Active Protection

Application Security Platform

A cohesive solution for Application Security Teams

Patented Runtime Protection with Superior Results

Waratek takes your application security program beyond a WAF without using heuristics. Based on patented virtualization technology, Waratek’s application security platform produces zero false positives, requires no code changes, tuning or instrumentation, and takes minutes to install – providing instant protection from the OWASP Top Ten as well as Zero Day attacks. These benefits apply to new and legacy platforms and cannot be provided by your current WAF or emerging technologies like RASP based on instrumentation or filters.

Learn more about a few of the unique approaches to security and application operations available exclusively from Waratek.

of web applications include open source code

(SOURCE: Black Duck)

of all applications have at least one vulnerability in them: more than 13% have at least one critical severity flaw

(SOURCE: Veracode)

Known and Zero Day Attack (CWE) Protection

Protection against CWEs using rules that detect and block OWASP Top Ten, SANs 25, and Zero Day attacks.

  • Command Injection
  • Cross Site Request Forgery (CSRF)
  • Cross Site Scripting (XSS)
  • Path Traversal
  • Local File Include
  • SQL Injection
  • Untrusted Deserialization
  • Missing Encryption of Sensitive Data
  • Cleartext Transmission of Sensitive Information
  • Unrestricted Upload of File with Dangerous Type
  • Direct Use of Unsafe JNI
  • Open Redirect
  • Improper Input Validation
  • Dynamic Code Evaluation: Code Injection
  • Use of a Broken or Risky Cryptographic Algorithm
  • Unsafe Reflection
  • Session Fixation
  • External Control of Filename or Path
  • Legacy Java Protection
  • Clickjacking
  • HTTP Input Validation

 

DESERIALIZATION OF UNTRUSTED DATA

Deserialization of Untrusted Data

Some of the most widespread security vulnerabilities to occur over the last couple years are related to when applications deserialize data from untrusted sources.

Waratek’s unique, patented virtualization approach to application security remediates Java object deserialization attacks using a secure runtime container and by turning on a single security rule. The full application stack is automatically protected against Java deserialization attacks, both known or unknown (Zero-Day), without:

  • Source code changes
  • Configuration
  • Application profiling
  • Black or white listing
  • False positives or negatives
  • Breaking existing functionality

The same deserialization vulnerability found in a version of Apache Commons Collections library used in 21% of Java applications was present in developer-authored code used in 25% of Java applications

 

(Source: Veracode)

SUGGESTED READING:

Heuristics-free approach to Deserialization protection

DOWNLOAD DISCUSSION PAPER

SUGGESTED VIEWING:

Learn how we protect against Deserialization without black or white lists

VIEW WEBINAR

SUGGESTED VIEWING:

OWASP London Charter

Known Vulnerability (CVE) Protection

Waratek offers protection against CVEs based on routine and emergency patches released by vendors.

Custom CVE patches are also available upon request. Here are just a few CVE patches that are available…..

