How Data Theorem Brings Full-Stack Security to Multi-Platform Web Apps

eWEEK PRODUCT TEST AND REVIEW: As more and more enterprises move to the DevOps model to accelerate the development of software, many are finding that application security is often an afterthought. Data Theorem aims to bring visibility, control, and security to cloud applications.

Data.Theorem.door

Many enterprises are going through the throws of digital transformation to expedite their movement into the cloud. However, with transformation comes challenges, namely in the form of reengineering applications that are not only efficient, but also secure. Palo Alto-based Data Theorem aims to proactively secure enterprise applications with its suite of products that potentially redefine what enterprise security is all about.

The Data Theorem approach

Data Theorem is taking a different approach to the cybersecurity problem and has created an integrated suite of services that bring automated security to the full application stack. The company took a long, hard look at the types of cyber issues many enterprises are facing today and discovered several inconvenient truths. For example, research revealed that 73% of enterprises are currently unable to remediate cloud-native application issues. What’s more, research reveals that it can take businesses as long as six months to detect a data breach. Simply put, those two statistics can spell big trouble for today's enterprise, translating into a sobering conclusion in which a business can take far too long to discover a data breach and then is ill-equipped to remediate the issues that led to the breach itself.

Many enterprises are attempting to deal with those application security issues with multiple tools, dedicated staffers, and numerous intelligence sources, yet are still failing to keep critical applications and the associated data secure. Data Theorem dived into solving those problems by creating a platform of security tools that leverage automation, along with continuous validation and protection, which is offered as software as a service (SaaS).

The company’s full-stack application security solution offers security teams automated analysis and testing of modern applications, along with the associated APIs, cloud services, web frameworks, microservices, containers and so on. Ultimately, Data Theorem’s combination of automation, vulnerability scanning, application security testing and the ability to look at the full stack brings new meaning to the term web application security testing (appsec).

*Data Theorem offers intuitive dashboards that organize information into actionable data

A closer look at Data Theorem components     

Data Theorem offers multiple products / services which span the complete threat surface of current applications. The three primary service offerings are Mobile Secure, API Secure and Web Secure. As indicated by the names, each one of those services offers a setup of tools that are designed to address the security issues of its namesake.

Mobile Secure is designed to address the numerous security issues presented by devices and applications that fit into the moniker of “mobile devices,” a broad category that not only involves Android and iOS applications, but also the underlying technology and API services used by those devices--hence the concept of full-stack protection.

Data.Theorem.graphic

Basically, Mobile Secure analyzes and secures modern applications to prevent data breaches using automation, along with machine intelligence to lessen the burden on both developers and the cybersecurity professionals that work in an organization. Using Mobile Secure is surprisingly straightforward and basically starts with uploading subject applications into Data Theorem’s Analyzer Engine. The analyzer examines submitted applications, checks for backend APIs, third-party SDKs and libraries and subjects the application to static and dynamic analysis without the use of jail-broken devices. This is a critical differentiator, because theoretical vulnerabilities and low-probable exploits often waste time of development teams and hamper DevSecOps efforts.

Mobile Secure can directly look at binaries in App Stores, or users can manually upload applications, or even further automate application analysis via scripts that can integrate with Jenkins or other CI/CD pipeline management tools. In other words, Mobile Secure can be integrated directly into a build pipeline, bringing much-needed automation to the security elements of application creation and delivery.

Submitted binaries are put through an extensive set of security tests, including compliance validations, regional requirements, and numerous other checks, which can be driven by custom scripts. The analysis process is used to create alerts, remediation tips, as well as comprehensive reports that show the “health” of the submitted application. Mobile Secure also has the ability to further drive remediation by offering secure code snippets as well as other critical information, which can be delivered via Slack or other team communications applications.

Mobile Secure eliminates much, if not all, of the manual work that was expected by developers to secure mobile applications, allowing them to integrate full-stack security directly into the build lifecycle. What’s more, the service offers instant results on policy violations, compliance issues, or even fraudulent applications listed in third-party app stores.

API Secure, as the name implies, is a service that identifies potential attack surfaces that are created by APIs. The service scans for APIs, attempts to hack those APIs, and also discovers shadow APIs across an enterprise. Identifying and securing APIs has become one of the most critical steps for proper cybersecurity hygiene, especially since today’s applications can use hundreds of different APIs, some of which may be specific to particular endpoints, or unintentionally introduced during the installation of new SDKs, open source libraries and cloud-native microservices.

API Secure is designed to be mostly hands off, meaning that the service continuously scans and inspects APIs for problems. Initially, API Secure goes through a discovery process to identify all APIs; all discovered APIs are put through an inspection process that includes a deep-dive security analysis. Once the analysis is completed, API Secure offers recommendations on how to remediate discovered vulnerabilities.

The continuous discovery process inventories all apps, APIs and gateways. Cloud assets and infrastructure elements are also discovered, as well as application building blocks. The discovery and inventory process also create asset groupings, bringing a visual element to the API ecosystem. One of the most powerful capabilities of API Secure is its ability to detect and identify shadow assets, which consist of APIs or cloud resources that IT Managers were unaware of. Shadow assets are sometimes used as the avenue to perform a breach.

