Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

TECHNICAL VALIDATION

Secure Applications at Runtime with the Waratek ARMR Security-as-Code Platform

Runtime Code Patching to Prevent Exploits at the Source

By Justin Boyer, IT Validation Analyst; and Tony Palmer, Principal IT Validation Analyst
JULY 2022

Introduction

This ESG report details the evaluation of the Waratek ARMR Security-as-Code platform. We validated Waratek’s ability to protect business applications from attack by updating the code at runtime to eliminate vulnerabilities. Waratek allows businesses to define their desired security state and actively maintains that state to protect business data.

Background

Pushing known vulnerable code is dangerous and leaves organizations open to risk. However, the pressure to deliver business value more quickly than ever drives businesses to “roll the dice” with application vulnerabilities and hope that they can address any vulnerabilities before they are exploited by bad actors. According to ESG research, 79% of companies knowingly push vulnerable code to production, with 48% doing so regularly (Figure 1). In addition, 54% of organizations confirmed that one of the reasons they have pushed code with known vulnerabilities was to meet a critical deadline.
Some turn to web application firewalls (WAFs) or runtime application self-protection (RASP) tools to help mitigate the risk, in the hope that these tools will detect and stop attacks before they reach applications. Since these tools depend on detecting signatures of known attacks, they are far from foolproof. They are likely both to miss zero-day or unknown attacks and to generate false positives. False positives increase the volume of information security analysts must manage and make it harder to find the real dangers lurking in an environment.
Figure 1. Companies Often Push Known Vulnerable Code to Production, Increasing Risk Exposure

Has your organization ever pushed code to production with known organic vulnerabilities? (Percent of respondents, N=378)

Source: ESG, a division of TechTarget, Inc.

Modern organizations face a difficult challenge. How do they deliver business value to stay competitive without exposing their applications to unnecessary risk?

The Waratek ARMR Security-as-Code Platform

Waratek ARMR is a production-grade security engine designed to provide declarative, cross-platform security for applications and APIs. ARMR (pronounced like armor) uses Security-as-Code to enable security engineers to define a desired security state for applications. Waratek then actively works to maintain that security state at runtime. Waratek defines Security-as-Code as the practice of leveraging machine-readable definition files that use high-level descriptive coding language to automate security behavior at runtime.
Rather than scan network requests to applications looking for signatures of specific attacks, ARMR automatically detects vulnerabilities in application code and fixes them at runtime. As seen in Figure 2, traditional vulnerability remediation requires developers to manually triage vulnerabilities detected by scanning tools, then write and deploy updated code or address the issue in a WAF or RASP solution. There are many gates and steps in the process, slowing down the deployment of safe code. Waratek ARMR provides a single “gateway” that code travels through before being executed by the processor. When ARMR detects a vulnerability in the code—a SQL injection vulnerability, for example—it hot swaps it with code that has been automatically rewritten to close off that vulnerability. The safe instructions are then released for the processor to execute in place of the unsafe ones. A SQL injection attack will be unsuccessful, not because it was blocked, but because the code is no longer vulnerable to it. When this swap occurs, a log entry is made and sent to a SIEM (security information and event management) application for further investigation.
Figure 2. Waratek Protects Applications at Runtime by Swapping in Secure Code

Source: ESG, a division of TechTarget, Inc.

The Waratek ARMR platform is cross-language and cross-platform. Web applications and APIs are protected by declarative rules defined by security engineers based on the risks most likely to impact their applications. These rules can be written in ARMR’s native language (Autonomous Rule Management Runtime) or through the user interface, which will then write the ARMR code based on the rule defined.
When new rules are defined, no redeployment is needed. Waratek will pick up the changes and apply them immediately. New code can be deployed without affecting the security engine, and DevOps processes are not impacted. Instead, the desired security state is defined for the application, forming a protective shield behind which new code is deployed and protected automatically.
Waratek protects applications by fixing the source of exploits: vulnerable code. It does not detect attacks after they have already happened, nor does it block network traffic on the basis of regular expression matches. It removes vulnerable code from the system, so exploits simply do not work.

ESG Technical Validation

ESG investigated Waratek’s ARMR platform, focusing on the declarative nature of the platform, along with how it protects applications by hot-swapping secure code for insecure code at runtime.

Declarative Security-as-Code

What Waratek means by the declarative nature of the platform is that security analysts define the desired security state for the organization’s applications, and Waratek works to keep the environment in that desired state.
SQL injection vulnerabilities commonly lead to data breaches. Figure 3 depicts a successful SQL injection attack using the popular WebGoat application. WebGoat is a deliberately vulnerable application that lets developers practice against vulnerabilities commonly found in Java-based applications built with open source components. In this example, the SQL injection attack is able to pull all data from a database—including sensitive credit card data. Such a breach could cost a business millions of dollars in recovery costs and even more in damage to its reputation. The breach also exposes the business’s customers to identity and credit card theft.
Figure 3. Successful SQL Injection Attack

Source: ESG, a division of TechTarget, Inc.

Using Waratek, administrators define rules to protect applications against these kinds of attacks. ESG observed the ease with which administrators can define ARMR rules with a few clicks through the rule creation UI. Most common rules can be implemented without writing any ARMR code. Figure 4 shows the UI rule creation tool for SQL injection along with the code ARMR writes to implement the rule.
Figure 4. Waratek ARMR Rule Creation

Source: ESG, a division of TechTarget, Inc.

Once the ARMR rule is synced to the Waratek runtime, SQL injection is no longer possible. Waratek rewrites the vulnerable code at runtime. No developer intervention is required. The same attack simply returns an error message from the application instead of a database full of sensitive information (see Figure 5). Waratek begins protecting the application immediately after the rule is created without redeploying either Waratek or the application itself.
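To make concrete what “vulnerable code” and “rewritten code” mean for the SQL injection case described above, the following is an added example, not Waratek’s, WebGoat’s or ESG’s own code: a constructed in-memory SQLite table, the concatenation pattern that Figure 3 exploits, and the parameterized equivalent that a correct rewrite produces, which also records a protection event of the kind Figure 6 shows. The event heuristic and the table contents are assumptions made for this example and say nothing about how ARMR itself detects or logs.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample data standing in for a WebGoat-style customer table.
SAMPLE_ROWS = [("alice", "4111-1111-1111-1111"), ("bob", "5500-0000-0000-0004")]
# Constructed tautology input of the kind the Figure 3 attack relies on.
PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The 'before' code: untrusted input is concatenated into the statement,
    so a quote in the input changes the statement's structure."""
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_rewritten(conn: sqlite3.Connection, name: str,
                     events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """The 'after' code: the same lookup with the input bound as a parameter,
    so the engine treats it as data, never as SQL syntax. An event is recorded
    for the SIEM when the input would have broken out of the string literal in
    the concatenated form (a simplified heuristic assumed for this example)."""
    if "'" in name:
        events.append({"rule": "sql-injection", "action": "parameterized", "input": name})
    return conn.execute("SELECT name, card FROM customers WHERE name = ?", (name,)).fetchall()


def demo() -> Tuple[int, int, int, int]:
    """Returns (rows leaked by the vulnerable code, rows returned by the rewritten
    code for the same payload, events logged, rows returned for a benign lookup)."""
    conn = make_db()
    events: List[Dict[str, str]] = []
    leaked = lookup_vulnerable(conn, PAYLOAD)      # every row, including card data
    safe = lookup_rewritten(conn, PAYLOAD, events)  # no rows: payload is just a name
    benign = lookup_rewritten(conn, "alice", events)
    return len(leaked), len(safe), len(events), len(benign)


if __name__ == "__main__":
    print(demo())  # (2, 0, 1, 1)
```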
Figure 5. Waratek Stops the SQL Injection Attack Without Changing the Application Code

Source: ESG, a division of TechTarget, Inc.

The Power of JIT Compilation — For Security-as-Code

In programming, a Just-In-Time (JIT) compiler translates code written by software engineers into the 1s and 0s the computer uses to perform operations. JIT compilers have been built to improve the performance of code at runtime, substituting highly optimized operations for less efficient ones. Waratek ARMR follows the same playbook, but to optimize security. When insecure coding practices crop up in the code, Waratek can swap in more secure code in the same way JIT compilers swap in more efficient code.
Visibility into potential attacks and vulnerabilities remains critical so development teams can learn and security analysts can determine the source of potential attacks. To this end, when a likely attack happens and Waratek hot swaps code, Waratek logs the event, as seen in Figure 6. These logs are easily accessed through Waratek’s administrator interface and can also be sent to the organization’s SIEM of choice.
Figure 6. Waratek Logs Protection Events

Source: ESG, a division of TechTarget, Inc.

Why This Matters

ESG research reveals that the vast majority (79%) of organizations knowingly push vulnerable code to production. Businesses feel pressured to do this by tight deadlines to deliver business value, even though it exposes them to significant risk.
ESG validated that Waratek ARMR protects applications by fixing vulnerable code at runtime. This is a significant departure from traditional methods like regular expressions or pattern matching that attempt to find attacks coming through the pipeline and block them. Waratek’s approach simply makes exploit attempts ineffective.
ARMR policies can be written imperatively to help mitigate new CVEs (Common Vulnerabilities and Exposures) and CWEs (Common Weakness Enumerations) discovered by the security community. This provides instant protection for all apps.
Waratek Security-as-Code protects all applications across multiple languages and platforms with no code changes required to deploy it. This makes the model more cost-effective than traditional WAF and RASP solutions, so organizations don’t have to pick and choose which applications to protect.

The Bigger Truth

Modern organizations face a significant challenge when addressing application security. They are expected to deliver business value quickly to stay competitive, but without exposing their applications to unnecessary risks. In the real world, most businesses make the difficult choice to deliver unsafe code with the intention of fixing it at some point in the future, preferably before a successful exploit.
Businesses typically use WAFs or RASPs to protect web applications. However, the way these tools are priced, they often become more expensive with each new application they protect, forcing organizations to choose which applications to protect and which to leave open to attack. Also, solutions that rely on pattern matching and regular expressions are prone to creating false positives, filling the security operations center with noise that makes it difficult to uncover the true threats.
Waratek Security-as-Code, powered by ARMR, doesn’t try to guess what activity might be an attack or raise hundreds of alerts for overwhelmed security analysts to dig through. It finds problem code and fixes it at runtime. ARMR can be deployed across all applications with the same configuration and protects them all. You no longer pick and choose which applications to protect. Instead, simply tell Waratek your desired security state, and Waratek maintains it.
Every production environment is different, so it’s important to plan and test Waratek’s capabilities in your own ecosystem. However, a large global company using Waratek in the field has reported that deploying Waratek remediated years of vulnerabilities and updated their out-of-date JRE (Java Runtime Environment) without requiring them to manually change any code. The same customer observed performance improvements for their applications under normal operating conditions and minimal performance impact while under attack compared to their pre-Waratek environment.
Waratek’s core mission is to protect organizations from exploitation via these vulnerable applications. If your organization is looking for mature, accurate, and comprehensive application security for the entire enterprise, ESG believes you should take a serious look at Waratek ARMR Security-as-Code Platform.

This ESG Technical Validation was commissioned by Waratek and is distributed under license from TechTarget, Inc.

All product names, logos, brands, and trademarks are the property of their respective owners. Information contained in this publication has been obtained by sources TechTarget, Inc. considers to be reliable but is not warranted by TechTarget, Inc. This publication may contain opinions of TechTarget, Inc., which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget, Inc.’s assumptions and expectations in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget, Inc. makes no warranty as to the accuracy of specific forecasts, projections or predictive statements contained herein.

This publication is copyrighted by TechTarget, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of TechTarget, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.

The goal of ESG Validation reports is to educate IT professionals about information technology solutions for companies of all types and sizes. ESG Validation reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objectives are to explore some of the more valuable features and functions of IT solutions, show how they can be used to solve real customer problems, and identify any areas needing improvement. The ESG Validation Team’s expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments.


Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.