CVE-2012-2098, CVE-2010-1632, CVE-2012-5785, CVE-2010-1632, CVE-2007-6721, CVE-2016-1000341, CVE-2016-1000343, CVE-2016-1000345, CVE-2016-1000342, CVE-2016-1000339, CVE-2016-1000338, CVE-2016-1000352, CVE-2016-1000344, CVE-2015-7940, CVE-2016-1000346, CVE-2016-1000341, CVE-2016-2510, CVE-2014-0114, CVE-2014-0114, CVE-2014-0114, CVE-2015-7501, CVE-2012-2098, CVE-2013-2186, CVE-2014-0050, CVE-2016-1000031, CVE-2016-3092, CVE-2013-0248, CVE-2013-0248, CVE-2016-3092, CVE-2014-0050, CVE-2016-1000031, CVE-2013-2186, CVE-2014-0050, CVE-2013-0248, CVE-2016-3092, CVE-2012-6153, CVE-2009-4269, CVE-2015-1832, CVE-2014-7810, CVE-2014-3558, CVE-2014-3558, CVE-2014-3558, CVE-2007-4575, CVE-2014-3577, CVE-2015-5262, CVE-2011-1498, CVE-2012-6153, CVE-2015-5262, CVE-2015-5262, CVE-2014-3577, CVE-2015-1833, CVE-2016-6801, CVE-2016-2175, CVE-2009-4611, CVE-2016-5725, CVE-2015-0254, CVE-2017-5929, CVE-2016-3092, CVE-2013-0248, CVE-2014-0050, CVE-2013-2186, CVE-2016-1000031, CVE-2015-2944, CVE-2009-4611, CVE-2014-0114, CVE-2013-2186, CVE-2016-3092, CVE-2016-1000031, CVE-2013-0248, CVE-2014-0050, CVE-2011-4969, CVE-2013-4002, CVE-2009-2625, CVE-2016-6801,CVE-2015-1833, CVE-2012-2098, CVE-2014-0114, CVE-2015-1833, CVE-2013-4002, CVE-2016-6801, CVE-2009-2625, CVE-2016-2175, CVE-2016-3092, CVE-2014-0050, CVE-2012-2138, CVE-2012-2098, CVE-2013-4002, CVE-2009-4269, CVE-2013-0248, CVE-2009-2625, CVE-2013-2186, CVE-2012-0213, CVE-2009-4611, CVE-2017-5644, CVE-2015-1833, CVE-2015-1832, CVE-2014-7810, CVE-2014-9527, CVE-2011-4969, CVE-2015-2944, CVE-2016-6801, CVE-2014-0114, CVE-2016-1000031, CVE-2014-3529, CVE-2014-3574, CVE-2014-7810, CVE-2012-2138, CVE-2017-5644, CVE-2014-3574, CVE-2014-3529, CVE-2012-0213, CVE-2014-9527, CVE-2014-3490, CVE-2014-7839, CVE-2016-6346, CVE-2016-6345, CVE-2009-1190, CVE-2009-1190, CVE-2010-1622, CVE-2010-1622, CVE-2011-2894, CVE-2011-2894, CVE-2014-3578, CVE-2013-4152, CVE-2014-0054, CVE-2014-0225, CVE-2015-3192, CVE-2011-2894, CVE-2010-3700, CVE-2012-5055, CVE-2012-5055, CVE-2010-3700, CVE-2011-2894, CVE-2011-2894, CVE-2012-5055, CVE-2012-5055, CVE-2015-3192, CVE-2013-6430, CVE-2013-6430, CVE-2011-2730, CVE-2013-6430, CVE-2014-0054, CVE-2013-6429, CVE-2016-9878, CVE-2013-6430, CVE-2014-0225, CVE-2013-6430, CVE-2016-9878, CVE-2016-9878, CVE-2015-5211, CVE-2016-9878, CVE-2014-1904, CVE-2014-3625, CVE-2015-0254, CVE-2006-1548, CVE-2014-9527, CVE-2012-2098, CVE-2012-0213, CVE-2014-3574, CVE-2016-2175, CVE-2017-5644, CVE-2014-3529, CVE-2007-6726, CVE-2015-0227, CVE-2014-3623, CVE-2011-2487, CVE-2009-2625, CVE-2014-0107, CVE-2009-2625, CVE-2013-4002, CVE-2009-2625, CVE-2013-4002, CVE-2009-2625, CVE-2013-4517, CVE-2013-2172, CVE-2009-0217, CVE-2013-7285, CVE-2016-3674 and more….

For a full list of the CVEs remediated by Waratek, ask your Waratek representative or contact us by email.

 

APACHE STRUTS 2

Vulnerability CVE-2017-5638

Waratek offers a Virtual Patch for customers to address the new high severity vulnerability – CVE-2017-5638 – that exposes organizations using the Struts 2 framework to any general code injection attack. The Waratek solution fully remediates this vulnerability with a virtual patch that can be live-updated without taking affected applications out of production.

Struts 2 users need to take immediate action. Applying the binary patch offered by Apache requires some application downtime,” noted John Matthew Holt, Waratek’s Founder and CTO. “For users who have made custom changes on Struts source code, it could take days or weeks to upgrade.  A virtual patch can be applied immediately while the application continues to run – with no code changes and without restarting the application.”

Even prior to the announcement of the vulnerability, Waratek’s core functionality protected against Proof-Of-Concept (POC) exploits of CVE-2017-5638 that perform remote-command execution.  The new virtual patch is a specific one-line security rule that fully remediates this vulnerability and was developed in less than one-day after the vulnerability was announced.

First introduced in Struts 2.3.5 released in October 2012, the vulnerability identified in CVE-2017-5638 has been available for Zero Day exploits for more than four years.

