1 Put a Firewall in Your JVM Securing Java Applications! Prateep Bandharangshi" Waratek Director of Client Security Hussein Badakhchani" Deutsche Bank Ag London Vice
3 Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response:! "! We sell hammers! - New York Times, September 19, 2014"
4 There are over 1,000 different types of software weaknesses, most of which are impossible for developers to avoid without training and development support! State of Developer Application Security Knowledge" Aspect Security, September 2014"
5 More Secure Application Coding Cannot Solve the Problem" Relatively little application code is written and controlled by the enterprise" 3 rd party libraries heavily used and often open sourced" Application servers and frameworks (JBOSS, Websphere, Weblogic, Tomcat, etc.)" Java APIs " Purchased software packages" None of these are written and maintained by the enterprise, creating substantial exposure" Customer Business Logic (WARs, EJBs) 3 rd Party Libraries (JARs) App Servers, Frameworks (JEE) Java APIs (JRE) Java VM Layer OS / Network
6 Source: 2014 Sonatype Open Source and Application Security Survey
8 Struts2 CVEs" The struts2 framework has had 10 CVEs issued in the last two years with a CVSS score of 9 or 10" CVE = Common Vulnerabilities and Exposures" CVSS = Common Vulnerability Scoring System"
9 Legacy Java" Most enterprises have large numbers of applications running on older, legacy Java versions" Updating these apps to the current Java edition is often risky, time consuming, and expensive"
10 JVMs themselves are not secure" Java Code" Application" Dependencies" Security Manager" JVM" JNI" C/C++ Code" The JVM itself performs NO security checks." All enforcement is through the Java API s and the Security Manager (SM) levels." If the SM is compromised or not even enabled then the JVM can be instructed to do ANYTHING." The JVM doesn t question when your app starts to:" Delete files, open sockets, fork processes, change file permissions, insert SQL parameters, reflect classes etc."
11 Java Containers" Waratek provides containment and isolation technology for Java built on top of Oracle Hotspot" A Java Virtual Container is an in-jvm container with built in security and resource controls" Java containers boot their own JRE inside them which can be different to the host JRE version" JVC-1" JVC-2" JVC-3" Java VM" Java Containers have elastic resources that can be changed at runtime. Resources such as memory, CPU, bandwidth and file I/O."
12 Java Containers monitor all activity" Java Code" Waratek Container" Application" Dependencies" Security Manager" Waratek" JVM" Process Container" The container layer gets to inspect every call the application and its dependent libraries need to make." The calls can then be checked against rules, any suspicious behavior is then logged." We can also isolate untrusted JNI code by isolating the library within its own process container at the OS level." Everything is local to the JVM so there is very low overhead." No agents or code changes are required." " JNI" C/C++ Code"
13 Rules cover all application aspects" Language rules:" Class loading class or package level." Class linking any defined class." Reflection from variable to package level." Throwable exception classes." Input Output rules:" File any file I/O." Network any network I/O." Other rules:" Native code accessing JNI." Process execution starting external processes." External attack vectors:" SQL injection." Tooling support makes rule customization simple."
14 What a Container Rule File Looks Like" # Example file rules file:read:/etc/:deny:warn file:read:/etc/passwd:allow:warn file:exec:*:deny:warn # Example networks rules network:connect:www.google.com::deny:warn network:accept:localhost::deny:warn # SQL injection mitigation for Oracle PL/SQL sql:database:oracle:deny:warn # Virtual patch rule for an Apache Struts2 vulnerability reflect:class:com.opensymphony.xwork2.ognl.securitymemberaccess:method :setallowstaticmethodaccess(z)v:deny:warn
15 Rules can secure any Java version" Java SE 5 Container" Java SE 5 Application" Java SE 5 JRE" Waratek" Java VM" SE 7" Java SE 5 Exploit" Network" This approach to legacy Java has two key advantages, first no changes to the application:" The application does not see an API change." Deprecated calls still function." Serialized objects still function." The application is still using the API it was first tested against." Second, externally the world can move on:" Administration is on an up-to-date SUPPORTED platform." The surrounding infrastructure can be updated."
