strategies, and application vulnerabilities arising from legacy code are on the rise. A new report from research firm Securosis reveals that when it comes to security, DevOps teams are searching for better solutions. The report explores how an emerging technology, Runtime Application Self-Protection (RASP), provides a simpler and more effective alternative to legacy web application security tools.
The report, Understanding and Selecting Runtime Application Security and Protection, explores how DevOps teams currently address application security issues, examining the shortcomings of the current approach. Securosis notes that DevOps teams are increasingly charged with managing security and are now actively involved in selecting web application security solutions. They’re searching for automated solutions that mesh with continuous integration and continuous deployment methods, and integrate well with existing developer tools.
Moving from “Security Bolted On” to “Security from Within”
RASP solutions work by examining requests at the application layer to detect attacks and misuse in real time. They fit well into the agile development process because they’re flexible and fast. Furthermore, RASP works inside the application, meaning it can go wherever the application goes. As Securosis highlights, RASP offers a distinct blend of capabilities and usability options, making it stand out from traditional web application security solutions. With RASP, the concept of web application security evolves from "security bolted on" to "security from within."
RASP: Protecting Web Apps Before Vulnerabilities are Exploited
It's no secret that applications are vulnerable to attacks. Applications are often tested before launch, then left unsupported, which leaves the door open to security breaches. Traditional solutions such as WAFs and static testing are insufficient for today's agile development and DevOps automation environments, especially with new classes of vulnerabilities constantly emerging. The function of RASP is, as the report explains, to protect web applications before these vulnerabilities can be exploited.
Most RASP products will offer protection against the common vulnerabilities of SQL injection, Cross Site Scripting, and Remote Command Execution. Some RASP products are also particularly effective in addressing Account Takeover (ATO) attacks. ATO attacks, in which hackers access user account credentials, are the most common cyber attack vector today. In these attacks, hackers obtain session or password information, then sell these credentials for profit or use them to further penetrate corporate networks and commit fraud.
Addressing the Complex Account Takeover Threat
There are a multitude of ways in which Account Takeovers happen, from attackers guessing credentials using credential information leaked off other sites, bruteforcing passwords or session IDs, or even tried-and-true cross-site scripting (XSS). To truly reduce the risk of account takeovers, organizations need a solution that addresses the multitude of ways in which such attacks occur. RASP is positioned to address these risks: every time a user logs in, the RASP knows if their login behavior matches their normal behavior. It knows if one user is generating an abnormal number of sessions, for example. Because it can operate at the user level (instead of at the IP address layer, like most network firewall devices). It can then take protective actions, such as serving captchas or blocking just that one user account.
The move to real-time web application protection provides major advantages to developers and security engineers. The challenge becomes how to integrate innovative new technologies into the security mix, ensuring all the pieces are in place from pre-launch to post-launch. RASP solutions are simple to install and work effectively alongside other security tools including static testing and WAFs.
As attackers become more sophisticated, protection plans must too. No longer can organizations only protect their applications from the perimeter. Solutions that sit inside the application must be implemented to ensure security happens at the same speed as development.
Zaid Al Hamami is Co-Founder and CEO at IMMUNIO.
Industry News
Kasten by Veeam announced the new Kasten by Veeam K10 V5.0 Kubernetes data management platform.
Red Hat introduced Red Hat Enterprise Linux 9, the Linux operating system designed to drive more consistent innovation across the open hybrid cloud, from bare metal servers to cloud providers and the farthest edge of enterprise networks.
Copado added Copado Robotic Testing to Copado Essentials.
Red Hat announced new advancements within its Red Hat Cloud Services portfolio, delivering a fully-managed and streamlined user experience as organizations build, deploy, manage and scale cloud-native applications across hybrid environments.
JFrog introduced a new Docker Desktop Extension for JFrog Xray that allows organizations to automatically scan Docker Containers for vulnerabilities and violations early in the development process.
Progress announced a series of updates in Progress Telerik and Progress Kendo UI.
Vultr announces that Vultr Kubernetes Engine (VKE) is generally available.
Docker announced new features and partnerships to increase developer productivity. Specifically, the company announced Docker Extensions which allow developers to discover and add complementary development tools to Docker Desktop.
Red Hat announced the general availability of Red Hat Ansible Automation Platform on Microsoft Azure, pairing hybrid cloud automation with the convenience and support of a managed offering.
The Fedora Project, a community-driven open source collaboration sponsored by Red Hat, announced the general availability of Fedora Linux 36, the latest version of the fully open source Fedora operating system.
Progress announced the release of Progress Chef Cloud Security, extending DevSecOps with compliance support for native cloud assets and enabling end-to-end management of all on premise, cloud and native cloud resources.
Platform9 announced new platform capabilities in Platform9 5.5 that make it easier for cloud-native development and operations teams to build, scale, and operate apps and Kubernetes clusters in the cloud, on-premises, and at the edge.