Protecting legacy and third party applications and securing new technologies with application security requires a different approach compared to securing in-house developed code. Here’s how you can do it:
Protect the “Untouchables”
Like many things, the unfair part of securing applications is being responsible for those you don't control. Custom code and open source libraries can be secured using static code analysis, dynamic code analysis and software component analysis, but there is very little you can do about the risks in COTS (commercial off-the-shelf) and legacy applications (aka “the Untouchables”).
COTS applications offer little to no room for security customization, yet they make up a considerable part of the attack surface, so finding and fixing vulnerabilities in them is a monstrous task.
Legacy applications may no longer be fixable at all, or fixing their vulnerabilities may not be feasible for the organization. COTS and legacy applications are prime examples of where RASP can help.
Gartner defines RASP as: “Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.”
Virtual patching at the application layer and RASP are very practical ways to reduce risk for legacy applications and for applications that cannot be modified in the short term. This works by importing detected vulnerabilities into defensive technologies, which then provide immunity against those specific vulnerabilities without touching the application itself.
Supported integrations include: Micro Focus Fortify Application Defender (both static and dynamic integration, on-premises and cloud), Fortinet FortiWeb WAF (dynamic integration only) and Citrix Netscaler WAF (dynamic integration only).
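To make the "import detected vulnerabilities into a defensive technology" idea concrete, here is an added example (not Fortify, Fortinet or Citrix code, and not from the original post) of a minimal virtual-patch layer in Python. It takes scanner findings in a constructed export format, turns each one into a rule scoped to exactly the endpoint and parameter the finding names, and then blocks requests that carry attack input to that location while leaving every other request alone. The finding IDs, paths, parameters and request values are all constructed sample data; the signature patterns are deliberately narrow, because a virtual patch is a stop-gap tied to a known finding rather than a general-purpose WAF ruleset.

```python
"""Virtual patching from scanner findings (added illustration, constructed data)."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    """One vulnerability as a scanner might export it (constructed format)."""
    finding_id: str
    category: str      # e.g. "sql_injection", "xss"
    path: str          # endpoint the finding applies to
    parameter: str     # the tainted request parameter


# Detection signatures keyed by finding category. Only categories with a
# signature can be virtually patched; the rest still need real remediation.
PATTERNS = {
    "sql_injection": re.compile(r"('|\")\s*(or|and|union)\b|--|;\s*drop\b", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.I),
}


@dataclass
class VirtualPatcher:
    rules: dict = field(default_factory=dict)   # (path, param) -> [Finding, ...]
    log: list = field(default_factory=list)

    def import_findings(self, findings):
        """Turn each scanner finding into a rule; returns the number of patched locations."""
        for f in findings:
            if f.category not in PATTERNS:
                continue   # no signature for this category: leave it to code-level fixes
            self.rules.setdefault((f.path, f.parameter), []).append(f)
        return len(self.rules)

    def inspect(self, path, params):
        """Return (allowed, finding_id) for one request; finding_id is None when allowed."""
        for (rule_path, param), findings in self.rules.items():
            if path != rule_path or param not in params:
                continue
            value = params[param]
            for f in findings:
                if PATTERNS[f.category].search(value):
                    self.log.append(f"BLOCK {path} {param}={value!r} ({f.finding_id})")
                    return False, f.finding_id
        return True, None


# Constructed findings, as a scanner export might list them.
SAMPLE_FINDINGS = [
    Finding("F-1001", "sql_injection", "/legacy/search", "q"),
    Finding("F-1002", "xss", "/legacy/profile", "display_name"),
    Finding("F-1003", "buffer_overflow", "/legacy/upload", "file"),  # no signature: not patched
]


def demo():
    """Run constructed requests through the patcher and return the decisions."""
    vp = VirtualPatcher()
    vp.import_findings(SAMPLE_FINDINGS)
    return {
        "benign_search": vp.inspect("/legacy/search", {"q": "laptop bag"}),
        "sqli_search": vp.inspect("/legacy/search", {"q": "x' OR 1=1 --"}),
        "xss_profile": vp.inspect("/legacy/profile", {"display_name": "<script>alert(1)</script>"}),
        # Same payload on an endpoint with no finding: the virtual patch does not apply.
        "xss_elsewhere": vp.inspect("/legacy/help", {"display_name": "<script>alert(1)</script>"}),
    }


if __name__ == "__main__":
    for name, (allowed, fid) in demo().items():
        print(f"{name:15} allowed={allowed} finding={fid}")
```

The last case is the point worth noticing: the patch is keyed on the finding's location, so it does not silently change behaviour elsewhere in the application, which is what makes this approach acceptable for applications you are not allowed to modify. It also means an unpatched category (F-1003 above) must be tracked as open risk rather than assumed covered.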
Secure the New Hype: Open Source, Cloud and Containerization
The challenges with emerging and newly adopted technologies lie in the lack of knowledge and tools to secure them. Organizational security policies and best practices usually do not yet exist in the early days, and even once security expectations are set, finding the technology and tools that deliver the desired level of protection is another challenge.
Open source components are used in almost all software projects and are an enabler for developing quality software faster. But these benefits come with security risks in the components themselves, and therefore in your applications.
Securing open source components within custom code applications requires software component analysis, since compiled components cannot be scanned using static code analysis.
Fortify has built-in integrations with software component analyzers (like Black Duck and Sonatype) to find, fix, and fortify security vulnerabilities in non-custom portions of the code.
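As an added illustration of what a software component analyzer does at its core (this is not Black Duck, Sonatype or Fortify code, and not from the original post), the Python below parses a pinned dependency manifest and matches each component against advisory records using version ranges. The manifest, the advisory IDs and the affected version ranges are constructed; real analyzers draw on curated vulnerability databases and resolve transitive dependencies, which this example does not attempt.

```python
"""Software component analysis in miniature (added illustration, constructed data)."""
import re

# Constructed requirements.txt-style manifest for a hypothetical service.
MANIFEST = """
# pinned dependencies of a hypothetical service
requests==2.19.0
pyyaml==5.3.1
flask==2.0.3
cryptography==41.0.0
"""

# Constructed advisory records: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "requests", "introduced": "0", "fixed": "2.20.0"},
    {"id": "ADV-EXAMPLE-2", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "ADV-EXAMPLE-3", "package": "flask", "introduced": "0", "fixed": "2.0.3"},  # fixed at the pinned version
]


def parse_version(v):
    """Numeric tuple for comparison (simplified: pre-release tags are ignored)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_manifest(text):
    """Return {package: pinned_version}; unpinned lines are rejected because SCA needs exact versions."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version, introduced, fixed):
    """Half-open range check: the 'fixed' version itself is not affected."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def analyze(manifest_text, advisories):
    """Return one record per (component, advisory) match, with the version that fixes it."""
    deps = parse_manifest(manifest_text)
    hits = []
    for adv in advisories:
        pinned = deps.get(adv["package"].lower())
        if pinned and is_affected(pinned, adv["introduced"], adv["fixed"]):
            hits.append({"package": adv["package"], "pinned": pinned,
                         "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for h in analyze(MANIFEST, ADVISORIES):
        print(f"{h['package']}=={h['pinned']} affected by {h['advisory']}, upgrade to {h['fixed_in']}")
```

Two details matter in practice and are reflected here: the range check is half-open so a component pinned exactly at the fixed version is not reported, and unpinned requirements are rejected rather than guessed, since a component cannot be assessed without knowing which version is actually deployed.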
Micro Focus Fortify Application Defender can be added to your CI/CD tool chain to provide RASP to any application, no matter where it lives. Whether you are building and running your application on-premises, inside a container or in the cloud, Fortify provides the static, dynamic and runtime detection and protection capabilities that give you application security visibility.
This post is part of Fortify Integrations series, starting with the main post, Integrations: Empowering Dev, Test & Ops with Security