News

Waratek Adds RASP Plug-In to AppSecurity for Java

• By John K. Waters
• October 3, 2016

Application security tools provider Waratek has released a new version of its AppSecurity for Java platform that automatically modernizes the security capabilities of older Java apps with a simple RASP plug-in. AppSecurity's new plug-in-based deployment model eliminates the need to replace the existing Java Runtime Environments (JREs), make changes to application code, use network filters or tune solutions. Applications running on legacy versions of Java inherit all the security and performance improvements associated with Java 8.

Gartner has defined RASP (Runtime Application Self-Protection) as "a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks." Waratek's implementation of the technology eliminates the need for code-level changes, application restarts or replacement of the existing Java Virtual Machines (JVMs).

"You're just basically adding a JAR file," explained James Lee, EVP of U.S. operations for the Dublin-based company. "It will automatically containerize the app and apply the benefits of the latest version of Java to the version you are running. If you're running Java 6 or Java 7, it'll pull it up to Java 8 -- seamlessly, as soon as you install and restart."

The virtualization-based AppSecurity product protects the Java Platform attack surface from known and unknown vulnerabilities by virtually applying critical patch updates and security policies at run time, Lee told ADTmag. The product's virtualization-based architecture introduces none performance penalties associated with other RASP products, he said.

Waratek has found its niche in a market overflowing with large enterprises that continue to run custom-developed, mission-critical applications on out-of-date versions of Java, Lee said. Many of those apps can't be taken offline for an upgrade. The company's products make it possible to apply cumulative patches, security and performance enhancements at run time.

"Virtually every large financial institution and enterprise we speak with cites legacy Java security vulnerabilities as their chief concern since they aren't able to take their critical applications offline to apply critical patch updates or upgrade the JRE," said Waratek CTO John Matthew Holt, in a statement. "Combining our unique virtualization architecture with a new plug-in deployment model, we've not only solved the security problem of running older Java applications but also boosted their performance since they inherit all of the benefits of the Java 8 platform."

Adding to the problem until recently was Oracle's failure to inform consumers that the Java SE update process did not remove all prior iterations of the software. As the Federation Trade Commission (FTC) put it last year in a complaint against the company, "Oracle left some consumers vulnerable to a serious, well known, and reasonably foreseeable security risk that attackers would target these computers through exploit kits, resulting in the theft of personal information ...." The FTC and Oracle settled the complaint in April.

RASP could also play a role in the ongoing evolution of DevOps. Gartner analysts have predicted that, by 2020, 40 percent of enterprises engaged in DevOps will developed their apps by adopting application security self-testing, self-diagnosing, and self-protection technologies.