In our last post, we explored how Threat Stack’s Application Security Monitoring embeds security in development processes — without negatively impacting agility or speed of application development and deployment. Empowering developers to proactively address software risk is central to organizations that “stretch left” to build security into their entire software development and deployment lifecycle. But even with the best security awareness, testing, and early problem identification and mitigation, some risk may always sneak by and make it into a running application.
One recent report found that 100 percent of web applications tested displayed at least one application vulnerability. They may not all be the most critical vulnerabilities, and they may never be successfully exploited by attackers, but they’re always out there lurking. Armed with this knowledge, attackers are constantly probing web applications, searching for weaknesses that will give them the access they need to carry out an attack. In addition to the development-time risk identification and remediation guidance that Threat Stack AppSec Monitoring provides, it can also detect and block these real-time attacks at runtime.
Threat Stack AppSec Monitoring offers runtime protection with four elements: Detect, Block, Notify, and Guide. In combination, these four elements give users the ability to discover attacks, prevent them from being carried out (preventing data breaches and other problems), and feed the DevSecOps workflow with the context that developers need in order to build in security that can help prevent future attacks.
More than 60 percent of the top web attacks are centered on basic XSS and SQL Injection attacks. While these are relatively simple and well understood, they continue to be favorites of attackers. Threat Stack AppSec Monitoring can detect these attacks by examining the payload that comes into the application from the web. The payload is simply the data part of an application request — it could be the field names and values in a web page form submission, or name/value pairs in an API call. We analyze the payload from within the running application to check whether it contains code that we can identify as being potentially malicious. This check is based on our own analyzer comparing the payload to well known attack signatures — currently more than 2,000 of them! Think of it as a security checkpoint inside an airport where guards examine the contents of travellers’ luggage to search for potentially dangerous items like guns or explosives. We look inside the payload for potentially dangerous items like SQL or noSQL injection strings or XSS code. Unlike airport security, however, our check is extremely fast!
Users can run Threat Stack AppSec Monitoring in one of two modes: Detect only or Self-protect. Self-protect mode is the best option for real-time defense. In this mode, any request with a malicious payload is stopped immediately — just like the airport security agent finding a weapon and denying entry to the airport. The application halts further execution of that individual request, and the attack is terminated. In Detect only mode, any malicious payloads identified are flagged and communicated to the users (see the next element, Notify), but the request is allowed to execute. This may be helpful when you’re running automated tests during development when it’s helpful to know that a simulated attack was successfully detected, but you still want to let the test continue.
Once an attack is detected and blocked, you need to be made aware of it so you can take steps to either mitigate damage or reduce the risk of future attacks. Threat Stack AppSec Monitoring delivers information about attacks in the web portal in a clear timeline format. But we know that not every member of every team will be logging into the Threat Stack portal, so we bring the essential information about the attack to you with ChatOps integration, allowing Slack, Google, or other chat tools to deliver information to the team. Attack notifications include the actual malicious payload contents, the attacker’s IP address, the URL and request method that was targeted, along with other essential information.
Screen: Attack View in Portal
All experiences create opportunities for learning. An attack on a web application creates an opportunity for your development team to improve their security skills, which can help them improve their code in the future. Threat Stack AppSec Monitoring shares learning content and attack forensic information to help build this improved developer security IQ. Each attack includes e-Learning content that explains the attack to developers in their own language, with code samples and links to further external learning content. A full stack trace is also shown to help the developer see the route handler that was invoked and what call stack was executed prior to the attack being blocked. This could lead to improved input sanitization or other application improvements.
Screen: SQLi Guidance
Bringing It All Together
In today’s fast-moving, cloud-native DevOps environments, it’s not possible to secure your applications solely by “shifting left” where developers are expected to find and fix security issues on their own, nor by bolting security on as a last-minute step, or just with runtime application security firewalls. Security needs to be woven into the entire software development, delivery, and operation process in a way that allows cooperation and collaboration among developers, operations, and security professionals. Threat Stack Application Security Monitoring identifies risk at development time and protects from live attacks in production, and also places these application-layer alerts within the wider context of Threat Stack’s cloud-native infrastructure security monitoring.
To learn more about Threat Stack’s Application Security Monitoring, which is available as part of the Threat Stack Cloud Security Platform® at no extra cost, sign up for a demo. Our Security experts will be pleased to discuss your specific security and compliance requirements.