Companies looking to protect their Web applications from SQL injection attacks typically install a firewall in learning mode and train it to recognize attacks. It's not a perfect solution, but it's been the best available.
But now Dublin-based vendor Waratek claims to have completely solved the problem with a cutting-edge approach that Gartner calls Runtime Application Self-Protection.
"Initially, we were pretty skeptical," said Eoin Keary, founder of BCC Risk Advisory, also based in Ireland.
Keary has been a global board member of the Open Web Application Security Project for five years and wrote the OWASP Code Review Guide.
"My company was asked by Waratek to assess their solution and try to break the software," he said. "We break software very well. We used very advanced contractors, attack vectors to bypass firewalls, the types of attack vectors used by very advanced exploitation attempts."
These attempts to break the Waratek protection failed.
"Overall, it did appear to work -- which is very surprising to us," Keary said.
Waratek takes a very unusual approach to protecting web applications from SQL injections, skipping whitelisting and blacklisting altogether.
According to Gartner, fewer than 1 percent of Web and cloud applications use this self-protecting technology today, but the research firm predicts that this number will grow to 25 percent by 2020.
The way Waratek's implementation works is that it sits inside the Java Runtime Environment and watches the application to see what it's going to do with received data.
"All the existing applications only see half of that," said Waratek CEO Brian Maccaba. "They don't know for certain what the data stream is going to do, which leads to high levels of inaccuracy."
By eliminating the gigabytes of false-positive logs, the self-protection approach saves security administrators a great deal of time and allows more legitimate traffic to get through.
"Blocking legitimate traffic is pretty much a career-terminating event," said BCC's Keary.
By moving the protection to the application itself, the attack surface is also reduced, Maccaba added.
"That's why we've been able to achieve 100 percent accuracy in every test we've conducted," he said. Those include not just the BCC Risk Advisory testing, but also tests by Deutsche Bank, a Waratek customer.
In addition to blocking the SQL injection attack, the application also collects forensics information, such as the exact character sequence that compromised the SQL query, the remote IP address, login, session ID and cookie data of the attacker, and the URL path under attack.
Waratek's SQL injection protection can be used during the development cycle, to test applications while they are being written. But it can also be installed around existing applications, without touching any of their code.
Today, it only works on applications that can run inside Java Virtual Machines, which is mainly Java but also a number of other languages, such as JPython and JRuby.
"In the future, we plan to apply the technology to .Net, which is similar to JVM," Maccaba said. "And the footprint of Java and .Net combined on the server side is about 90 percent for server-side applications."