As companies consider their application security posture, it is critical to remember that breaches can come from both outside and inside the company and its trust boundaries. Internal threats require just as much protection as external risks.
While the Verizon 2016 Data Breach Investigations Report confirms that the most significant threats to a company is from external actors (roughly 80% in 2015), it remains critical to protect your assets from internal threats as well. Insiders and those with privileged access (such as supply chain partners) have unique admission into your system—they may purposely attack the system or collude with an outside attacker to do so, or they may accidentally provide access without any ill intentions.
One big challenge for protecting against internal threats is that an internal attacker likely has a higher level of understanding of the application they are attacking. Because the reality is that when an attack comes from inside, it may come from a developer. This insidious threat may even be because a developer purposefully left a vulnerability in the application with the plan of later exploitation.
Protection from the inside
Runtime application self-protection (RASP) is one of the best technologies to protect your applications from all threats, even from the inside. That is because it is easy to deploy across all your applications, internal and external, and it provides all the applications the same high level of protection.
Web application firewalls, for example, are limited in their ability to protect against internal threats. They are cumbersome and expensive to deploy, which means that often companies only use them to protect really high value assets, leaving others vulnerable.
Static analysis is also cumbersome and has the added challenge, in this case, of requiring input from a developer to be truly effective. Static analysis may identify the bugs in the system, but it still requires a developer to fix them.
RASP technology protects the whole system, from threats internal and external, without active developer involvement. It also protects any vulnerabilities it discovers until they can be fixed, no matter how long that may take.
There are applications within your organization available only to insiders, employees or partners on your internal network. Historically companies have not spent much time thinking about the need to protect themselves from these players. Companies that include insider threats in a complete risk profile realize the need to protect their web applications from all angles. RASP provides that protection without extra work and without casting any of your employees or partners as potential attackers.
