A recent Aberdeen report looks at why organisations should give first priority to managing active risks, and proposes Runtime Application Self-Protection (RASP) as an emerging option for enterprise application security that organisations should consider.
A New Approach For Enterprise Application Security
1. Your Enterprise’s Portfolio of Applications is Essential to Your Business – and it’s Large, Complex and Unwieldy
By all measures, the enterprise’s portfolio of applications is essential to its pursuit of its strategic business objectives.
At the same time the typical enterprise portfolio of applications has grown large, complex, and unwieldy. Some of the many dimensions of the volume and complexity of enterprise applications include:
• Traditional enterprise-supported applications number from dozens to hundreds, not to mention the hundreds to thousands of mobile applications – many of them supported, but most of them not – installed on the smartphones, tablets and laptops of their users.
• The “developed” category of enterprise applications has its own layer of additional complexity, in that these applications may be produced and maintained by internal development teams, by outsourced development teams or systems integrators on the organization’s behalf, by open source communities that these development teams choose to leverage – and most likely, by some mix of all of the above.
• In terms of application delivery platforms, organizations have been eager to gain the flexibility and cost-effectiveness of virtualization and cloud computing – but they have continued to be cautious about how quickly they give up visibility and control, especially over those applications that are more business-critical.
A visual illustration of the size and complexity of the application portfolio for one particular large enterprise is provided in Figure 1, which is based on a snapshot of the consumer-facing applications for a multi-national bank at a specific point in time:
• Each circle represents one of the organization’s 376 unique applications for that line of business
• The size of each circle represents the number of entitlements for each application, and the colour reflects the degree to which these applications can be automatically provisioned.
• Several of these applications can be seen in the horizontal line along the x-axis, where the number of users is equal to one: these are used only by another application, rather than by end-user consumers.
The key takeaway here is that the enterprise’s portfolio of applications is, by definition, essential to the organization’s pursuit of its strategic business objectives – and yet over time, it has almost certainly grown increasingly large and complex.
2. Where Motive Meets Opportunity: Why Your Enterprise Applications are Under Attack
• Attackers are increasingly going after central, strategic targets as a means to optimize their efforts and increase their return on exploit.
• Servers have typically been at the top of the list of compromised assets, probably because attackers know that is where the data is stored.
The point is driven home in the Verizon 2015 DBIR, which noted that more than 90% of the data breach incidents analysed over the last decade fell into just nine basic attack patterns – and the pattern with the highest number of confirmed data breaches over this period was attacks on web applications.
During the same time period shown in Table 1 (2006-2014), a total of 60,879 entries were added to the National Vulnerability Database, so mere awareness is not the issue. The real challenge involves figuring out what to do, persuading others that it is worth doing, actually doing it, and sustaining those activities over time in rapidly evolving circumstances.
The current list (version 5.1) of the twenty Critical Security Controls can be grouped into eight higher-level capabilities, which Aberdeen has tailored for the present discussion of application security:
1. Understand what applications are in your environment
2. Keep your applications securely configured
3. Keep your applications patched and up-to-date
4. Back up and protect your important data
5. Protect your network
6. Manage your users, their accounts and their access to enterprise applications
7. Maintain visibility into what’s happening in your environment
8. Be in a position to respond when something goes wrong
3. Three Strategies for Securing Your Enterprise Applications – and an Emerging Option to Consider
Organizations leverage three distinct strategies to address the security vulnerabilities that are latent in their enterprise application portfolios, as summarized in Table 2.
The questions that inevitably get raised in these discussions end up being a mix of security, business objectives, total cost and – to some extent – management philosophy.
An Emerging Option: Runtime Application Self-Protection (RASP)
A new approach to securing applications has emerged, which is being referred to as runtime application self-protection (RASP).
The concept of RASP is to embed into – or, as it is often put, to instrument – the application’s runtime environment, so as to gain detailed, real-time visibility into what the application is currently being asked to do. The key is that this visibility comes from within the application itself, as opposed to from observing what is happening on the network: the agent sees each request after the runtime has decoded it, together with the code path that handles it.
In addition, RASP technology is designed to analyse the flow of data and the execution context within the application itself – for example, whether an untrusted input has reached a database query or a system call unchanged – in order to distinguish normal application behaviour from malicious behaviour.
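To make the two ideas above concrete, here is an added example that is not code from the Aberdeen report or from any RASP product: a toy Python agent that instruments the sqlite3 driver from inside the process. It records which values arrived from the request (a hypothetical taint() call; a real agent would hook the web framework to do this itself) and, at the moment the application hands a statement to the database, checks whether any untrusted value altered the statement's lexical structure. That structure comparison is a simplified form of the technique RASP products use to tell a benign lookup from an injection, using context a network device never sees.

```python
import re
import sqlite3
import threading
from typing import Dict, List

# Added example, not code from the Aberdeen report or from any RASP product.
# A toy RASP hook that instruments sqlite3 from inside the process: it sees the
# final statement the application is about to run and blocks it when an untrusted
# value has changed the statement's lexical structure (SQL injection). Assumption:
# the application labels request data with taint() before use; a real agent would
# hook the web framework for that and cover other sinks (OS commands, file paths).

_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT", "INTO",
             "VALUES", "UPDATE", "SET", "DELETE", "DROP", "CREATE", "TABLE", "ORDER", "BY"}

_TOKEN = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[<>=!]+|[-+*/%|])
  | (?P<punct>[(),;.])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)

def shape(sql: str) -> List[str]:
    """Lexical shape: keywords/operators verbatim, literals and names by kind."""
    out, pos = [], 0
    while pos < len(sql):
        m = _TOKEN.match(sql, pos)
        if m is None:                    # unterminated quote, stray byte, ...
            out.append("bad")
            pos += 1
            continue
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word":
            out.append(text.upper() if text.upper() in _KEYWORDS else "ident")
        elif kind in ("op", "punct"):
            out.append(text)
        else:
            out.append(kind)             # string, number or comment
    return out

class SQLInjectionBlocked(Exception):
    """Raised by the hook instead of letting the statement reach the database."""

_tls = threading.local()

def taint(value: str) -> str:
    """Record an untrusted value for the current request; returned unchanged."""
    _tls.values = getattr(_tls, "values", set()) | {value}
    return value

def clear_taint() -> None:
    _tls.values = set()

def check_statement(sql: str) -> None:
    """A tainted value may fill exactly one token slot (a literal or a name). Swap it
    for a harmless placeholder of the same kind: if the statement's shape changes,
    the value smuggled in extra SQL, so refuse to run it."""
    for value in getattr(_tls, "values", ()):
        if not value or value not in sql:
            continue
        placeholder = "1" if value.isdigit() else "x"
        if shape(sql) != shape(sql.replace(value, placeholder)):
            raise SQLInjectionBlocked(f"untrusted value {value!r} altered SQL structure")

class GuardedCursor(sqlite3.Cursor):
    """The instrumentation point: every statement goes through the check first."""
    def execute(self, sql, parameters=()):
        check_statement(sql)
        return super().execute(sql, parameters)

class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)
    def execute(self, sql, parameters=()):
        return self.cursor().execute(sql, parameters)

def demo() -> Dict[str, object]:
    """Deliberately vulnerable string-built query over constructed inputs."""
    clear_taint()
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'admin', 'admin')")
    results: Dict[str, object] = {}
    for raw in ("alice", "admin'--", "' OR '1'='1"):   # constructed request inputs
        clear_taint()
        name = taint(raw)
        sql = "SELECT name FROM users WHERE name = '" + name + "'"   # vulnerable on purpose
        try:
            results[raw] = [row[0] for row in conn.execute(sql)]
        except SQLInjectionBlocked:
            results[raw] = "blocked"
    conn.close()
    return results

if __name__ == "__main__":
    print(demo())
```

Running demo() returns the benign lookup for "alice" and "blocked" for the two injection payloads, because the comment and the extra OR clause each add tokens that the expected statement does not have. Note what the rule also implies: a request value that is legitimately meant to supply a whole clause, or a column name used outside a literal, would be flagged too, which is exactly the false-positive behaviour the accuracy question in the evaluation list below is about.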
Based on these capabilities, RASP is providing precisely the kind of threat intelligence that Aberdeen described in Putting Threat Intelligence in Perspective (December 2014), which has at least four noteworthy attributes (Table 3).
If RASP is not yet on your organization’s radar for application security, this analysis would strongly suggest that RASP is an emerging option that you should actively evaluate and consider. As a starting point, some logical dimensions for evaluation include:
• Support for the programming languages and runtimes used in your organization’s application portfolio
• Accuracy of the solution’s real-time analysis (both missed attacks and false positives that block legitimate requests)
• Performance of the solution in production applications (the latency and memory overhead the instrumentation adds)
Aberdeen Group has been an international research partner of Nebula since 2010. With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.
Besides Nebula’s insight and research services, we also provide services to help large enterprises assess, optimise and manage their enterprise ICT environments.
Should you be interested in finding out more about Nebula’s services or discussing this research, please send us an email indicating your requirements to ContactUs@nebula.co.za.