Solution

Insecure Deserialization

Waratek’s Security-as-Code platform wholly and automatically protects the entire application stack against Java deserialization attacks

Your challenge

Serialization is widespread across APIs, microservices, and client-side MVC frameworks. Deserialization is the reverse process: it converts the serialized stream of bytes back into an object in the machine's memory.

The main driver for this vulnerability is a dangerous class in the Apache Commons Collections library: `InvokerTransformer`. However, disabling this class is not the proper way to address deserialization of untrusted data, and it may break the application.

Other recommended approaches may reduce the impact of a deserialization attack, but they do not protect against blind attacks aimed at data exfiltration or against Denial of Service deserialization attacks.

The solution

Using Waratek’s Security-as-Code platform and turning on the declarative “Deserial” rule wholly and automatically protects the entire application stack against Java deserialization attacks, known or unknown (zero-day).

Waratek achieves this level of protection by creating a dynamic, restricted compartment inside its platform. This restricted compartment is active for the duration of each deserialization operation and afterward, such as during garbage collection. It allows any legitimate functionality to run normally but prohibits any gadget chain from abusing and compromising the system. As a result, systems that depend on `InvokerTransformer` can keep using it without being exposed to malicious gadget chains.
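As an added illustration that is not Waratek's code or its compartment mechanism, the JDK's own per-stream deserialization filter (ObjectInputFilter, JDK 9+) shows the same shape of control in standard Java: a restriction scoped to one deserialization operation that lets expected classes through and rejects everything else, including oversized or deeply nested graphs. The allowlist and the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.*;

public final class ScopedDeserialization {

    // Constructed allowlist for this demo: only the classes this endpoint expects.
    // "!*" rejects every other class, so a gadget-chain class is never instantiated.
    // The limits reject oversized or deeply nested graphs (resource-exhaustion payloads).
    private static final String FILTER_PATTERN =
            "maxdepth=16;maxrefs=1000;maxbytes=65536;"
          + "java.util.ArrayList;java.lang.String;java.lang.Integer;!*";

    private static final ObjectInputFilter RESTRICTED =
            ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    // The filter is attached to this one stream, so it governs only this operation.
    public static Object readRestricted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(RESTRICTED);
            return in.readObject();
        }
    }

    // Helper to build sample streams locally; real input would arrive over the network.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<String> expected = new ArrayList<>(List.of("order-42", "order-43"));
        System.out.println("allowed: " + readRestricted(serialize(expected)));

        // HashMap is not on the allowlist, so it stands in for any class the
        // endpoint never legitimately receives; the stream is rejected before
        // the class is resolved or any of its readObject logic runs.
        try {
            readRestricted(serialize(new HashMap<String, Integer>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as an InvalidClassException with a "filter status: REJECTED" message, which is a useful signal to log and alert on.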

Waratek products used

As a public company, protecting our enterprise applications is a high priority, and Waratek has played a significant role in achieving that goal.

Push-button immutable security

Waratek achieves 100% accuracy with zero false positives against insecure deserialization vulnerabilities at the push of a button by creating a dynamic restricted compartment. This compartment is active for the duration of each deserialization operation and afterward during garbage collection. It allows any legitimate functionality to run normally but prohibits any gadget chain from abusing and compromising the system.

Customer success story

Global commercial real estate company

Zero-day protection: 24/7
Coverage of OWASP Top 10 and SANS 25: 100%
Reduction in false positives: 100%

Why Waratek

Companies use Waratek Secure to ensure a hardened security posture across all of their apps while maintaining agility in the software development lifecycle.

Eliminate toil spent on false positives and negatives
Mitigate risk of vulnerability regressions after deployment
Modernize legacy apps to secure EOL language versions
Automate the remediation of code vulnerabilities

Featured resource

CI/CD Security vs. Security-as-Code: which lowers risk more?

Ready to scale security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.