Stretch Right With Threat Stack Application Security Monitoring

In our last post, we explored how Threat Stack’s Application Security Monitoring embeds security in development processes — without negatively impacting agility or speed of application development and deployment. Empowering developers to proactively address software risk is central to organizations that “stretch left” to build security into their entire software development and deployment lifecycle. But even with the best security awareness, testing, and early problem identification and mitigation, some risk may always sneak by and make it into a running application. 

One recent report found that 100 percent of web applications tested displayed at least one application vulnerability. They may not all be the most critical vulnerabilities, and they may never be successfully exploited by attackers, but they’re always out there lurking. Armed with this knowledge, attackers are constantly probing web applications, searching for weaknesses that will give them the access they need to carry out an attack. In addition to the development-time risk identification and remediation guidance that Threat Stack AppSec Monitoring provides, it can also detect and block these real-time attacks at runtime. 

Threat Stack AppSec Monitoring offers runtime protection with four elements: Detect, Block, Notify, and Guide. In combination, these four elements give users the ability to discover attacks, prevent them from being carried out (preventing data breaches and other problems), and feed the DevSecOps workflow with the context that developers need in order to build in security that can help prevent future attacks.

Detect

More than 60 percent of the top web attacks are centered on basic XSS and SQL Injection attacks. While these are relatively simple and well understood, they continue to be favorites of attackers. Threat Stack AppSec Monitoring can detect these attacks by examining the payload that comes into the application from the web. The payload is simply the data part of an application request — it could be the field names and values in a web page form submission, or name/value pairs in an API call. We analyze the payload from within the running application to check whether it contains code that we can identify as being potentially malicious. This check is based on our own analyzer comparing the payload to well known attack signatures — currently more than 2,000 of them! Think of it as a security checkpoint inside an airport where guards examine the contents of travellers’ luggage to search for potentially dangerous items like guns or explosives. We look inside the payload for potentially dangerous items like SQL or noSQL injection strings or XSS code. Unlike airport security, however, our check is extremely fast!

Block

Users can run Threat Stack AppSec Monitoring in one of two modes: Detect only or Self-protect. Self-protect mode is the best option for real-time defense. In this mode, any request with a malicious payload is stopped immediately — just like the airport security agent finding a weapon and denying entry to the airport. The application  halts further execution of that individual request, and the attack is terminated. In Detect only mode, any malicious payloads identified are flagged and communicated to the users (see the next element, Notify), but the request is allowed to execute. This may be helpful when you’re running automated tests during development when it’s helpful to know that a simulated attack was successfully detected, but you still want to let the test continue.

Notify

Once an attack is detected and blocked, you need to be made aware of it so you can take steps to either mitigate damage or reduce the risk of future attacks. Threat Stack AppSec Monitoring delivers information about attacks in the web portal in a clear timeline format. But we know that not every member of every team will be logging into the Threat Stack portal, so we bring the essential information about the attack to you with ChatOps integration, allowing Slack, Google, or other chat tools to deliver information to the team. Attack notifications include the actual malicious payload contents, the attacker’s IP address, the URL and request method that was targeted, along with other essential information.