Instrumentation Recognized by NEW NIST Standards
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is relatively new. After President Obama signed an executive order mandating the creation of such a standard in February 2013, a task force worked methodically over the next year before releasing version 1.0 in February 2014. But NIST standards were never intended to be static. Rather, they are designed to adapt to advances in technology and the evolution of the threat landscape. As a result, updates are always in process. Version 1.1 was released in 2018, and the agency is drafting a new round of revisions in 2020.
These revisions contain two new standards of interest to developers and application security (AppSec) teams. Specifically, a new draft Special Publication, NIST SP 800-53 Revision 5, has the following new requirements:
- SA-11(9), which covers Interactive Application Security Testing (IAST; page 271)
- SI-7(17), which covers Runtime Application Self-Protection (RASP; page 339)
While organizations seek to secure their applications and address compliance, two notable quotes appear directly in these two NIST 800-53 standards:
- Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
- Implement [Assignment: organization-defined controls] for application self-protection at runtime.
The addition of these requirements by NIST is a recognition that security instrumentation is critical to assessing the security risk of specific software vulnerabilities. Additionally, instrumentation empowers developers to build and release secured applications that are protected from errors or malicious activity—all while removing code halt delays for manual line-by-line security testing. This, of course, increases the speed and volume of release cycles. Overall, an AppSec approach using instrumentation makes applications more resilient to cyberattacks, limits the damage that attacks can inflict, and protects the security and privacy of sensitive information.
IAST solutions have proven their value for organizations looking to:
- Detect vulnerabilities with instrumentation to observe applications as they run during testing
- Use application runtime instrumentation to assess the security of code, user interaction, libraries, frameworks, backend connections, and configurations
- Identify a broad range of potential vulnerabilities and confirm control effectiveness
- Perform continuous and real-time application security assessment throughout the software development life cycle
RASP technology has enabled companies to:
- Detect and block the exploitation of software vulnerabilities
- Differentiate attack attempts (probes) from attacks that can impact applications—unlike perimeter-based web application firewalls (WAFs)
- Reduce attacks by monitoring application inputs and blocking inputs that could allow attacks
- Protect the application runtime environment from unwanted changes and tampering
- Prevent exploitation and take other actions (alerts, containment, terminations)
- Improve agility with deployment options of monitor and protection modes
NIST As Influencer for other standards
The NIST Cybersecurity Framework is quickly becoming the default standard used in the public and private sectors in the United States. All U.S. federal government agencies are now mandated to comply with NIST, and many state, local, territorial, and tribal governments have followed suit. In the private sector, it is projected that 50% of U.S. organizations will be following the NIST framework by the end of this year.
Partly as a result of this wide adoption, these new NIST requirements will be very influential as a baseline for other industry security standards. As a result, organizations that rely on other standards such as the North American Electric Reliability Corporation (NERC), the Federal Information Security Management Act of 2002 (FISMA), or the Federal Risk and Authorization Management Program (FedRAMP) can expect those frameworks to add IAST and RASP requirements in the near future. Fortunately, companies that must comply with Payment Card Industry (PCI) standards may have a head start, as both the Data Security Standard (PCI DSS) and the new Software Security Framework (PCI SSF) already discuss both IAST and RASP instrumentation.
Security Instrumentation Provides DevOps-Native Protection
Notably, the new NIST 800-53 guidelines point to security instrumentation because of its DevOps-native ability to detect vulnerabilities and to differentiate attacks from unsuccessful attack attempts. At the same time, instrumentation helps identify the exact moment an attack can impact code and application reliability, helping AppSec teams to prioritize response. Without it, AppSec teams can quickly be overwhelmed by alert noise generated by the 500 cyber threats that emerge every minute, missing damaging attacks while combing through false positives and low-risk alerts.
Using NIST-recommended instrumentation, IAST performs continuous and real-time application security assessment while RASP adds defense-in-depth protection beyond the limited visibility of Layer 7 network analysis. Embedded security instrumentation in the runtime understands and sees context, assesses security impacts, and determines when or if an attack can even impact the underlying system by distinguishing probes from exploits. This significantly reduces both false positives and false negatives—thereby reducing alert noise, operations team fatigue, and staff time spent dealing with security issues.
Contrast Security and NIST-Compliant Modern Instrumented AppSec
These new standards are a recognition that legacy AppSec tools and processes are simply not getting the job done in today’s fast-moving threat landscape. Alert noise threatens to hamper the remediation of truly risky vulnerabilities, while slow, line-by-line approaches to vulnerability scanning can significantly lengthen time to market. Now that NIST has provided guidance through its revised 800-53 standards, organizations should adopt them as soon as possible.
Contrast Security specializes in instrumentation-based IAST and RASP solutions, as well as an instrument-based open-source security (OSS) third-party library assessment. This provides for a complete and unified, instrumented AppSec platform. Instrumentation-based AppSec replaces traditional “team-and-tool-soup” guesswork with accurate, transparent, and DevOps-native security. This security extends across the entire application attack surface—and the full software development life cycle—so teams can produce more secure code with accelerated speed and agility.
As a single instrumented platform offering or as separate instrumented solutions, NIST-compliant Contrast solutions save security and DevOps teams significant time by speeding up the rollout of software releases due to embedded and integrated security instrumentation. This enables development teams to:
- Automate vulnerability identification and risk assessments
- Automate runtime verification of developer remediation
- Eradicate developer backlogs with deferred application remediation and production application protection options
- Avoid all time-consuming, cross-team orchestrations and disruptions
Development teams simply do not have the bandwidth to gain deep security expertise or manage security-related workflows while also performing the accelerated continuous integration/continuous deployment (CI/CD) that they are paid to do. As a result, instrumentation-based security unleashes developer productivity by:
- Enabling developers to manage vulnerabilities directly within the application
- Scaling security along with applications, requiring no configuration or separate testing
- Freeing developers to focus on core functions, requirements, and business growth
Implementing the new NIST 800-53 requirements for IAST and RASP technology can certainly help an organization’s compliance audits to go well. But the benefits go far beyond compliance. Developers will be empowered to work efficiently, meet aggressive timelines, and deliver secure applications in production. AppSec teams will be less overwhelmed by alert noise and freed up to focus on vulnerabilities that actually pose risk to their organization.