Here's the problem: Java is not secure. Here is the solution: sandbox Java apps. Well, it really is not quite that simple, but our First Look this month generated one of those “ah ha!” moments in us when we saw what it was and how it worked.
One of the major issues we face as securty professionals is that application developers are usually tasked with application security and, as we all know, that often does not work as well as we'd like. Application security is difficult, and because new vulnerabilities appear regularly it is very difficult to write truly secure code.
AT A GLANCE
Product Waratek AppSecurity for Java
Price Starts at $1,000 per year per application instance.
What it does Provides a secure virtual environment for running Java applications front-ending databases.
What we liked This is a very nice implementation of RASP (Runtime Application Self Protection), easy to deploy in the development environment, and far more effective than web application firewalls.
That said, we can, of course, write code that covers the big rocks. We can avoid buffer overflows and other common problems with some fairly straightforward coding practices. But there are subtleties – especially in Java – that get by even the most judicious coder. So one approach to protecting Java apps is to better protect the app, not just the code.
Before we hear anyone saying that we are encouraging sloppy coding, let us assure you that such really is not the case. However, the reality is that while attacks evolve once an app has been coded, it stays that way for some period of time. So even the best coding practice can become obsolete instantly with the emergence of new exploits. Before we get into the nuts and bolts of our product for this month, let's take a quick look at an alternative.
The protection of the application from the outside is nothing new. We have application firewalls, for example, that attempt the same approach. However, these may tend toward false positives and certainly are not 100 percent reliable.
Waratek AppSecurity for Java claims to have that problem solved and its solution, as far as we can tell, is pretty solid. The application is containerized in what amounts to its own virtual machine. In fact, Waratek deploys its own hypervisor. But more on that shortly.
AppSecurity for Java is based on a rule set that covers such things as language, I/O and other types of rules. The virtual containers, built on top of Oracle Hotspot, hold the security rules for the container. Those rules are crafted using the tools and the rules engine provided by Waratek. It all sounds pretty simple and, for the user, it is. What this really does, though, is let programmers concentrate on building their applications while the security experts worry about keeping the app safe.
Looking at some sample rules we noticed several that were of immediate interest. In addition to the expected rules for file access and network connections, there was a rule that specifically addressed SQL injection attacks against an Oracle database. There also was a specific rule that provides a virtual patch for the Apache Struts2 vulnerability.
By containerizing the application it can be made to interact with its environment in safe, predictable ways that would be difficult to maintain in the code of the app. Today AppSecurity supports Oracle and MySQL with more databases coming. This is an impressive tool. For example, we saw an application protected by this solution running behind a web application firewall. Even though the firewall was configured properly, we saw attacks get past it and those attacks were stopped by AppSecurity. Moreover, in another example, we saw a web application firewall interpret the phrase “…look at my cat videos and select from your favorites,” as a SQL SELECT FROM statement, blocking the activity. Since AppSecurity is in the Java Virtual Machine with the application itself, it sees everything and can interpret what it sees correctly.
The theory behind AppSecurity, at least in part, is what the Gartner Group calls RASP: Runtime Application Self Protection. The idea behind RASP is that the security is built into the application's Runtime environment. That means that everything the application does or interacts with is monitored. The application is containerized and sits on top of the Java Virtual Machine (JVM) which in turn sits on top of the operating system. The whole thing is neatly encapsulated in a controllable environment that satisfies the RASP paradigm.
Additionally, the application itself does almost no interaction with the external environment. That interaction is performed on its behalf by the JVM and, since AppSecurity manages that environment, the app itself is likewise managed securely.
We liked this tool both for its creative solution to a tough problem and its ease of deployment in the development environment. We see good things ahead for Waratek.