Serverless Security
Demo: A Guide to Virtual Machine App Security
Enhance your virtual machine (VM) application security from vulnerabilities in your Spring Framework (Java) application by reviewing these guidelines.
It may seem like containers are the go-to method for cloud building, however 95% applications run on traditional infrastructure deployments like dedicated servers, shared hosting, and virtual machines (VMs). While Gartner has predicted that by 2022 15% of organizations will be using containers, that still leaves 85% continuing to run many applications and services as server-based deployments. Servers don’t seem to be going anywhere anytime soon.
Enterprises have run legacy architectures for more than a decade while serving their growing customer base. During this time, they’ve addressed capacity constraint challenges with cloud platforms. The cloud has enabled organizations to replace physical boxes with flexible, scalable VMs on Amazon Elastic Compute Cloud (EC2), Google Compute Engine™ (GCE), and others.
There’s value in continuing these well-defined development and delivery practices while deploying applications on a virtual cloud platform. It can be easier to develop and operate legacy applications on traditional architecture than it is to build them with containers without upseting your workflow.
Let’s explore how to ensure your VM applications are secure by protecting a sample Spring Framework (Java) application with Trend Micro Cloud One™ – Application Security.
Application Security Challenges
Compliance requirements often drive application security. But unfortunately, sometimes compliance is an afterthought. This is because, predominately, security is associated with network configurations, open ports, firewalls, and patches. Technical teams do spend time in pre-production trying to find flaws in application testing before production deployments. However, what about when an application is in a runtime state? How can you easily protect your running application at runtime against common application threats and exploits? When these complex questions go unanswered, compliance requirements fall by the wayside, leaving developers responsible to fix the app as quickly as possible.
Practitioners who have faced these challenges created the Open Web Application Security Project (OWASP) Top Ten. According to OWASP, it represents “a broad consensus about the most critical security risks to web applications” and serves as a guideline for building secure applications. The vulnerabilities on the list often remain undetected, since they can be difficult pinpoint and find. These vulnerabilities remain an operations challenge until a developer patches the vulnerability and releases the patched version in production.
Trend Micro helps with Application Security, a runtime application self-protection (RASP) solution for application behavior analysis and protection. We’ll demonstrate how we can protect our applications against adverse events using RASP.
Deploy Application
We’re going to build and deploy the Vulnerable-Directory application, which is developed using Java’s Spring Boot framework and an H2 database. It offers a directory search operation.
We can deploy this application to any cloud VM we’d like. In this tutorial, we’ll assume you already have (or intend to set up) a VM where you’ll deploy the sample application.
We’ll start by downloading the app from GitHub.
git clone https://github.com/rahul0208/vulnerable-directory
cd vulnerable-directory
The application is packaged with Maven Wrapper, so we can build it using the following command:
./mvnw clean install
After the build is complete, let’s run the application from the target directory using the Java command:
java -jar target/directory-0.0.1-SNAPSHOT.jar
This command binds the application on port 8080, so we can access the application using our browser, at http://localhost:8080/. We can deploy the same application on various server platforms like EC2, DigitalOcean, and Google Cloud Platform™.
SQL Injection
SQL injection takes advantage of a vulnerability in an application's database layer. An adversary can use this attack to read data that isn’t accessible under normal operations. A SQL injection can cause:
- Loss of user credentials, like usernames and passwords
- Loss of financial information, like credit card numbers, transaction details, and more
- Modification or deletion of data with non-trackable changes
- Reputational damage
- Regulatory fines
Note that SQL injection isn’t caused by database infrastructure. Rather, it’s caused by overlooked practices in application database integration.
Searching the zip code 21230 in the Vulnerable-Directory application results in the following output:
The application lists only records matching the zip code. Therefore, searching the zip code 20100 results in no records.
Let’s now try an SQL injection. Search for: 20100' or '1' = '1. Note the 1=1 statement always evaluates as true. The true clause causes the database to ignore the user-specified zip code. As a result, all information displays:
Yikes. Look at all the available information that’s supposed to be protected.
Introducing Trend Micro Cloud One™ – Application Security
You can fix vulnerabilities like the one in our sample application by deploying adequate code fixes. However, when an application is already under attack, you don’t have enough time to deploy these fixes.
Thankfully, Application Security can automatically guard against these vulnerabilities. The solution detects, alerts, and prevents any exploits in the application until a fix is available.
Let’s walk through how to deploy our RASP solution with minimal changes to your application. To do this, you need a free Trend Micro Cloud One™ account. After logging in, you’ll see all seven security services available on the platform. For this demo, we’ll use the Application Security dashboard.
The Application Security dashboard enables us to configure security guidelines. That is, policies in logical units called groups. Each group is associated with an API key and an API secret. These can enforce an application's group-attached security policies.
We’ll need to create a group that the deployed application will use. After creating the group, we’ll find the required credentials in the configuration view.
The group policy dashboard lists all enabled policies. Each of these enabled policies is in one of the following two modes:
- Report: Application Security detects and alerts all policy violations
- Mitigate: Application Security detects, alerts, and blocks all policy violations
Each policy is configured with a default ruleset. The policy dashboard provides capabilities to update the policy rulesets. To avoid false alerts, we’ll update a policy rule set to allow intended invocations of the respective policy.
Enable Security
Application Security non-intrusively protects Java applications. We can add its Java agent to the deployed application start command. The agent uses Java Instrumentation to capture application invocations, analyze arguments like SQL statements and file locations, and perform necessary actions.
java -javaagent:./trend_app_protect-4.3.5.jar -
Dcom.trend.app_protect.config.file=./trend_app_protect.properties -jar
provider-search-0.0.1-SNAPSHOT.jar
[TREND APP PROTECT] Loading config from
file:/home/ubuntu/./trend_app_protect.properties
Additionally, we need to configure the agent with Application Security group credentials. We’ll do this by creating a properties file with the following details, then passing its location in the com.trend.app_protect.config.file JVM parameter.
key = YOUR_KEY
secret = YOUR_SECRET
Capture Vulnerabilities
The updated application doesn’t change its intended behavior. We can search for zip code without any change in results.
We’ll perform the SQL injection using: 20100' or '1' = '1. The operation will still succeed, but Application Security captures the exploit and raises alerts in the dashboard. It captures detailed information with every event, like the SQL statement, time, and client IP.
We can block all attacks by updating the policy configuration to "Mitigate" mode. We can toggle this mode from the group policy configuration page. After the mode change, the search operation results in the following output:
We can also customize the blocked message from the policies settings page.
Next Steps
A large percentage of enterprise applications run on legacy architecture, such as virtual machines, therefore application security is often an afterthought.
To protect enterprises, their users, and sensitive client information, applications need to identify and block vulnerabilities for developers to fix. Application Security automatically detects, alerts, and blocks these application vulnerabilities.
To learn more about how Application Security helps catch unexpected security issues, try it for free and check out the documentation.
