Waratek has released an early adopter version of Waratek Application Security for Java. The product is intended to protect older Java applications from vulnerabilities in legacy versions of the Java platform.
Waratek was previously known for Java products that improve server utilisation and drive up application density, including CloudVM and Elasticat for Tomcat.
InfoQ caught up with Prateep Bandharangshi, director of client security solutions at Waratek, to find out more about their new product.
InfoQ: Security seems to be a bit of a change in direction for you, so what's motivating the new product line?
Prateep: We're doing some work with a major investment bank in London and we had to go through a security review for the virtualisation product. When we explained our existing product we realised that we can use our technology to apply security constraints and protect applications. The bank were more interested in that, so the pilot became a security project instead of consolidation.
InfoQ: Can you give some examples of the sorts of risks you can mitigate?
Prateep: The bank in question has 75% of app deployments on Java SE 5 and SE 6. Simply upgrading the JVM as a mitigation strategy doesn't happen in practice, as there are too many problems like serialized data, inadequate documentation and remediation knowledge if the migration doesn't go perfectly. Then, there's the "Apache Struts" problem, basically composition of components. Only 20% of the Java in enterprises is developed in-house. The rest of the stack is open-source or framework code, such as Apache, JBoss, Spring, etc. It doesn't matter how good your developers and code development practices are, you're still importing 80% of code you don't control. Mitigation time for these problems can be several months. This is way too slow and too much risk.
InfoQ: Can you be more specific about the vulnerabilities you can protect against?
Prateep: Waratek's Application Security provides fine-grained mandatory access control (MAC). This is a concept that comes from operating systems and security software. You lock down and deny everything that doesn't fit the rules profile. For example, many exploits work by saving the exploit code to the filesystem, and then executing it. If the JVM is prevented from calling fork() or exec(), then the attacker may be able to save the payload, but if it can't be executed, the threat is still mitigated.
InfoQ: Your press release also mentions "virtual patching". What is this, and how does it work?
Prateep: Just preventing fork() helps a little bit. But Waratek's Application Security can also prevent execution of individual methods, even via reflection. Quite often it's only a single, rarely-used method that's used in the exploit and by denying it, we can mitigate the exploit. We call this technique "virtual patching".
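Added illustration, not part of the interview and not Waratek's product code: the deny rule Prateep describes, modelled with the standard Java SecurityManager, which was the JDK's own policy hook in the Java SE 5/6 era. Runtime.exec() consults checkExec() before spawning a process, and setAccessible(true) requests ReflectPermission("suppressAccessChecks"), so a manager that refuses both blocks the "save payload, then execute it" path and the reflective route to a non-public method. The class name DenyExecPolicy and the private method legacyHelper are hypothetical, standing in for the "rarely used method" of the answer above.

```java
import java.lang.reflect.Method;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
import java.util.concurrent.Callable;

// Added illustration, not Waratek's implementation: a SecurityManager that denies
// process execution outright and blocks reflective access-check suppression.
public class DenyExecPolicy extends SecurityManager {

    @Override
    public void checkExec(String cmd) {
        // Called by Runtime.exec()/ProcessBuilder.start() before any process is spawned.
        throw new SecurityException("process execution denied by policy: " + cmd);
    }

    @Override
    public void checkPermission(Permission perm) {
        // setAccessible(true) requests ReflectPermission("suppressAccessChecks");
        // denying it closes the usual reflective route to non-public methods.
        if (perm instanceof ReflectPermission
                && "suppressAccessChecks".equals(perm.getName())) {
            throw new SecurityException("reflective access-check suppression denied");
        }
        // Everything else is permitted in this illustration. A real deny-by-default
        // (MAC) profile would invert this and enumerate only what is allowed.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    // Hypothetical non-public method, standing in for the "rarely used" method
    // an exploit would reach through reflection.
    private static String legacyHelper() {
        return "legacyHelper ran";
    }

    // Runs an action and reports whether the policy blocked it.
    static boolean blocked(String label, Callable<Object> action) {
        try {
            action.call();
            System.out.println(label + ": allowed");
            return false;
        } catch (SecurityException e) {
            System.out.println(label + ": blocked (" + e.getMessage() + ")");
            return true;
        } catch (Exception e) {
            System.out.println(label + ": failed for another reason: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        // Java 18 and later require -Djava.security.manager=allow for this call.
        System.setSecurityManager(new DenyExecPolicy());

        // Denied: spawning a process, whatever the command.
        blocked("Runtime.exec", () -> Runtime.getRuntime().exec("/bin/true"));

        // Denied: reflective access to the non-public method.
        blocked("reflective setAccessible", () -> {
            Method m = DenyExecPolicy.class.getDeclaredMethod("legacyHelper");
            m.setAccessible(true);   // triggers the ReflectPermission check
            return m.invoke(null);
        });

        // Ordinary in-policy work is unaffected (PropertyPermission passes through).
        blocked("read java.version property", () -> System.getProperty("java.version"));
    }
}
```

Compile and run with javac DenyExecPolicy.java && java DenyExecPolicy; on Java 18 and later add -Djava.security.manager=allow, because JEP 411 deprecated the SecurityManager for removal. The difference from what the interview describes is where the rule lives: this manager is library-level code the application itself installs, whereas Waratek enforces the rule inside the JVM, so it needs no application change and can cover methods the SecurityManager never sees.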
InfoQ: What other features do you support?
Prateep: SQL Injection is the number one request we've had from customers. Next, we bring the concept of "tainting" to the JVM. This is the feature found in some languages (such as Perl and Ruby) to track data that has come from the user and is potentially hostile. We do this in such a way that users would not need to change application code. Instead, we use additional metadata inside the JVM & JIT compiler.
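Added illustration, not from the interview and not Waratek's code: the "tainting" idea Prateep describes, done explicitly at the library level so the propagation rule and the sink check are visible. Waratek keeps the flag as JVM/JIT metadata so application code does not change; here a wrapper class carries it. A value read from the user starts tainted, concatenation propagates the flag, only a strict validator clears it, and a raw-SQL sink refuses tainted text while a parameterised sink binds it safely. The class names Tainted and TaintDemo, the ACCOUNT_ID grammar and the sample input are all constructed for this example.

```java
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not Waratek's implementation: explicit taint tracking
// with a SQL sink that rejects query text still carrying taint.
public class TaintDemo {

    /** A string paired with a flag recording whether it derives from user input. */
    static final class Tainted {
        final String value;
        final boolean tainted;

        private Tainted(String value, boolean tainted) {
            this.value = value;
            this.tainted = tainted;
        }

        /** Data read from the user (request parameter, form field) starts tainted. */
        static Tainted fromUser(String s) { return new Tainted(s, true); }

        /** Program literals and values the application generated itself are clean. */
        static Tainted trusted(String s) { return new Tainted(s, false); }

        /** Taint propagates through concatenation: either side tainted, result tainted. */
        Tainted concat(Tainted other) {
            return new Tainted(value + other.value, tainted || other.tainted);
        }

        /** A strict validator is the only way to clear taint; non-matching input is rejected. */
        Tainted validatedAs(Pattern grammar) {
            if (!grammar.matcher(value).matches()) {
                throw new IllegalArgumentException("input rejected by validator: " + value);
            }
            return new Tainted(value, false);
        }
    }

    // Constructed grammar for an account id: digits only.
    static final Pattern ACCOUNT_ID = Pattern.compile("[0-9]{1,10}");

    /** Sink for raw SQL text: refuses anything that still carries taint. */
    static String executeSql(Tainted sql) {
        if (sql.tainted) {
            throw new SecurityException("tainted data reached SQL sink: " + sql.value);
        }
        return "executed: " + sql.value;
    }

    /** Sink for a parameterised query: tainted values are bound, never spliced into the text. */
    static String executePrepared(String template, List<Tainted> params) {
        StringBuilder bound = new StringBuilder();
        for (Tainted p : params) {
            bound.append('[').append(p.value).append(']');
        }
        return "prepared: " + template + " with params " + bound;
    }

    public static void main(String[] args) {
        // Constructed sample input: a textbook injection attempt typed into an id field.
        Tainted userInput = Tainted.fromUser("42 OR 1=1");
        Tainted prefix = Tainted.trusted("SELECT balance FROM accounts WHERE id = ");

        // 1. String-built query: the taint propagates and the sink refuses it.
        try {
            System.out.println(executeSql(prefix.concat(userInput)));
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // 2. Validation path: the grammar rejects the hostile value ...
        try {
            System.out.println(executeSql(prefix.concat(userInput.validatedAs(ACCOUNT_ID))));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // ... and clears the taint on a value that matches it.
        Tainted clean = Tainted.fromUser("42").validatedAs(ACCOUNT_ID);
        System.out.println(executeSql(prefix.concat(clean)));

        // 3. Parameterised query: tainted input is acceptable as a bound parameter.
        System.out.println(executePrepared("SELECT balance FROM accounts WHERE id = ?",
                Collections.singletonList(userInput)));
    }
}
```

The point the wrapper makes explicit is that the decision is taken at the sink, not at the source: the same tainted value is refused when it would become part of the query text and accepted when it is bound as a parameter. A JVM-level implementation like the one described above makes the same decision without the wrapper, because the flag travels with the string data itself.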
InfoQ: What's next on the roadmap?
Prateep: Working with our pilot customers we will be focussing on addressing the issues listed in the OWASP Top 10 and SANS Top 25.
InfoQ: Which platforms are supported? Are any others on the roadmap?
Prateep: Currently we support x86 RedHat & SUSE Linux. On the Windows front we've had some high-level discussions with customers. We're always focused on customer demand and always happy to consider a platform if customers want it.
InfoQ: Is Waratek Application Security for Java in General Availability (GA) now?
Prateep: Yes, we are working with our early adopters to understand the space completely, and add in features that security teams and operations really want, such as tainting, SQL injection protection and XSS mitigation.
InfoQ: Which versions of Java are supported? Does it use a standard Sun / Oracle Java implementation?
Prateep: Waratek is based on Oracle Hotspot and our JVM is certified to be compatible with the Java Platform. For security applications we're concentrating on Java SE 5 & 6 as that's where the most value is for our customers right now.
InfoQ: Where can developers go to find out more?
Prateep: http://www.waratek.com and we're more than happy to take questions on info@waratek.com or here in the comments section.