White Paper

MAKING ‘SHIFT LEFT’ WORK WITH CONTINUOUS APPLICATION SECURITY

Integrating Application Testing and Runtime Protection to Enable End-to-End Security for DevOps

Many organizations are embracing the mindset of continuous integration and continuous
deployment (CI/CD) to improve the quality of software delivery. At the center of this model is the
Shift Left strategy that aims to embed continuous application testing into the SDLC process to
address vulnerabilities early in development cycles. While this concept is good, current testing
tools often come up short, adding tedious testing, imprecise results, and floods of false alerts that
must be chased down manually. These tools often don’t accurately replicate production
environments and require extensive pen testing and analysis skills.

The Vulnerability Tsunami

Conventional software testing tools can only detect known vulnerabilities that have been reported,
categorized and addressed with patches. But developers are increasingly challenged by an
explosion of vulnerabilities in complex code stacks, third-party tools and libraries. In January 2020,
over 700 new vulnerabilities per day were reported in open source and COTS applications into the
US-CERT National Vulnerability Database. Businesses that rely on conventional scanning,
penetration testing and patching simply can’t keep up with this vulnerability tsunami.

Application Testing Strategies Often Come Up Short

Continuous testing to deliver high-quality, low-risk applications quickly is essential for enterprise
DevOps and SecOps teams. However, many organizations find it difficult to incorporate effective
security testing that scales and keeps up with production schedules. Under pressure to push
software through rapidly, and faced with the complexity of setting up application testing
environments, scaling manual analysis and managing lengthy testing cycles, Shift Left strategies
often skip vital security testing steps and fail to address real-world threats. The responsibility of
writing tests during development often falls on the developer, who focuses on validating the
correctness of the code and the desired end-user experience rather than on exploitable software
errors. Under the guise of Shift Left, misconfigurations, unresolved vulnerabilities and other flaws
remain, exposing otherwise well-functioning applications to exploitation, breaches or malfunction.

Complexity of Code Adds Security Challenges

As the complexity of applications continues to grow, finding and fixing security flaws early in
development becomes significantly more challenging. Applications developed in-house now have
millions of lines of code, often composed of many layers of software developed and maintained by
an army of programmers. Mission-critical applications might include a new web-facing veneer that
relies on code that has been evolving for years. These new layers must inherently trust the older
layers underneath, while being exposed to security flaws and bugs in older code that did not
anticipate modern attacks. Additionally, developers extensively leverage third-party code, libraries
and components, all of which are prone to vulnerabilities. Creating innovative software quickly,
while managing security, identifying vulnerabilities and testing every permutation of what machines
and users might do, is daunting for most development teams.

1 ©2020, Virsec
Testing Tools Come at a Premium Cost
Conventional application testing tools can help improve secure coding practices by identifying
vulnerabilities early in the development process. However, tools like those shown below can
require extensive expertise – not only with the application being tested, but the tool itself and the
types of attacks and security challenges to which it is prone. Testers require extensive experience
to understand flaws common to specific coding languages. Each language has its own characteristic
weaknesses that can be exploited: some are prone to buffer overflows, while others have flaws that
leave them open to code injection attacks.

These conventional testing tools include:

• SAST (Static Application Security Testing)
Evaluates the source code as it is written, identifying vulnerabilities. Lacks the ability to
identify unexpected and unwanted behavior that occurs when the app is run in a complex
runtime environment. Typically produces numerous false positives.

• DAST (Dynamic Application Security Testing)
Evaluates (or crawls) the application while running and identifies compliance and security
problems in code. Does not show how the application behaves in runtime environments.

• RASP (Runtime Application Self-Protection)
Analyzes inbound traffic, regex and user behavior while the application is running.

• IAST (Interactive Application Security Testing)
Combines RASP and DAST capabilities to give insight into the application’s logic flow, data
flow and configuration.

Overall, these tools share common shortcomings because they typically:

• Produce floods of false positives that must be chased down manually,

• Deliver vague recommendations that don’t pinpoint software flaws or help prioritize
vulnerabilities,

• Work on fully assembled applications – not early in the SDLC,

• Require deep analytical pen testing skills,

• Don’t scale, requiring huge amounts of tedious and intense manual labor.

Combining Attack Simulation with Runtime Application Protection
Virsec is the first security vendor to combine advanced CI/CD application testing with continuous
monitoring during runtime, delivering unprecedented accuracy, time savings, and real-world
attack prevention. Built on the world’s most advanced application security platform, Virsec has
integrated automated attack simulation, intelligent fuzzing, and context-sensitive instrumentation
to deliver a new level of end-to-end security at all stages of the SDLC. This extends the capabilities
of the Virsec Security Platform which instantly detects when developer code is subverted by
attacker code. Virsec proactively stops malicious code from executing within an application,
without relying on exploit signatures, heuristics or behavioral rules.

Virsec capabilities compared with conventional testing tools

Comprehensive Protection Across the DevSecOps Cycle

The DevSecOps cycle is often shown as a continuous loop, with coding, implementation and
deployment on the development side feeding seamlessly into configuration, detection, protection,
and remediation on the production side. While this type of closed-loop cycle makes sense, it has
typically required a range of point solutions that don’t work well together or provide feedback
from production back to development teams.

The Virsec Security Platform (VSP) is the first solution to provide continuous and holistic protection
across this cycle, from development through production including:

• Forensics
Detecting flaws in software or 3rd-party tools that can be exploited, regardless of whether
existing vulnerabilities have been discovered.

• Web Attack Simulator
Uses a library of advanced payloads and intelligent fuzzing to detect flaws in software or
3rd-party tools that can be exploited, regardless of whether existing vulnerabilities have
been discovered.

• Runtime Protection – Preproduction
Virsec’s industry-leading runtime protection detects vulnerabilities that allow legitimate
code to be subverted by attackers to run their own malicious code. In preproduction, this
provides comprehensive results from the Attack Simulator.

• Security Configuration
Enables developers to automatically configure applications for continuous protection
during production.

• Security Analytics
Detects advanced fileless and zero-day threats without using signatures, regardless of
whether existing vulnerabilities have been discovered.

• Web Application Protection
Analyzes the entire HTTP pipeline to identify attacker input that can be weaponized at
runtime to produce malicious code.

• Runtime Protection – Production
Detects illicit application activity within milliseconds and takes protection actions to stop
attacks at the first step of the kill chain.

• Ticketing
Collects detailed, actionable forensics and integrates with enterprise ticketing systems like
JIRA to track SDLC remediation.

How it Works
The Virsec Security Platform incorporates these key components to deliver end-to-end application
protection:

Web Attack Simulator

Through our research and advanced detection tools, Virsec has compiled an extensive library of
specialized payloads that map to CAPEC standards. These are combined with multiple obfuscation
techniques, such as single, double and mixed encoding, to test applications against the widest
range of simulated attacks.

Intelligent Fuzzing
Virsec automates testing, injecting thousands of combinations of URLs, parameters, obfuscation
techniques, and OWASP threats, stress testing every user input of the HTTP packet. Specialized
payloads are added into the HTTP request line, parameters, query strings, fragments, headers and
key-value pairs. This delivers code coverage, diversity, and entropy testing far beyond the
capabilities of manual penetration testing.
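The two sections above describe payloads wrapped in single, double and mixed encoding and injected into every part of the HTTP request. The defensive counterpart is to canonicalize each of those locations before inspecting it, so that a second encoding layer cannot hide a payload from the check. The following is an added illustration written for this page, not Virsec code; the marker list, the sample request and the header values are constructed for the example, and a real engine would carry a far larger payload library than the four markers used here.

```python
"""Canonicalize single-, double- and mixed-encoded HTTP input before inspection.

Added illustration, not Virsec code: a check that only looks at the raw string
misses a payload hidden behind a second layer of percent-encoding, so each
input location is decoded until it stops changing, and the number of layers
peeled off is recorded alongside any marker found.
"""
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 4  # bound the loop so crafted input cannot keep it spinning

# Constructed marker list for this example only; a real engine would carry a
# far larger payload library (the paper refers to CAPEC-mapped payloads).
SUSPICIOUS_MARKERS = ("<script", "union select", "../", "${")


def canonicalize(value, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded_value, layers_removed). Mixed encoding such as
    '%253Cscript%3E' needs two rounds to become '<script>'.
    """
    current = value
    layers = 0
    while layers < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        layers += 1
    return current, layers


def find_markers(value):
    """Return the suspicious markers present in a canonicalized string."""
    lowered = value.lower()
    return [marker for marker in SUSPICIOUS_MARKERS if marker in lowered]


def inspect_request(request_line, headers):
    """Check every location a fuzzer targets: path, query pairs, fragment, headers.

    request_line: e.g. 'GET /items?q=x HTTP/1.1'; headers: dict name -> value.
    Returns a list of (location, decoded_value, layers_removed, markers).
    """
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)

    candidates = [("path", parts.path), ("fragment", parts.fragment)]
    # Split the query by hand so the raw (still encoded) value is inspected;
    # parse_qsl would silently strip one encoding layer first.
    query_pairs = parts.query.split("&") if parts.query else []
    for pair in query_pairs:
        key, _sep, val = pair.partition("=")
        candidates.append(("query:" + key, val))
    for name, val in headers.items():
        candidates.append(("header:" + name, val))

    findings = []
    for location, raw in candidates:
        decoded, layers = canonicalize(raw)
        markers = find_markers(decoded)
        if markers:
            findings.append((location, decoded, layers, markers))
    return findings


# Constructed sample request: the q parameter is mixed single/double encoded,
# and one header carries a singly encoded traversal sequence.
SAMPLE_REQUEST_LINE = (
    "GET /items?q=%253Cscript%3Ealert(1)%253C/script%3E&page=2#top HTTP/1.1"
)
SAMPLE_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/8.0",
    "X-Forwarded-For": "..%2F..%2Fconfig",
}

if __name__ == "__main__":
    for location, decoded, layers, markers in inspect_request(
        SAMPLE_REQUEST_LINE, SAMPLE_HEADERS
    ):
        print(f"{location}: {markers} after removing {layers} encoding layer(s): {decoded!r}")
```

The number of layers removed is worth keeping as a signal in its own right: legitimate clients rarely double-encode, so a parameter that only becomes readable after two or more rounds deserves attention even before any marker matches.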

Virsec Attack Simulator and Application Protection workflow

Application Runtime Protection

Using Virsec’s advanced runtime instrumentation technology, embedded controls instantly detect
if the application is generating attacker-influenced code for execution on downstream
interpreters. Unlike RASP tools, Virsec puts the whole picture together with stateful analysis of
complete web transactions, including responses across web servers, app servers, and backend
databases. Virsec detects threats the first time, without relying on rules, heuristics, learning or
constantly updating signatures.
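The paragraph above describes controls that detect when an application is about to hand attacker-influenced code to a downstream interpreter. The following is an added toy illustration of that idea, written for this page and not Virsec's instrumentation: input is tagged as untrusted where it enters from HTTP, the tag survives string building, and a guard in front of a SQL interpreter refuses statement text that carries the tag while letting the same value through as a bound parameter. The class names, the in-memory table and the sample input are all constructed for the example.

```python
"""Toy taint check at an interpreter boundary.

Added illustration, not Virsec's instrumentation: input is tagged as tainted
where it enters from HTTP, the tag survives string building, and a guard in
front of the SQL interpreter refuses statement text that carries taint while
letting the same value through as a bound parameter. The guard fires on the
pattern (untrusted data became code) even for harmless input, so it does not
depend on a known vulnerability or an attack signature.
"""
import sqlite3


class Tainted:
    """String wrapper that remembers it came from an untrusted source."""

    def __init__(self, value, source):
        self.value = str(value)
        self.source = source

    def __str__(self):
        return self.value

    def __add__(self, other):   # tainted + anything -> still tainted
        return Tainted(self.value + str(other), self.source)

    def __radd__(self, other):  # anything + tainted -> still tainted
        return Tainted(str(other) + self.value, self.source)


class TaintedCodeError(Exception):
    """Raised when attacker-influenced text is about to run as SQL."""


def guarded_execute(conn, statement, params=()):
    """Hand only trusted statement text to the interpreter.

    Tainted values are allowed in params, where the driver binds them as
    data; they are refused in the statement itself, where they would be code.
    """
    if isinstance(statement, Tainted):
        raise TaintedCodeError(
            f"SQL text built from untrusted input ({statement.source})"
        )
    return conn.execute(statement, tuple(str(p) for p in params)).fetchall()


def build_demo_db():
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def lookup_unsafe(conn, user_input):
    """Vulnerable pattern: the input becomes part of the statement text."""
    statement = "SELECT role FROM users WHERE name = '" + user_input + "'"
    return guarded_execute(conn, statement)


def lookup_safe(conn, user_input):
    """Hardened pattern: the same input is bound as a parameter."""
    return guarded_execute(
        conn, "SELECT role FROM users WHERE name = ?", (user_input,)
    )


def run_demo():
    """Run both lookups on a benign, tainted value and report what happened."""
    conn = build_demo_db()
    # Constructed request value, tagged at the point it arrives from HTTP.
    name = Tainted("bob", source="query:name")
    outcome = {"safe": lookup_safe(conn, name)}
    try:
        lookup_unsafe(conn, name)
        outcome["unsafe"] = "allowed"
    except TaintedCodeError:
        outcome["unsafe"] = "blocked"
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is that the unsafe lookup is blocked on the benign value "bob", before any malicious payload is involved: the control reacts to untrusted data reaching the interpreter as code, which is the property the paragraph describes as independent of signatures, rules or previously discovered vulnerabilities.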

Actionable Reporting & Forensics

The solution automatically generates comprehensive reports with critical detail including the risk
score for developers and application owners. These reports precisely pinpoint code flaws with rich
contextual attack-related metadata. This enables developers to prioritize remediation efforts,
while letting businesses make smart decisions about the risk levels of deployed applications. The
solution integrates seamlessly with enterprise ticketing systems such as JIRA, while producing
detailed forensic data for 3rd-party GRC solutions.

Detailed testing reports identify flaws and risk scores

Testing analysis pinpoints exactly where code is vulnerable

Compensating Controls During Runtime
Virsec is the first solution to close the loop between development and production, applying the
same advanced attack detection during testing and in production. This continuous
monitoring and protection approach effectively provides compensating controls for vulnerabilities
that could not be remediated in a timely manner because of time-to-market deadlines.

The Virsec Security Platform not only detects attacks – it can take a wide range of protection
actions to stop attacks within milliseconds at the very first step in the attack kill chain. Virsec is the
only testing solution that continuously monitors and protects applications during runtime, and
new threats detected during runtime can be automatically reported back to development teams
for ongoing remediation.

Built for the Cloud and Containers

Virsec Application Runtime Protection will work seamlessly across public/ private/ hybrid clouds as
well as different virtualization types such as containers, VMs or physical machines. While
containers provide more flexibility and modularity, they also add additional attackable surfaces
with complex deployment, orchestration and management tools. Once again, Virsec’s continuous
runtime protection ensures that vulnerabilities in container tools cannot be exploited in
production.

About Virsec
Virsec provides a radically new approach to protect against advanced targeted attacks, delivering
unprecedented visibility and protection for enterprise applications and industrial controls, from
today’s most dangerous threats. Through its unique technology, Virsec definitively prevents
attacks that bypass conventional security tools, such as fileless attacks, memory exploits and
attacks that weaponize at runtime. Virsec’s patented technology deterministically stops advanced
attacks in real-time, delivering unprecedented accuracy, while eliminating false positives. The
solution provides virtual patching and compensating controls for any application, whether new,
legacy, or un-patchable.