16 SQL Injection" " " " " " " String id = request.getparameter("id"); String sql = "SELECT * FROM users WHERE id = '" + id + "'";
17 SQL Injection" OR 1=1-- SELECT * FROM users WHERE id = '1' OR 1=1--'
18 Stopping SQL Injection" Java Containers automatically perform runtime taint-tracking without any changes to application code" Taint-tracking marks as untrusted all user-input data to a Java app (like HTTP request parameters) in real-time" When untrusted user-input data is passed to an SQL query, syntactic analysis is used to accurately and reliably detect SQL injection" When SQL injection is detected, the Java Container gracefully rejects the unsafe SQL query and the application continues un-exploited" No tuning" No regex" No false positives" No code changes"
20 Runtime Application Self Protection (RASP)" Applications should be capable of self-protection that is, have protection features built into the application runtime environment. " " [ RASP solutions ] possesses the maximum information necessary to make the most accurate detection or protection decision.!! - Gartner"
21 Agenda 1 Securing Legacy Java DAP Secure Legacy Java 2 Virtual Patching Waratek s Application Firewall 3 Application Security Lock down the application Deutsche Bank Enterprise Architecture
22 Agenda 1 Securing Legacy Java DAP Secure Legacy Java 2 Virtual Patching Waratek s Application Firewall 3 Application Security Lock down the application Deutsche Bank Enterprise Architecture
23 Securing Legacy Java Using the Waratek Cloud VM in conjunction with DAP, the immediate risks posed by legacy applications can be mitigated and a route for the upgrade and future sustained management of the application can be established. Applications will be quarantined without need of code changes or transformation and once the upgrades to new versions of Java have been tested the application is promoted to production. Quarantine with Waratek VM Deutsche Bank Enterprise Architecture
24 Securing Legacy Java Applications will be have their legacy JVMs upgraded and tested on the DAP Secure Legacy Java infrastructure and once all tests have successful been passed the application will be promoted to the DAP Production Cluster. Sustain and Maintain with DAP Deutsche Bank Enterprise Architecture
25 Securing Legacy Java No code changes required to deploy legacy Java applications to new version of host Waratek VM. Application Firewall protects against a large number of attack with just a handful of rules. Guest host JVM can be patched using Virtual Patching (no downtime or release cycle) Ultimately this is a more economic, rapid and safer option than traditional upgrade approaches. Deutsche Bank Enterprise Architecture
26 Agenda 1 Securing Legacy Java DAP Secure Legacy Java 2 Virtual Patching Waratek s Application Firewall 3 Application Security Lock down the application Deutsche Bank Enterprise Architecture
27 Virtual Patching Uses the Waratek Application Firewall to patch applications for new security vulnerabilities that have been identified. Eliminates the dependency on a full release cycle to patch an application. Applications can be patched dynamically in situ (no application, container or JVM restart). Applications can be patched far more quickly giving a more rapid response to security vulnerabilities. Reduces the disruption caused to application teams from unscheduled patching events. Ultimately this a far more cost effective way to manage the patching of applications for newly identified security vulnerabilities. Deutsche Bank Enterprise Architecture
28 Agenda 1 Securing Legacy Java DAP Secure Legacy Java 2 Virtual Patching Waratek s Application Firewall 3 Application Security Lock down the application Deutsche Bank Enterprise Architecture
29 Application Security Configure the Waratek Application Firewall to prohibit Java Classes, Packages and APIs. Lock down disk, network and OS resources with ease in side the JVM. Warn on indicators of intrusion. Prevent Cross Site Scripting, SQL Injection and other common attacks. The costs of remediating identified security vulnerabilities in our applications is greatly reduced by eliminating the need to refactor code. Deutsche Bank Enterprise Architecture
30 Summary" Secure coding is complex, time consuming and very difficult to get right" Many applications have potential risks associated with imported components" Legacy applications running on Legacy Java versions are very widespread" Application Security controls are ideally placed inside the JVM" Java Containers enable Run Time Application Self Protection"
