INVITED ESSAY: The Many Benefits of Infusing Application Security During Software “Runtime”

Vulnerabilities in web applications are the leading cause of high-profile breaches.

The widely publicized Log4j zero-day vulnerability was first identified in late 2021, but security teams are still racing to patch and secure their business applications and services. This high-profile incident highlights the security risks associated with open source software and the challenges of protecting web applications against zero-day attacks.

To improve web application security, there are basic steps an organization should follow:

• Perform security testing earlier in the development cycle.

• Ensure software and operating systems are up to date and patched.

• Use a multi-layered, defense-in-depth approach.

However, the most significant protection against zero-day and other attacks comes from using security technologies that closely mirror how your application works. Security solutions, such as runtime application protection, provide the context, visibility, and control to identify and block new zero-day attacks launched against your applications.

How the ‘runtime’ works

Unlike traditional endpoint and network security solutions, such as EDR and WAF, which sit at the edge of the network, a runtime security tool, sometimes called Runtime Application Self-Protection (RASP), is located on the same server as the application and provides ongoing security and protection for the application while it is running.

With complete application visibility, a runtime solution can directly understand application control and execution flows, and constantly monitor and analyze an application’s execution to validate that code is working properly. By continually assessing vulnerabilities in instrumented code in real time, you have the context to identify new zero-day attacks as soon as they occur.

By contrast, traditional security tools that sit further from the application lack full insight and visibility. Such tools must rely on pattern matching, machine learning, and signatures from previous attacks, leading to many false alerts and, more importantly, missed zero-day attacks.

Runtime security technology also provides greater context and visibility into attack parameters, allowing runtime tools to identify exactly where the vulnerability is in the code. It can help the developer quickly reproduce the attack, resolve the issue in code, and safely get the application back up and running in production.

Runtime security technologies also provide a final, and perhaps most important, benefit for web applications in production, and that is the ability to block an attack as it occurs.

Unlike pattern-matching technologies, which often produce false positives, runtime security tools have the advantage of being closer to the application. This provides the context and visibility needed to decide when a vulnerability is real and exploitable, and when an application needs to be protected from attack.

The ability to block vulnerability attacks in running code is especially important when you consider that developers can take a long time to fix, test, and deploy remediated code.

Pre-production scrutiny

The benefit of sitting closer to the application also applies in test environments. While there is a growing emphasis on shifting left, or earlier security testing in software development, traditional application testing tools such as DAST and SAST often produce an overwhelming number of alerts, including many false positives.

Each of these alerts must be analyzed, which wastes the time of the security team and leads to longer debugging cycles. Without visibility within the application, it is impossible to understand if and exactly where a vulnerability occurs within the code, making remediation of vulnerabilities time-consuming and laborious.


Using a model similar to runtime application security tools, technologies such as Interactive Application Security Testing (IAST) use components that reside on the test server. IAST tools observe application code as it executes and can identify and pinpoint the location of a vulnerability down to the file name and specific line of code, allowing a developer to quickly locate the vulnerability for remediation.
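The following is an added illustration, written for this essay and not K2's or any vendor's agent code, of the two ideas above: an in-process guard that wraps the application's SQL "sink" and, at the moment untrusted request input reaches the query text, either records the file and line of the vulnerable statement (IAST-style reporting) or refuses to run the query (RASP-style blocking). The `RuntimeGuard`, `Finding` and `lookup_user_*` names, and the substring check used to spot untrusted input in the query, are assumptions made for the example.

```python
import inspect
import sqlite3
from dataclasses import dataclass


@dataclass
class Finding:
    file: str       # application source file where the sink was reached
    line: int       # line number of the vulnerable statement
    parameter: str  # request parameter whose value reached the query text
    sql: str        # the query as it arrived at the sink


class RuntimeGuard:
    """Constructed example of an in-process monitor (not a vendor agent).
    The web layer registers each request's untrusted parameters, and the SQL
    sink is wrapped so every query is checked against them before it runs."""

    def __init__(self, block: bool) -> None:
        self.block = block          # True = block (RASP), False = report only (IAST)
        self.params: dict[str, str] = {}
        self.findings: list[Finding] = []

    def begin_request(self, params: dict[str, str]) -> None:
        self.params = params

    def execute(self, cur: sqlite3.Cursor, sql: str, args: tuple = ()) -> sqlite3.Cursor:
        # Bound args never change the query text, so only an untrusted value
        # spliced verbatim into `sql` is an injection path. (Real agents track
        # taint through string operations; substring matching is a stand-in.)
        caller = inspect.currentframe().f_back   # application frame that hit the sink
        for name, value in self.params.items():
            if value and value in sql:
                self.findings.append(Finding(caller.f_code.co_filename,
                                             caller.f_lineno, name, sql))
                if self.block:
                    raise PermissionError(f"blocked: parameter {name!r} reached "
                                          f"SQL text at line {caller.f_lineno}")
        return cur.execute(sql, args)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")   # constructed sample data
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_vulnerable(conn, guard, username: str) -> list:
    # Deliberately vulnerable: the request value is concatenated into the query.
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    return guard.execute(conn.cursor(), sql).fetchall()


def lookup_user_fixed(conn, guard, username: str) -> list:
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    return guard.execute(conn.cursor(), "SELECT name FROM users WHERE name = ?", (username,)).fetchall()
```

In report-only mode the guard lets the tautology payload return every row but records the exact line that built the query; in blocking mode the same request never reaches the database, while the parameterised version passes untouched.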

Some tools, like those of the K2 security platform, take the extra step of probing the application to validate and identify only exploitable vulnerabilities and to assign an associated severity level. This allows teams to focus on the vulnerabilities that really matter and resolve them quickly.

With deeper visibility, IAST tools give organizations the ability to identify and address valid issues, allowing their developers to work more effectively. Teams can make informed decisions about which vulnerabilities to remediate, which to defer, and which to release to production, while also getting help in detecting false positives produced by other tools.

By being closer to the application, runtime and IAST tools give development and security teams the context, visibility, and control needed to bring secure software to market faster and to block sophisticated zero-day attacks before they wreak havoc on your company’s mission-critical business.

Isn’t it time to get comfortable with your applications?

About the essayist: Pravin Madhani is co-founder and CEO of K2 Cyber Security. He received his MS in Computer Engineering from UT in Austin and his BS in Electrical Engineering from IIT in Mumbai.

*** This is a syndicated Security Bloggers Network blog from The Last Watchdog written by bacohido. Read the original post at:
