Periodic Reporting for period 2 - HDIV (HDIV: SELF-PROTECTED WEB APPLICATIONS)
Periodo di rendicontazione: 2016-11-01 al 2017-10-31
The main objective of HDIV project has been the introduction into the worldwide market of the HDIV product suite, a set of web application security products based on the first worldwide demonstrated technology aimed at creating self-protected web applications and web services rather than securing them. This technology now contributes towards solving the important threats based on web application weaknesses faced by the cyber security field, eliminating or mitigating web security risks by design. The following objectives have been achieved:
•To increase the protection and cyber resilience of critical infrastructures against web application based cyber-attacks, protecting them against 7 out of the top 10 current threats faced in the Critical Infrastructure area (including the two main threats).
•To contribute to a more secure Internet and information society, by raising the protection against cyber-attacks based on web application vulnerabilities to levels never achieved before. HDIV repeals 90% of the top 10 critical web risks defined by OWASP , increasing the protection level from 25% to 45% in comparison with the current most advanced technologies in web application security and solving other limitations present in these existing solutions.
•To provide a flexible, automatic, simple, portable and cost effective web application protection. Apart from the effectiveness of the tool, there are other characteristics of HDIV which makes it a unique product to resolve web security risks:
-Highly flexible solution which can be applied during the application development phase or once the applications have been developed (and it is therefore valid for existing web applications or for new ones).
-Fully automatic solution providing automatic protection functionalities both during the web application development and also once the applications are running (there is no need for any intervention from the end user).
-Simplifies and improves the performance of current web security approaches that are usually based on the integration of a firewall (WAF solutions- comprised of hardware + software) and software (RASP, and AST tools). HDIV integrates both approaches into a software solution (all in one) simplifying the purchase, implementation and operation of the security solution.
-It makes web security portable: The application of HDIV in the web application development phase makes it to be integrated within the resulting web application, making the solution fully portable and suitable also for cloud deployments.
-Cost effective solution: The solution will be more affordable than current competing solutions, with savings of up to 60% depending on the chosen product type and configuration.
•To make web protection universal: HDIV is applicable to any web application, belonging to critical infrastructures, to large or small companies of any sector, to private web applications and blogs, mobile applications, Internet of Things etc.
Thanks to this project we have created a new company, Hdiv Securuty, focused 100% on the Hdiv products portfolio, generating a great interest of leader investors such and gaining traction in the market with significant customers. After the execution and the market test performed during the project we can assure that Hdiv Security has a great position in the market and can fill the gaps that we defined in the beginning of the project. Thanks to our collaboration with Gartner, we have confirmed that Hdiv solution covers the gaps confirmed by Gartner within AST and WAF categories, covering business logic flaws protection without learning processes and integrated within the SDLC.
•To increase the protection and cyber resilience of critical infrastructures against web application based cyber-attacks, protecting them against 7 out of the top 10 current threats faced in the Critical Infrastructure area (including the two main threats).
•To contribute to a more secure Internet and information society, by raising the protection against cyber-attacks based on web application vulnerabilities to levels never achieved before. HDIV repeals 90% of the top 10 critical web risks defined by OWASP , increasing the protection level from 25% to 45% in comparison with the current most advanced technologies in web application security and solving other limitations present in these existing solutions.
•To provide a flexible, automatic, simple, portable and cost effective web application protection. Apart from the effectiveness of the tool, there are other characteristics of HDIV which makes it a unique product to resolve web security risks:
-Highly flexible solution which can be applied during the application development phase or once the applications have been developed (and it is therefore valid for existing web applications or for new ones).
-Fully automatic solution providing automatic protection functionalities both during the web application development and also once the applications are running (there is no need for any intervention from the end user).
-Simplifies and improves the performance of current web security approaches that are usually based on the integration of a firewall (WAF solutions- comprised of hardware + software) and software (RASP, and AST tools). HDIV integrates both approaches into a software solution (all in one) simplifying the purchase, implementation and operation of the security solution.
-It makes web security portable: The application of HDIV in the web application development phase makes it to be integrated within the resulting web application, making the solution fully portable and suitable also for cloud deployments.
-Cost effective solution: The solution will be more affordable than current competing solutions, with savings of up to 60% depending on the chosen product type and configuration.
•To make web protection universal: HDIV is applicable to any web application, belonging to critical infrastructures, to large or small companies of any sector, to private web applications and blogs, mobile applications, Internet of Things etc.
Thanks to this project we have created a new company, Hdiv Securuty, focused 100% on the Hdiv products portfolio, generating a great interest of leader investors such and gaining traction in the market with significant customers. After the execution and the market test performed during the project we can assure that Hdiv Security has a great position in the market and can fill the gaps that we defined in the beginning of the project. Thanks to our collaboration with Gartner, we have confirmed that Hdiv solution covers the gaps confirmed by Gartner within AST and WAF categories, covering business logic flaws protection without learning processes and integrated within the SDLC.
