Typically, the method of dealing with SQL injection attacks is to install a firewall in learning mode and train it to recognize attacks. This is far from perfect, but until now it’s been the only way. However, there are now claims that this has been solved with a cutting-edge approach using RASP: Runtime Application Self-Protection.
One company in Ireland, Waratek, tasked a leading security protection organization to try and ‘break’ its software – using advanced contractor, attack vectors bypassing firewalls, and very advanced exploitation attempts. Each and every try failed though. The new protection seems to work despite initial skepticism, says Eoin Keary, founder of the BCC Risk Advisory in a write-up by Maria Korolov in CS Online.
The approach taken by Waratek is a highly unconventional way of protecting web applications from SQL injections, ignoring the process of whitelisting and blacklisting altogether. Research by Gartner suggests that less than 1% of web and cloud applications use a self-protecting technology today, but by 2020 this could be as high as 25%.
The basic idea is for it to sit inside the Java Runtime Environment and ‘watch’ the application to see what it is going to do with the data. Waratek CEO Brian Maccaba says, “All existing applications only see half of that … they don’t know for certain what the data stream is going to do, which leads to high levels of inaccuracy.” The trick, then, is to eliminate huge amounts of false-positive logs. The time saved by security administrators through not having to slog through these logs allows much more legitimate traffic through.
The greatest asset of this approach is that the attack surface itself is reduced, simply by moving the protection to the application. Every test carried out so far has had an astounding 100% success rate. This applies not just to tests by BCC Risk Advisory, but by Deutsche Bank, another Waratek customer.
Further to blocking SQL injection attacks, the application can also collect forensic information, including the exact character sequence that compromised the SQL query, the IP address, login and other crucial information required to track down the source of the attack. Even better, the SQL injection protection can be used during the development cycle, testing the applications even as they are written.
The only downside is that, at the moment, it only works within applications that can run inside Java Virtual Machines – limiting it to Java and a small number of other languages like JRuby or JPython. However the intention is to apply the technology to .Net in the future, allowing cover for around 90% of server-side applications.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”