Project ID: 696973

Periodic Reporting for period 1 - HDIV (HDIV: SELF-PROTECTED WEB APPLICATIONS)

Reporting period: 2015-11-01 to 2016-10-31

Summary of the context and overall objectives of the project

The main objective of HDIV project is to accelerate the introduction into the worldwide market of the HDIV product suite, a set of web application security products based on the first worldwide demonstrated technology aimed at creating self-protected web applications and web services rather than securing them. This technology will contribute towards solving the important threats based on web application weaknesses faced by the cyber security field, eliminating or mitigating web security risks by design.

The introduction into the market of HDIV will lead to the achievement of the following SPECIFIC OBJECTIVES:
• To increase the protection and cyber resilience of critical infrastructures against web application based cyber-attacks, protecting them against 7 out of the top 10 current threats faced in the Critical Infrastructure area (including the two main threats).
• To contribute to a more secure Internet and information society, by raising the protection against cyber-attacks based on web application vulnerabilities to levels never achieved before. The massive introduction into the market of HDIV will be an important step in completely protecting web applications from cyber-attacks. HDIV will repel 90% of the top 10 critical web risks defined by OWASP, increasing the protection level from 25% to 45% in comparison with the current most advanced technologies in web application security and solving other limitations present in these existing solutions.
• To provide a flexible, automatic, simple, portable and cost effective web application protection. Apart from the effectiveness of the tool (higher security levels provided), there are other characteristics of HDIV which make it a unique product to resolve web security risks:
o It is a highly flexible solution which can be applied during the application development phase or once the applications have been developed (and it is therefore valid for existing web applications or for new ones).
o It is a fully automatic solution providing automatic protection functionalities both during the web application development and also once the applications are running (there is no need for any intervention from the end user).
o It will simplify and improve the performance of current web security approaches, which are usually based on the integration of a firewall (WAF solutions, comprised of hardware + software) and software (RASP and AST tools). HDIV integrates both approaches into a single software solution (all in one), simplifying the purchase, implementation and operation of the security solution.
o It will make web security portable: applying HDIV in the web application development phase means it is integrated within the resulting web application, making the solution fully portable and suitable also for cloud deployments.
o It will be a cost effective solution: The solution will be more affordable than current competing solutions, with savings of up to 60% depending on the chosen product type and configuration.
• To make web protection universal: HDIV will be applicable to any web application, belonging to critical infrastructures, to large or small companies of any sector, to private web applications and blogs, mobile applications, Internet of Things etc.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

During this first year, the HDIV project has focused mainly on the following goals:
- WP1: aimed at ensuring the effective and smooth implementation of the proposed project, this work package has been centred on establishing and implementing the necessary internal project management procedures, carrying out effective technical, financial, administrative and legal management during this period, and dealing with the necessary coordination and communication with the European Commission.
- WP2: the advanced functionalities for the Java platform are already available and are currently used in production environments.
- WP3: the first version of HDIV for .NET (Task 3.1 Layer1 & Layer2) has been published, and very important advanced functionalities for .NET have been completed, such as advanced scalability, vulnerable software detection and alerts.
- WP4: finished products are already in the market, so we have packaged them, following the original plan by starting with Java and continuing with the .NET platform.
- WP5: the advisory board pilots have been running since almost the beginning of the project (Java), and we have added the .NET deliverables afterwards. The massive validation has been started using the web site trial requirements.
- WP6: this work package is centred mainly on dissemination events. The most relevant ones are: Cybercamp 2015, Spring I/O 2016, ENISE 2015 and content generation for social networks.

Moreover, ARIMA-HDIV SECURITY has detected significant interest in compliance aspects, particularly in the PCI DSS regulation related to payment systems.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

This industrial, economic and social problem sets the ground for an important business opportunity that HDIV SECURITY (a Spanish SME specializing in software design and software architecture) expects to take advantage of thanks to its novel technology: HDIV, the solution for self-protected web applications.

On balance, HDIV is a web security solution applicable to any web application or service, and therefore the market for HDIV is the whole web application market. Key market sectors for HDIV are those that have strong security requirements, firstly critical infrastructures (government, healthcare, banking/finance, IT infrastructures, energy suppliers, etc.), but also other sectors highly exposed to cyber security threats such as retail.

To conclude, and in order to explain the innovation level offered by HDIV, it is important to analyze the existing risks. Basically there are two kinds of security risks:
• Security bugs: they can be detected by AST tools and represent a specific issue within a file and a specific line. In other words, they follow a common pattern that is exactly the same in all clients.
• Business logic flaws or design flaws: these risks cannot be detected by tools and must be detected by manual pen-testing.

Today there is only one solution in the market that can protect from within the software development lifecycle: HDIV. It represents a huge innovation, all the more so if we take into account that it is applicable to REST-based APIs.

Furthermore, HDIV does not present the traditional issues of WAF solutions, such as false positives and high implementation cost, thanks to the integrated approach used by HDIV, which does not require learning processes and eliminates false positives through its integration within the development phase.

HDIV is the all-in-one solution integrating the best of the AST, RASP and WAF approaches in the same solution within the SDLC, and without their traditional issues.