In a report distributed under the label Maverick Research, Gartner’s Joseph Feiman says it is time to change the way IT does security.
“Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority.”
His reasoning seems to make sense:
“Infrastructure and perimeter protection technologies inherently lack insight into application logic and configuration, event and data flow, executed instructions and data processing. Thus, they lack the necessary means to ensure accurate detection of application vulnerabilities and protection against application-level attacks.”
There are too many apps to test, testing fails to scale to enterprise demand, and the testing tools are too complex and inaccurate, writes Feiman.
Otherwise everything looks fine.
Well, maybe not. He writes that the ratio of perimeter security to application security is 23:1.
“Considering the ineffectiveness of perimeter protection in stopping attacks, this ratio cries for a fundamental change.”
Feiman believes self-protection of applications is quite achievable.
“We believe that by 2020, 25% of Web and cloud applications will become self-protecting, up from less than 1% today.”
The feasibility of application self-protection, he added, comes down to the small number of run-time engines in widespread use, such as the Java Virtual Machine (JVM) and the .NET Common Language Runtime (CLR).
“…two capabilities that should be built into any application’s runtime — self-protection and self-testing/self-diagnostics.”
Famous for its Magic Quadrant and Hype Cycle analytics, Gartner has to put this Maverick Research somewhere, and Feiman places it in “Emerging,” with the expectation that it would take Runtime Application Self-Protection (RASP) 10 years to reach the Plateau of Productivity. (Yes, they really write like that, but it kind of grows on you.) The speed of adoption could be accelerated by cloud providers like Amazon and Microsoft because they control the runtime environment.
Waratek, a provider of software that supports virtual JVM installations, said it embeds security in the Java execution platform. (Waratek was a member of the London FinTech Innovation Lab sponsored by Accenture and I have written about them here a few times.) It has published its own whitepaper explaining how it does what Gartner advocates in security.
Embedding “… security in the Java execution platform (JVM), avoids the implementation problems of current offerings, while greatly improving attack mitigation,” the whitepaper says. I wrote about a major European money-center bank, which could not be named, that found Waratek had solved some key security issues the technology company hadn’t been aware it could fix.
“Waratek have added a security rules engine that allows enterprises, PaaS and SaaS cloud providers to protect business-critical applications without application changes.”
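To make the idea concrete, here is an added example of what a runtime-embedded rules engine looks like at a small scale. It is not Waratek's product and not code from Gartner's report; it uses Python's standard sqlite3 module as a stand-in for a JVM-level hook, because SQLite exposes an authorizer callback that the engine invokes while compiling every statement, once per table/column read and per schema operation. That is the view of "executed instructions and data flow" Feiman says the perimeter lacks. The policy (the DENIED_COLUMNS and DENIED_ACTIONS sets), the RuntimeGuard class, install(), and the sample application functions are all constructed for this illustration; the guard is installed by patching the runtime entry point sqlite3.connect, so the application code stays unchanged, which is the property the Waratek quote above claims for its rules engine.

```python
import sqlite3

# Constructed policy for this example (an assumption, not Waratek's rule set):
# columns the application's query paths must never read, and statement
# classes the application never issues on its own, so any occurrence at run
# time is treated as an attack carried in by untrusted input.
DENIED_COLUMNS = {("users", "password_hash")}
DENIED_ACTIONS = {
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_ATTACH,
    sqlite3.SQLITE_PRAGMA,
}


class RuntimeGuard:
    """Rules engine hooked into the SQL engine's authorizer callback.

    SQLite calls authorize() while compiling each statement, once for every
    table/column read and every schema operation, before any row is produced.
    """

    def __init__(self):
        # Self-diagnostics: every denial is recorded with what was attempted.
        self.events = []

    def authorize(self, action, arg1, arg2, dbname, trigger):
        if action in DENIED_ACTIONS:
            self.events.append(("deny-action", action, arg1))
            return sqlite3.SQLITE_DENY
        if action == sqlite3.SQLITE_READ and (arg1, arg2) in DENIED_COLUMNS:
            self.events.append(("deny-read", arg1, arg2))
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK


GUARD = RuntimeGuard()
_original_connect = sqlite3.connect


def _guarded_connect(*args, **kwargs):
    conn = _original_connect(*args, **kwargs)
    conn.set_authorizer(GUARD.authorize)
    return conn


def install():
    """Install protection at the runtime entry point.

    Application code keeps calling sqlite3.connect() unchanged; every
    connection it opens from now on carries the guard.
    """
    sqlite3.connect = _guarded_connect


# --- Unchanged "application" code below; it knows nothing about the guard. ---

def make_app_db():
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'deadbeef')")
    return conn


def lookup_user(conn, name):
    # Deliberately vulnerable: string concatenation. A perimeter filter only
    # sees the HTTP parameter; the runtime sees which columns the resulting
    # statement actually reads.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as "not authorized"
        return ("blocked", str(exc))


def run_statement(conn, sql):
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    install()
    db = make_app_db()
    print(lookup_user(db, "alice"))
    print(lookup_user(db, "' UNION SELECT id, password_hash FROM users --"))
    print(run_statement(db, "DROP TABLE users"))
    print(GUARD.events)
```

The legitimate lookup still works, the UNION injection fails at compile time because the runtime sees a read of users.password_hash that the policy forbids, and a DROP TABLE is refused before it touches the schema; each denial lands in GUARD.events, which is the self-diagnostics half of Feiman's pair. Two caveats a practitioner should keep in mind: the check runs when the statement is compiled, so a connection opened before install() is not covered, and returning SQLITE_IGNORE instead of SQLITE_DENY would let the statement run with the protected column read as NULL, which is sometimes preferable to an error but hides the attempt from the application.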