Risk-Based Security and Self-Protection – Tech Trends #10
Are you aiming to make your environment 100% secure?
Well — there’s a danger you’re chasing an impossible goal.
In today’s digital business world, the goalposts move with every trend, development and attacker innovation – the chances of making your security totally and reliably watertight are constantly in flux.
So if you can’t be absolutely sure that no one can break through your defences, what can you do?
It’s time to stop focussing exclusively on battling back intruders and disasters and start thinking about what you’ll do if something does break through. In other words: it’s time to start rolling out sophisticated tools to handle risk assessment and mitigation.
And how does that work in the real world?
It means adopting a multi-faceted approach.
As Gartner predicted in a report released in 2014:
“Security-aware application design, dynamic and static application security testing, and runtime application self-protection combined with active context-aware and adaptive access controls are all needed in today’s dangerous digital world.
This will lead to new models of building security directly into applications. Perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting.”
Let’s break it down.
We live in exciting, innovative times. The rise of X applications (programs written for the X Window System on Linux) means that home geniuses the world over can experiment with software and application development, adding to a living and ever-evolving catalogue of creation and development.
Trouble is, these aren’t always as secure as they could be. But simple modifications and add-ons can help.
For example, as the NSA explains, when it comes to crowd-sourced, Linux-based innovations, the “vast majority” of X applications tend to be “unmodified, traditional, security-oblivious” programs – and even security-aware X servers have their limitations.
But a window manager can supply the inputs needed to make security decisions that the X server on its own lacks.
Such window managers draw visual labels that tell the user which window has keyboard focus, and can label windows according to their security context. Modifying the window manager in this way provides suitable coverage for Linux users, helping a security-oblivious system become security-aware.
Dynamic and Static Application Security Testing
Combining these two types of security testing can give essential insights that can’t be offered by relying on just one.
That’s because static application security testing (SAST) approaches the problem from the inside out, examining the code itself, whereas dynamic application security testing (DAST) works from the outside in, exercising the running application, so together they let you assess the issues from both directions.
So what does that mean in practice?
SAST examines an application’s source code, byte code and binaries for vulnerable patterns without running it. DAST exercises the application in its running state, probing it with inputs – often unexpected and unplanned – to find any points where it slips up. Each misses things the other catches: a static rule only knows the patterns it was written for, and a dynamic probe only sees paths its inputs actually reach.
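To make the inside-out versus outside-in distinction concrete, here is an added example (written for this page, not code from the original article or from any vendor). It defines a small constructed application with four HTML-rendering handlers, then runs a toy SAST rule over the source with Python’s `ast` module and a toy DAST probe against the running functions. The handler and function names (`render_profile`, `sast_unescaped_markup`, `dast_reflected_markup`) are hypothetical. The point to notice is that the two lists of findings differ: the static rule misses the f-string variant, and the dynamic probe cannot reach the concatenation behind the input validator.

```python
import ast
import textwrap

# Constructed sample application source (hypothetical, written for this example).
# Three of the four handlers are deliberately unsafe or questionable.
APP_SOURCE = textwrap.dedent('''
    import html

    def render_profile(name):
        # user input concatenated straight into markup
        return "<h1>Hello " + name + "</h1>"

    def render_profile_safe(name):
        return "<h1>Hello " + html.escape(name) + "</h1>"

    def render_profile_fstring(name):
        # same defect, but via an f-string
        return f"<h1>Hello {name}</h1>"

    def render_profile_validated(name):
        # same concatenation, but input is rejected unless alphanumeric
        if not name.isalnum():
            raise ValueError("bad name")
        return "<h1>Hello " + name + "</h1>"
''')

ENTRY_POINTS = ["render_profile", "render_profile_safe",
                "render_profile_fstring", "render_profile_validated"]


def _flatten_concat(node):
    """Flatten a chain of `a + b + c` into its operand nodes."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _flatten_concat(node.left) + _flatten_concat(node.right)
    return [node]


def sast_unescaped_markup(source):
    """Inside-out check: parse the source and flag every function that
    concatenates a bare parameter into a string literal containing '<'.
    Returns sorted (function, line) pairs."""
    findings = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        params = {a.arg for a in func.args.args}
        for node in ast.walk(func):
            if not (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add)):
                continue
            parts = _flatten_concat(node)
            markup = any(isinstance(p, ast.Constant) and isinstance(p.value, str)
                         and "<" in p.value for p in parts)
            tainted = any(isinstance(p, ast.Name) and p.id in params for p in parts)
            if markup and tainted:
                findings.add((func.name, node.lineno))
    return sorted(findings)


def dast_reflected_markup(source, entry_points, payload="<svg onload=alert(1)>"):
    """Outside-in check: run the code and call each handler with a marker
    payload; a handler that echoes it back unescaped is reported."""
    namespace = {}
    exec(compile(source, "<app>", "exec"), namespace)
    reflected = []
    for name in entry_points:
        try:
            output = namespace[name](payload)
        except Exception:
            continue  # input rejected before rendering; nothing came back
        if payload in output:
            reflected.append(name)
    return reflected


if __name__ == "__main__":
    print("SAST:", sast_unescaped_markup(APP_SOURCE))
    print("DAST:", dast_reflected_markup(APP_SOURCE, ENTRY_POINTS))
```

Run stand-alone it reports `render_profile` and `render_profile_validated` from the static pass, and `render_profile` and `render_profile_fstring` from the dynamic pass. Only the union of the two lists tells the full story, which is the argument for combining them; in practice the static finding on the validated handler is still worth fixing, because the validator may be loosened later.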
Runtime Application Self-Protection (RASP)
RASP instruments the application so that it monitors its own behaviour for malicious activity at runtime, reacting automatically in defined situations without a person having to get involved.
It’s built into the application itself to shield you against attacks as they happen, helping the application to defend itself well beyond network or endpoint perimeters. When a configured security condition is triggered, RASP takes control of the request and applies the necessary protection measures. These might include ending the user’s session, alerting security personnel or shutting the application down.
What’s more, by embedding the RASP hooks into the runtime or server that the application runs on, these protections are added without changing the application’s own design or code. The trade-off is that RASP only sees what passes through the hooks it has instrumented, and a false positive blocks a legitimate user, so its detection rules need to be precise.
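As an added example of the mechanism just described (written for this page, not any product’s code): a hypothetical RASP hook placed in the database driver rather than in the application. The application code builds SQL by string formatting and is left untouched; the hook, a `sqlite3.Connection` subclass installed through the standard `factory` parameter, checks at runtime whether any untrusted request value occupies more than one SQL token in the final query. If it does, the input has changed the query’s structure: the hook ends the session, records an alert and aborts the request before the query runs. The names `ProtectedConnection`, `begin_request`, `spans_token_boundary` and the sample rows are all constructed for this example; a real agent would taint request parameters automatically at the framework entry point instead of relying on a manual `begin_request` call.

```python
import re
import sqlite3

# Hypothetical RASP layer written for this example; not a product's code.
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'   |  # string literal ('' is an escaped quote)
    --[^\n]*         |  # line comment
    \d+(?:\.\d+)?    |  # number
    [A-Za-z_]\w*     |  # identifier or keyword
    \s+              |  # whitespace
    .                   # any other single character (operator, punctuation)
""", re.VERBOSE | re.DOTALL)

ALERTS = []        # a real RASP would ship these to the security team
_untrusted = []    # request-scoped taint: values that came from the user
_session = None


class Session:
    def __init__(self, user):
        self.user, self.active = user, True


class AttackBlocked(Exception):
    pass


def begin_request(session, params):
    """Called at request entry: remember who is acting and what they sent."""
    global _session
    _session = session
    _untrusted[:] = [str(v) for v in params.values()]


def spans_token_boundary(sql, value):
    """True when `value` occupies more than one SQL token inside `sql`, i.e.
    the input changed the query's structure instead of filling a literal.
    Simplification: only the first occurrence of `value` is examined."""
    if not value:
        return False
    start = sql.find(value)
    if start < 0:
        return False
    end = start + len(value)
    tokens = [m for m in TOKEN_RE.finditer(sql)
              if m.start() < end and m.end() > start and not m.group().isspace()]
    return len(tokens) > 1


class ProtectedConnection(sqlite3.Connection):
    """The RASP hook: sits in the database driver, so application code that
    calls conn.execute() is protected without being changed."""

    def execute(self, sql, *args, **kwargs):
        for value in _untrusted:
            if spans_token_boundary(sql, value):
                _session.active = False                       # end the user's session
                ALERTS.append({"user": _session.user, "input": value, "sql": sql})
                raise AttackBlocked(value)                    # abort before the query runs
        return super().execute(sql, *args, **kwargs)


# --- application code, left exactly as a careless developer wrote it ---------

def setup_db():
    conn = sqlite3.connect(":memory:", factory=ProtectedConnection)
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])   # constructed sample rows
    return conn


def lookup_role(conn, name):
    sql = "SELECT role FROM users WHERE name = '%s'" % name   # injectable by design
    return [row[0] for row in conn.execute(sql).fetchall()]


def run_demo():
    """A benign request succeeds; the injected one is blocked, the session
    is terminated and an alert is recorded."""
    ALERTS.clear()
    conn = setup_db()
    session = Session("bob")
    begin_request(session, {"name": "alice"})
    normal = lookup_role(conn, "alice")
    begin_request(session, {"name": "x' OR '1'='1"})
    try:
        lookup_role(conn, "x' OR '1'='1")
        blocked = False
    except AttackBlocked:
        blocked = True
    return {"normal": normal, "blocked": blocked,
            "session_active": session.active, "alerts": len(ALERTS)}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would want stated. First, the hook only guards `Connection.execute`; a query issued through `cursor.execute()` bypasses it, which is the general RASP limitation that it sees only what its instrumentation covers. Second, an input such as `O'Brien` placed into the unescaped literal is also blocked, because it too breaks the query into several tokens; that is the right call (the query would fail anyway), but it shows that RASP is a compensating control for the real fix, which is parameterised queries.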