Imperva Advances Autonomous Application Protection Capabilities

EXCLUSIVE: Imperva is building out Runtime Application Self Protection (RASP) technology that it gained via the 2018 acquisition of Prevoty, to help organizations detect network activity threats and weak cryptography at application runtime.



Imperva is adding new capabilities to its Runtime Application Self Protection (RASP) technology platform that enables organizations to better protect their workloads.

The ability to automatically protect code at runtime from threats is the domain of RASP technology. Imperva entered the RASP business via the acquisition of RASP vendor Prevoty in July 2018 and is now expanding the offering with new capabilities and integration into the company's broader portfolio. The new release is Autonomous Application Protection version 3.10 and integrates features to detect weak cryptography, as well as potential network activity threats.

"We're pretty excited about this release just because it fundamentally alters and changes the way that RASP is considered and will be considered by many organizations," Kunal Anand, CTO of Imperva, told eWEEK. "I think it speaks to the grander vision that we have at Imperva."

Anand was the co-founder and CTO of Prevoty prior to acquisition and has now transitioned to become the CTO of Imperva, with responsibilities across the company's portfolio.

Network Activity Protection

RASP technologies in general look to protect code from executing potentially malicious processes. With version 2.10 of Autonomous Application Protection, Imperva is now looking beyond just what an application executes as a process to what an application attempts to connect to at the network level. Anand said Autonomous Application Protection is now looking at HTTP calls that could potentially go anywhere with the new network activity protection feature.

"So if you have an application that's communicating with another application, to a microservice, or to a REST API, you now have complete visibility in terms of the line of code where we're seeing the execution from, what it's talking to you, what it's sending and what it's getting back," he explained.

Network visibility for runtime code matters for defending against emerging forms of attack. With network activity protection in the code runtime, an organization can also restrict an application to communicating only with specified services. Anand said that Prevoty had been working on the network activity protection feature before being acquired by Imperva. As part of Imperva, he said, additional development work is underway to link the feature with the company's broader security intelligence capabilities and enhance it further in the future.
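As an added illustration of the runtime network policy described above (not Imperva's code; a Python stand-in for the agent's instrumentation), this hook wraps socket.create_connection so every outbound connection is checked against an allowlist and logged with the file and line of the calling code before any DNS lookup or handshake occurs. The allowlist and the destination names are constructed for the example.

```python
import inspect
import socket

# Constructed allowlist of (host, port) pairs this service may reach; the names are hypothetical.
ALLOWED_DESTINATIONS = {("api.payments.internal", 443), ("db.orders.internal", 5432)}

class OutboundBlocked(ConnectionRefusedError):
    """Raised when application code tries to reach a destination outside the allowlist."""

def check_destination(host, port, events, depth=1):
    """Apply the allowlist to (host, port) and record the decision together with the file:line
    of the code that asked for the connection (depth = how many frames up that code is)."""
    frame = inspect.stack()[depth]
    decision = "allow" if (host, port) in ALLOWED_DESTINATIONS else "block"
    events.append({"host": host, "port": port, "decision": decision,
                   "code": f"{frame.filename}:{frame.lineno}"})
    return decision == "allow"

def install_hook(events):
    """Wrap socket.create_connection so every outbound connect is policy-checked before any
    DNS lookup or TCP handshake. Returns the original function so it can be restored."""
    original = socket.create_connection
    def guarded(address, *args, **kwargs):
        host, port = address
        if not check_destination(host, port, events, depth=2):  # 2: the frame above guarded
            raise OutboundBlocked(f"outbound connection to {host}:{port} is not allowed")
        return original(address, *args, **kwargs)
    socket.create_connection = guarded
    return original

def uninstall_hook(original):
    """Restore the unwrapped socket.create_connection."""
    socket.create_connection = original

def attempt_is_blocked(host, port, events):
    """Install the hook, try one connection, and report whether policy stopped it."""
    original = install_hook(events)
    try:
        socket.create_connection((host, port), timeout=1)
    except OutboundBlocked:
        return True
    finally:
        uninstall_hook(original)
    return False

if __name__ == "__main__":
    log = []
    print("blocked:", attempt_is_blocked("telemetry.example", 443, log), log[-1])
```

Code that uses the standard library's http.client or urllib goes through socket.create_connection, so it is covered by the hook; libraries that open sockets another way would need their own hook point.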

Weak Cryptography Protection

In 2018, Prevoty added a feature that performs dependency analysis of an application. Anand said that his team looked at how customers were using the feature and found that it was being used to help identify cryptographic libraries. Over time, some cryptographic libraries are identified as weaker than others, so organizations need to regularly evaluate which ones they are using.

"So what we did was we allowed customers to be able to constrain different kinds of cryptographic algorithms that can and can't be used," he said.

How It Works

Unlike other types of cyber-security technologies, RASP and Autonomous Application Protection can be injected directly into the runtime to protect an application.

Anand said that Autonomous Application Protection can plug directly into an application server. From a DevOps perspective, the Autonomous Application Protection can be instrumented from a Continuous Integration/Continuous Deployment (CI/CD) system like Jenkins and get directly integrated into the gold master that an organization deploys.

At a deeper technical level, Anand explained that the process that Imperva uses is known as byte code instrumentation (BCI).

"The way it works is the agents at application startup will hook the class loader of the application and it'll actually do injection and byte code instrumentation into the key areas that we care about," he said.

After the BCI process, Anand said that an approach that Prevoty developed called LANGSEC (Language Theoretic Security) comes into play.

"The idea of LANGSEC is to effectively use formal grammar theory to parse payloads before they execute," Anand said.

So, for example, Anand explained that before a database query executes, the LANGSEC analysis occurs, enabling analysis and identification of potential risk. He said that the LANGSEC approach goes beyond what a pattern-based recognition system can look for, identifying more complex issues.

"LANGSEC just kind of kicks it up another level in terms of detection capabilities," Anand said. "So we actually marry the two techniques, which is language analysis plus application context."
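An added example, not Imperva's implementation, of the parse-before-execute idea described in this section: a recursive-descent parser for a deliberately small SQL grammar (assumed here) compares the structure of an assembled query with the developer's parameterised template (the application context, with `?` assumed as the placeholder), so a query whose WHERE clause gained conditions, changed literal type or acquired trailing text is flagged before it runs.

```python
import re

# Token classes for a tiny SQL subset (constructed for this example; not Imperva's grammar).
TOKEN_RE = re.compile(
    r"\s*(?:(?P<str>'(?:[^']|'')*')|(?P<num>\d+)|(?P<op>=|<>|<=|>=|<|>)"
    r"|(?P<star>\*)|(?P<word>[A-Za-z_]\w*)|(?P<other>\S))")
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}

def parse_shape(sql):
    """Parse 'SELECT (*|col) FROM table [WHERE col op literal {AND|OR ...}]' and return the
    WHERE structure; raise SyntaxError if the text is not a sentence of the grammar."""
    raw = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(sql)]
    toks = [("kw", t.upper()) if k == "word" and t.upper() in KEYWORDS else (k, t)
            for k, t in raw] + [("eof", "")]
    pos = 0
    def take(kind, text=None):
        nonlocal pos
        k, t = toks[pos]
        if k != kind or (text is not None and t != text):
            raise SyntaxError(f"expected {text or kind}, got {t!r}")
        pos += 1
        return t
    take("kw", "SELECT")
    take("star") if toks[pos][0] == "star" else take("word")
    take("kw", "FROM")
    take("word")
    shape = []
    if toks[pos] == ("kw", "WHERE"):
        pos += 1
        while True:  # condition {(AND|OR) condition}
            col, op, kind = take("word"), take("op"), toks[pos][0]
            take("str" if kind == "str" else "num")  # only a literal may follow the operator
            shape.append(f"{col} {op} {kind}")
            if toks[pos] not in (("kw", "AND"), ("kw", "OR")):
                break
            shape.append(take("kw"))
    take("eof")  # trailing text (a second clause, a comment marker) is a grammar violation
    return shape

def check_before_execute(template, value):
    """Compare the assembled query's structure with the developer's template (the application context)."""
    expected = parse_shape(template.replace("?", "0"))
    try:
        actual = parse_shape(template.replace("?", value))
    except SyntaxError as exc:
        return False, f"payload breaks the grammar: {exc}"
    if actual != expected:
        return False, f"query structure changed: {expected} -> {actual}"
    return True, "structure preserved"
```

A False result is the point at which a RASP agent would stop the call rather than letting the driver execute it; the structural comparison catches changes that a keyword or pattern match would miss.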

RASP and WAF

Imperva has a number of products and services, among them the company's Web Application Firewall (WAF) technology. A WAF typically sits in front of applications, protecting them against threats delivered over the network. RASP technology, on the other hand, is integrated inside the application code. Anand sees an opportunity for organizations to use both approaches to help mitigate risk.

"A vision that we have is a converged one where we converge application and data security together," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