Technical Analysis and Commentary

apache struts
DOWNLOAD PAPER

See how easy it is to patch this vulnerability

Compiler Based Runtime Application Self Protection (RASP)

Providing unique patented runtime protection

Applications today are generally protected by ineffective Web Application Firewalls (WAFs) and other tools that rely heavily on instrumentation or filters to guess if a request is a malicious attack or a permissible action.  Such heuristic-based approaches often produce false positives at an unacceptably high rate. In a recent Cisco report, nearly 45% of organizations receive at least 1.8 million security alerts each year, 1.3 million of which are false alarms or never investigated.

NO FALSE POSITIVES SECURITY

Waratek’s patented virtualization-based security technology allows us to determine if an operation is an attack or a permissible request with 100% accuracy.  During the two years our patented technology has been in global production, it has never produced a false positive.

If that wasn’t enough, Waratek also offer a “No Break” Guarantee – Waratek’s virtual patches will not break your applications.

LEARN MORE

SUGGESTED VIEWING:

Learn how we achieve No False Positives Security

VIEW WEBINAR

 

NAME SPACE LAYOUT RANDOMIZATION (NSLR)

Name Space Layout Randomization

Name Space Layout Randomization or NSLR is the equivalent of Address Space Layout Randomization (ASLR) for Java-based applications. Developed by Waratek, NSLR hardens the Java Virtual Machine (JVM) by randomizing the JDK namespace (Java packages), which makes code injection exploits so difficult to execute that they become unfeasible.

Attempts to brute force a system and retrieve the randomized package name will not work. Waratek’s standard configuration includes NSLR with a minimum level of security at 96-bit names, which would likely require several thousand years to crack the encryption. Names can be randomized up to 1024 bits.

SUGGESTED READING:

NAME SPACE LAYOUT RANDOMIZATION OVERVIEW

DOWNLOAD DATA SHEET

Check our Frequently Asked Questions

READ MORE

 

CSO Review

CSO Review

Container security: How Waratek blocks Java exploits

Waratek relies on just-in-time compiling and focuses exclusively on one of the biggest security risks within most organizations: applications running Java.

Read Now

Waratek Application Security Platform

Technical Analysis

April 15, 2020 in News, Patching, Technical

Oracle April 2020 CPU represents a double-digit increase in software patches

The April 2020 Oracle Critical Patch Update (CPU) includes 397 patches across Oracle’s product suite, an 18 percent hike over the January 2020 CPU and a 33% year-over-year increase. The…
Read More
April 10, 2020 in Alerts, Blog, Patching, Technical

Oracle Critical Patch Update Preview: April 2020 CPU could top 400 patches, a double-digit year-over-year increase

The April Oracle 2020 Critical Patch Update (CPU) could see a 37% increase in software patches across the Oracle product suite based on a pre-release of the quarterly update due…
Read More
March 5, 2020 in Alerts, Blog, Technical

The End is Near: After decades, TLS 1.0 & 1.1 go end-of-life in March

Waratek makes compliance easy The world of computing was very different in 1999. U.S. online retail sales totaled $15B according to the Department of Commerce, but online worldwide sales figures…
Read More
January 2, 2020 in Blog, Enterprise Applications, News, Technical

Common Threats for Enterprises and SMB’s

2019 saw no shortage of major cybersecurity events. More than 8 billion consumer records were accessed in breaches against companies of all sizes. Victims ranged from world-renowned companies such as…
Read More
June 17, 2019 in Alerts, Legacy, Patching, Technical, Zero Day

[Updated] New WebLogic Zero-Day RCE Vulnerability

Oracle have issued a patch for this new vulnerability CVE-2019-2729 Please note that this Oracle fix has the same limitations as their previous fix. Oracle’s patch is available only for…
Read More
April 17, 2019 in Alerts, Technical

Q2 2019 Oracle CPU: Uptick in Severity for Oracle Vulnerabilities

Overall trends point to continued risks from remote control execution vulnerabilities The number of patches in the quarterly Oracle Critical Patch Updates (CPU) for April 2019 is 297, still fewer…
Read More
November 15, 2018 in Blog, Technical

The Java Deserialization Problem

The Java deserialization problem occurs when applications deserialize data from untrusted sources and is one of the most widespread security vulnerabilities to occur over the last couple years. This article provides…
Read More
November 5, 2018 in Blog, Technical

Why Are Deserialization Vulnerabilities So Popular?

Wondering why deserialization vulnerabilities are so popular? Learn more about deserialization, why it happens, and CPU fixes. In 2017, around 60 remote code execution (RCE) deserialization vulnerabilities were reported, not…
Read More

Try A Demo
& Get Protected.

Get a free POC when you schedule now.