How a Major Bank Hacked its Java Security

By September 30, 2014 October 19th, 2017 News

Deutsche Bank London helped create a new application self-defense tool to lock down and virtually patch its Java-based enterprise applications — even the oldest ones.

Deutsche Bank AG London has what many large enterprises have: numerous internal applications based on various versions of Java, many of which are older and can’t be patched nor updated. So the bank helped develop a tool that sits below the application to detect and prevent attacks and apply virtual patches.

The bank, a subsidiary of Deutsche Bank AG, made the move after it inventoried its hundreds of internal applications and discovered a mix of old and new versions of Java, some of which were legacy applications that had become increasingly difficult to patch or update. Oracle’s Java infamously has been riddled with security vulnerabilities, and Java client machines have become a favorite target of attackers.

“We [had] uncovered a large degree of variance of Java deployed in the bank’s infrastructure,” Hussein Badakhchani, vice president of Deutsche Bank London, says in an exclusive interview with Dark Reading today. His application group teamed up with IT security to determine how to secure the large number of legacy Java applications running at the bank.

The initial goal was to convert its applications — everything from payments to training apps — to a new platform-as-a-service the bank had built based on Java Virtual Machine (JVM). “We wanted to move away from DIY to a managed service” for enterprise applications. “The question becomes ‘If you can’t decommission an application and you can’t operate it [or update its Java version], what can you do with it?'”

The bank worked with security vendor Waratek to create a tool that runs within JVM and efficiently secures legacy Java applications. Call it application self-defense: The result was a software solution that uses what Gartner analyst Joseph Feiman calls a “self-protecting” application approach, or Runtime Application Self Protection (RASP). According to Feiman, RASP detects and blocks attacks, and it operates in the application’s runtime environment.

“Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection,” he writes in a new Gartner Maverick Research report on RASP. Gartner predicts that 25% of web and cloud applications will become self-protecting by 2020; fewer than 1% operate that way today.


This article first appeared in Dark Reading written by Kelly Jackson Higgins.

Read the full article here

News

Author News

More posts by News

Leave a Reply

X