The Evolution of Enterprise Application Security Why enterprises need runtime application self-protection 2 Abstract Enterprise information security encompasses a broad set of disciplines and technologies,
A Survey on Virtual Machine Security Jenni Susan Reuben Helsinki University of Technology email@example.com Abstract Virtualization plays a major role in helping the organizations to reduce the operational
Securing Enterprise Applications Version 1.1 Updated: November 20, 2014 Securosis, L.L.C. 515 E. Carefree Highway Suite #766 Phoenix, AZ 85085 T 602-412-3051 firstname.lastname@example.org www.securosis.com Author
Special Publication 800-125 Guide to Security for Full Virtualization Technologies Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Paul Hoffman NIST
Monitoring and Diagnosing Applications with 4.0 Mark W. Johnson IBM Corporation The (Application Response Measurement) standard provides a way to manage business transactions. By embedding simple calls
Virtual Patching: Lower Security Risks and Costs A Trend Micro White Paper, 2012 Trend Micro Deep Security Trend Micro, Incorporated» Hundreds of software vulnerabilities are exposed each month, and timely
Trend Micro Deep Security Server Security Protecting the Dynamic Datacenter A Trend Micro White Paper August 2009 I. SECURITY IN THE DYNAMIC DATACENTER The purpose of IT security is to enable your business,
Andy Davis Akamai Technologies 1400 Fashion Island Blvd San Mateo, CA 94404 EdgeComputing: Extending Enterprise Applications to the Edge of the Internet Jay Parikh Akamai Technologies 1400 Fashion Island
Top 10 Most Common Java Performance Problems Top 10 Most Common Java Performance Problems Table of Contents Introduction... 3 Database... 4 1. Death by 1,000 Cuts: The Database N+1 Problem... 5 2. Credit
Plug Into The Cloud with Oracle Database 12c ORACLE WHITE PAPER DECEMBER 2014 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,
How to Deliver Resilient, Secure, Efficient, and Easily Changed IT Systems in Line with CISQ Recommendations Pragmatic recipes to ensure the full compliance of custom built IT systems with rules and measures
An Oracle White Paper April 2010 Application Performance Management with Oracle Enterprise Manager 11g Introduction... 1 Top Challenges of Application Performance Management... 2 Oracle s Application Performance
Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna UC Santa Barbara Santa
Institute of Parallel and Distributed Systems University of Stuttgart Universitätsstraße 38 D 70569 Stuttgart Diplomarbeit Nr. 3242 Data security in multi-tenant environments in the cloud Tim Waizenegger
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Migration Planning Kit Microsoft Windows Server 2003 This educational kit is intended for IT administrators, architects, and IT managers. The kit covers the reasons and process you should consider when
Application Performance Management for Enterprise Applications White Paper from ManageEngine Web: Email: email@example.com Table of Contents 1. Introduction 2. Types of applications used
Oracle Whitepaper June 2013 An Oracle White Paper June 2013 Oracle Multitenant plug into the cloud with oracle database 12c Disclaimer The following is intended to outline our general product direction.
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
Microsoft System Center 2012 R2 Why Microsoft? For Virtualizing & Managing SharePoint July 2014 v1.0 2014 Microsoft Corporation. All rights reserved. This document is provided as-is. Information and views
Multi-Layered VoIP Security A DefensePro White Paper - Avi Chesla, VP Security Table of Content Abstract...3 What is VoIP...3 VoIP Protocols...4 VoIP Architecture...4 The VoIP Market & Standards...6 The
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
What s New in Oracle SOA Suite 12c O R A C L E W H I T E P A P E R J U L Y 2 0 1 4 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
An Oracle White Paper June 2013 Oracle Real Application Clusters One Node Executive Overview... 1 Oracle RAC One Node 12c Overview... 2 Best In-Class Oracle Database Availability... 5 Better Oracle Database
Payment Card Industry (PCI) Data Security Standard Approved Scanning Vendors Program Guide Version 2.0 May 2013 Document Changes Date Version Description February 11, 2010 1.0 May 2013 2.0 Approved Scanning