Blog archive

Java Security: It's a Multilayer Problem

Things have quieted down quite a bit on the Java security front during the last year or so. Rare these days are the heart-stopping revelations of zero-day vulnerabilities; and fewer are the grumbling editorials about the lack of end-user update hygiene. (Although, as far as I'm concerned, that issue is still quite grumble-worthy.) Oracle's click-to-play feature was at least partly responsible for a 2014 in which there were no major zero-day Java vulnerabilities discovered and exploited in the wild.

Which is great, but not the end of the Java security story. As long as Java's enormous popularity in the enterprise continues, it's going to be an alluring target, Java security expert John Matthew Holt reminded me recently.

Holt is the CTO of Waratek, a company specializing in Java security, so you could argue that he has vested interest in Java insecurity. But he's right to point out that the Java stack has more than one layer. Even if you manage to keep up with Oracle's patch schedule for the Java platform layer, you still have to deal with the app server layer, the libraries and the business logic. And update schedules vary. For example: Oracle releases Java security fixes on the Tuesday closest to the 17th day of January, April, July and October; Apache releases Struts patches every 72 days.

"I give great credit to Oracle for addressing the vulnerabilities in the Java Platform layer," Holt said. "That's kind of a never-ending battle. Even if an organization manages to keep up with the Java security fixes, the vulnerabilities shift to somewhere else in the software stack."

For example: By my count, there have been 10 Struts vulnerabilities reported over the past two years with a CVSS rating of 9 or 10, which is very high and marks them as critical.

Holt is an enthusiastic proponent of Runtime Application Self Protection, or RASP, which Gartner has defined as "a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks." Holt's company makes a containerized RASP product, called Locker, which provides security monitoring, policy enforcement, and attack blocking from within the Java Virtual Machine (JVM).

"RASP is something very different," he said "We've never had a tool that lives inside the runtime and has the benefit of real, accurate, actionable intelligence about what the application is doing."

Holt's Dublin-based company also recently unveiled its new security technology I wanted to mention called the Taint Detection Engine, which is designed to detect and block SQL Injection attacks without generating false positives or relying on heuristics. The Taint Engine (Pipe down you snickering fifth graders!) is part of the company's AppSecurity for Java product.

As I'm sure you know, a SQL Injection involves inserting malicious SQL statements into an entry field for execution. A successful attack can, among other things, read and modify sensitive data and execute administration operations on the database. Depending on which analyst to pester until he/she emails you back just to shut you up, SQL Injection is responsible for as much as 80+ percent of the records stolen in hacking incidents. It's often at the top of most wanted list at OWASP and the SANS Institute. (OWASP has published a "Cheat Sheet" on SQL Injection that's worth reading.)

"It's insidious," Holt said. "Developers can download these kinds of libraries easily, and incorporate them into their applications. Their managers are happy because they delivered the product on time, but they've got all this code that the organization didn't write, didn't put up to a static analysis tool, didn't get results from, and hasn't been reviewed."

The AppSecurity for Java product performs transparent taint detection and validation of each character in a SQL query in real-time within the JVM. It's a cool product and worth investigating. Waratek went to SaaS and software security consultancy BCC Risk Advisory to have the above claims independently verified. Here's a link.

Posted by John K. Waters on April 8, 2015