API Secure brings continuous security to the subject environment and is further automated by defining security policies, which are used to check asset groups. Particular asset groups may undergo frequent updates and changes driven by application release cycles or other factors. API Secure gives the ability to define policies that check those asset groups more frequently.

API Secure does more than just detect API vulnerabilities, the service also actively exercises enforcement tests by executing injection attacks, evaluating traffic for leaky data, including PII/PFI/PHI, along with analyzing layers 4 through 7 for vulnerabilities. API Secure effectively closes many of the API “loopholes” that attackers have come to rely upon to infiltrate systems. Since API Secure is highly automated and offers continuous protection driven by policies, both developers and cybersecurity professionals can rest a little easier knowing that automated protection is available.

However, no one will be left in the dark as to what is occurring. API Secure offers alerts via Slack, can drive the remediation process via Jira, Jenkins or other workflow/pipeline tools and also can perform automatic remediation. 

Web Secure is a service that builds upon the lessons learned by securing mobile applications and APIs and is a full stack analyzer of web applications built on modern application stacks, such as JavaScript React, Angular, Vue and others modern technologies like GraphQL, which have come to be known as single page web apps (SPAs).

SPAs have become the norm for organizations leveraging cloud-native web and have increasingly become an attack surface for cyberattacks. Protecting SPAs has become increasingly complex due to the nature of how SPAs are developed, delivered and accessed. 

Hackers primarily look to compromise SPAs by focusing on flaws in authentication, authorization, encryption and availability of the target. Protecting SPAs is further complicated by the fact that there may be hundreds of embedded APIs executed on the backend microservices, containers, and other technologies used to bring functionality to the SPA. 

Web Secure, like Data Theorem’s other offerings, functions as a service to bring cybersecurity focused tools to enterprises, however Web Secure is squarely aimed at solving the numerous cyber security issues that SPAs can introduce, such as GraphQL auth exploits and misconfiguration of serverless cloud functions. What’s more, Web Secure also brings automation and advanced analysis into the application development and delivery cycle, further protecting applications. 

Getting started with Web Secure requires onboarding of applications into the service. Applications are onboarded using several different methods, which, for the most part, are automated. Web Secure also does auto-discovery of public internet services and can be integrated directly into CI/CD tools. Data Theorem also offers a secure API for authentication tokens, further helping to automate the web app onboarding process. For the most part, the discovery process is automated and SPAs are inventoried and organized into asset groups, which allow administrators to define priorities, while also having a better visualization of the connections between client code, APIs and the underlying cloud environment.

Once the web applications are onboard, the Data Theorem analyzer aggressively “attacks” the applications, APIs and other elements to determine if there are security flaws. These unique attack surface management (ASM) capabilities use various external vectors that mimic what an actual attacker may do. Behind the scenes a headless browser mimics actions, while both static and dynamic analysis is performed. The analyzer also performs additional SPA and API analysis, along with some cloud security posture management (CSPM) analysis, while also checking for compliance issues.

Analysis is automated and can accomplish in minutes what would normally take hours to do if done with human intervention. Backend APIs and cloud services are also scanned and analyzed on a continuous basis. The level of automation used by both the discovery and analysis process is impressive, reducing the burden on cybersecurity staffers as well as application developers.

Web Secure performs a full inspection of applications and associated resources, while also enforcing custom policies that can be defined by the security team. The incorporated Security Toolkits can check numerous attack vectors, such as SQL Injection, look for hard-coded credentials, cross site scripting flaws and several other issues. These attack toolkits focus on layers 4 through 7 for exploitable vulnerabilities.

Analysis and inspection are only one part of the process, the data gathered is also used to create reports, recommended actions, and create a visualization of the detected problems. The system can assign levels of urgency to detected problems, as well as automatically notify concerned parties via email, Slack, MS Teams, or other workgroup enablement tools. What’s more, integration with CI/CD tools can further automate the processes and ensure that nothing falls through the cracks.

Conclusions

Data Theorem has created services that can significantly reduce the burden that cybersecurity places on enterprises, especially those that develop applications in-house as part of the journey towards a hybrid cloud environment. The ability to integrate the tools with CI/CD and workflow systems should bring much-needed relief to those struggling to put security into DevOps and achieve practical DevSecOps. Extensive automation and continuous checking further reduces the burdens on IT, while also better securing enterprises. What’s more, Data Theorem goes a long way toward slaying the beast of compliance, with which so many enterprises have come to struggle.

Data Theorem brings forth critical capabilities that are sorely needed as enterprises push further into the cloud and strive for competitive edges. The company earns high marks for its suite of services and the ease of integration, automation, discovery, analysis, and remediation capabilities offered. 

Reviewer Ratings: (Scale of 0 through 5)

Automation Capabilities: 5 out of 5

Discovery Process: 4.5 out of 5 

Ease of Integration: 4 out of 5

Analytics: 5 out of 5

Remediation: 4.5 out of 5  

--------------------------------------------------------

Frank Ohlhorst is a veteran IT product reviewer and analyst who has been an eWEEK regular for many years.