During the project, first we have consolidated the support for Java platforms developing advanced functionalities such as the support for APIs protection, Ip Reputation, Vulnerable software detection, alerts and advanced scalability.
Secondly we have extended the support for Microsoft .NET platform, including within our portfolio detection and protection capabilities for .NET platform as well. As we did within Java platforms we have developed the same advanced functionalities.
All the products has been packaged during the project, including a cloud infrastructure composed of a SaaS web console, and support for cloud deployments for applications, including platforms such as Amazon EC2, CloudFoundry and docker containers.
Secondly we have extended the support for Microsoft .NET platform, including within our portfolio detection and protection capabilities for .NET platform as well. As we did within Java platforms we have developed the same advanced functionalities.
All the products has been packaged during the project, including a cloud infrastructure composed of a SaaS web console, and support for cloud deployments for applications, including platforms such as Amazon EC2, CloudFoundry and docker containers.
Hdiv solution covers 2 of the most important gaps in the state of the art:
•Business logic flaws protection (the other half)
There are 2 kinds of application security issues: security bugs (syntax issues) and business logic flaws or design flaws. The first one, are security syntax issues included in the code that can be detected by tools, as they are the same in any kind of environments. The second one does not follow the same pattern and they are totally different depending the domain of the application, so they can not be detected by tools and they must be detected manually during the development or within the production environment afterwards.
Hdiv protects from this kind of risks implementing an automated real-time whitelisting generation that protects from this kind of risk, without using any learning process that traditionally represents high implementation cost and false positives.
•Adaptability to new technologies
Other important trend that we had considered is the new ways to develop applications. During the past 5 years and regarding web applications, we have moved from a server side approach where the HTML is generated at server side, to a client side architecture where the server side is limited to generate data and is the client side which renders the screen at client side.
This programming architecture change has represented a huge challenge to WAF solutions that work externally from the applications that try to understand the legal behaviour of the applications analysing the generated HTML. In the new architectural model, there is not HTML generated from the server side anymore and many WAFs solutions do not know how to manage this new scenario. In addition, the deployment architectures have changed dramatically, moving clearly to a cloud infrastructure where traditional appliance based (hardware) or in the best case virtual machines do not work properly.
Hdiv is able to integrate within the technology used to developed APIs, understanding the context and source of each piece of data, implementing the necessary validations to protect APIs.
Besides the technical improvement which HDIV has brought it is also important to underscore the wider impact that cybersecurity brings to society. Solutions like ours facilitate the exchange of critical data through the web and facilitate the uptake of the digital society. As an example, during the project we have collaborated with different enterprise and organization such as government and retail organizations implementing our solution, and they have been able to protect more thousands of applications during the project. This was a critical area for their business, and therefore, HDIV is now a market ready solution. The new company founded thanks to the project counts with interesting metrics already and will expand their activities with new rounds of investment in the short-term
•Business logic flaws protection (the other half)
There are 2 kinds of application security issues: security bugs (syntax issues) and business logic flaws or design flaws. The first one, are security syntax issues included in the code that can be detected by tools, as they are the same in any kind of environments. The second one does not follow the same pattern and they are totally different depending the domain of the application, so they can not be detected by tools and they must be detected manually during the development or within the production environment afterwards.
Hdiv protects from this kind of risks implementing an automated real-time whitelisting generation that protects from this kind of risk, without using any learning process that traditionally represents high implementation cost and false positives.
•Adaptability to new technologies
Other important trend that we had considered is the new ways to develop applications. During the past 5 years and regarding web applications, we have moved from a server side approach where the HTML is generated at server side, to a client side architecture where the server side is limited to generate data and is the client side which renders the screen at client side.
This programming architecture change has represented a huge challenge to WAF solutions that work externally from the applications that try to understand the legal behaviour of the applications analysing the generated HTML. In the new architectural model, there is not HTML generated from the server side anymore and many WAFs solutions do not know how to manage this new scenario. In addition, the deployment architectures have changed dramatically, moving clearly to a cloud infrastructure where traditional appliance based (hardware) or in the best case virtual machines do not work properly.
Hdiv is able to integrate within the technology used to developed APIs, understanding the context and source of each piece of data, implementing the necessary validations to protect APIs.
Besides the technical improvement which HDIV has brought it is also important to underscore the wider impact that cybersecurity brings to society. Solutions like ours facilitate the exchange of critical data through the web and facilitate the uptake of the digital society. As an example, during the project we have collaborated with different enterprise and organization such as government and retail organizations implementing our solution, and they have been able to protect more thousands of applications during the project. This was a critical area for their business, and therefore, HDIV is now a market ready solution. The new company founded thanks to the project counts with interesting metrics already and will expand their activities with new rounds of investment in the short-term