Comparing Effectiveness and Efficiency of Interactive Application Security Testing (Iast) and Runtime Application Self-Protection (Rasp) Tools in A Large Java-Based System

Seth, Aishwarya; Bhattacharya, Saikath; Elder, Sarah; Zahan, Nusrat; Williams, Laurie

doi:10.2139/ssrn.4306114

Cited by 2 publications

(1 citation statement)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Its utility has expanded to encompass business API security through feature matching, policy rules, parameter validation, and compliance assessments [39]. However, it is essential to recognize that WAF fundamentally functions as a traffic and content inspector, primarily focusing on input requests and employing rudimentary pattern matching to detect potentially malicious activities [40]. Regrettably, its protective efficacy often experiences limitations in terms of precision and fails to fully address the intricate business security scenarios elucidated above.…”

Section: Solutionsmentioning

confidence: 99%

Leaving the Business Security Burden to LiSEA: A Low-Intervention Security Embedding Architecture for Business APIs

Li,

Wang

et al. 2023

Applied Sciences

View full text Add to dashboard Cite

In the evolving landscape of complex business ecosystems and their digital platforms, an increasing number of business Application Programming Interfaces (APIs) are encountering challenges in ensuring optimal authorization control. This challenge arises due to factors such as programming errors, improper configurations, and sub-optimal business processes. While security departments have exhibited proficiency in identifying vulnerabilities and mitigating certain viral or adversarial incursions, the safeguarding of comprehensive business processes remains an intricate task. This paper introduces a novel paradigm, denoted as the Low-Intervention Security Embedding Architecture (LiSEA), which empowers business applications to enhance the security of their processes through judicious intervention within business APIs. By strategically incorporating pre- and post-intervention checkpoints, we devise a finely grained access control model that meticulously assesses both the intent of incoming business requests and the outcomes of corresponding responses. Importantly, these advancements are seamlessly integrated into the existing business codebase. Our implementation demonstrates the effectiveness of LiSEA, as it adeptly addresses eight out of the ten critical vulnerabilities enumerated in the OWASP API Security Top 10. Notably, when the number of threads is less than 200, LiSEA brings less than 20 msec of latency to the business process, which is significantly less than the microservice security agent based on the API gateway.

show abstract

Section: Solutionsmentioning

confidence: 99%