The National Institute of Standards and Technology (NIST) published a new edition of the Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53. This post will provide an overview of the document and highlight the application security aspects of it, in particular those concerning the IAST and RASP requirements that are part of this version.
What is the NIST 800-53?
The NIST 800-53 publication provides a collection of high-quality security guidelines to organizations looking to strengthen their position against cyber attacks. In their own words:
“[…] a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud-based systems, mobile devices, Internet of Things (IoT) devices, weapons systems, space systems, communications systems, environmental control systems, supercomputers, and industrial control systems.”
The current version of the document is Revision 5 and it was made available on September 23, 2020. This BORNSECURE blog post will focus on the application security aspects of the NIST 800-53 document and provide some actionable advice for teams considering adopting two of the new recommendations it proposes: the adoption of IAST vulnerability assessment, and RASP runtime application protection against attacks.
NIST 800-53 compliance
The NIST 800-53 publication is important because many organizations follow its recommendations when designing their security architecture, not only for practical reasons but also for compliance reasons.
In fact, organizations under the federal government umbrella must follow these directives, which means that the NIST guidelines steer the cybersecurity industry as a whole, including security vendors and private companies of all sizes and scopes.
The guidelines provide requirements, but no vendor recommendations nor specific tool endorsements.
The NIST 800-53 recommends IAST and RASP
The NIST 800-53 has specific recommendations for teams that develop and maintain applications. Two of the most relevant sets of controls from a software development point of view are the Development Testing and Evaluation section (SA-11) and the Software, Firmware, and Information Integrity section (SI-7).
The published guidelines also include requirements on tooling, and they specifically recommend that teams adopt IAST and RASP:
NIST 800-53 SA-11 Interactive Application Security Testing (p. 279)
Regarding Development Testing and Evaluation, some of the recommendations are quite general, such as the need for independent verification of the assessment plans (SA-11 requirement 1) and the need to verify that the scope of the testing is correct and adequate (SA-11 requirement 7). Other requirements concern the design process, such as the recommendation to perform attack surface analysis (SA-11 requirement 6) and threat modeling (SA-11 requirement 2).
In requirement 9 of section SA-11, NIST recommends IAST vulnerability assessment:
“Interactive (also known as instrumentation-based) application security testing is a method of detecting vulnerabilities by observing applications as they run during testing. The use of instrumentation relies on direct measurements of the actual running applications and uses access to the code, user interaction, libraries, frameworks, backend connections, and configurations to directly measure control effectiveness. When combined with analysis techniques, interactive application security testing can identify a broad range of potential vulnerabilities and confirm control effectiveness. Instrumentation-based testing works in real time and can be used continuously throughout the system development life cycle.”
NIST 800-53 SI-7 Runtime Application Self-Protection (p. 348)
The Software, Firmware, and Information Integrity set of requirements, on the other hand, concerns the protection and stability of systems. It includes requirements to monitor for and block malicious activity, as well as measures such as code signing to ensure that applications are not modified.
Section SI-7, Software, Firmware, and Information Integrity, includes a requirement to adopt Runtime Application Self-Protection (RASP):
“Runtime application self-protection employs runtime instrumentation to detect and block the exploitation of software vulnerabilities by taking advantage of information from the software in execution. Runtime exploit prevention differs from traditional perimeter-based protection such as guards and firewalls which can only detect and block attacks by using network information without contextual awareness. Runtime application self-protection technology can reduce the susceptibility of software to attacks by monitoring its inputs and blocking those inputs that could allow attacks. It can also help protect the runtime environment from unwanted changes and tampering. When a threat is detected, runtime application self-protection technology can prevent exploitation and take other actions (e.g. sending a warning message to the user, terminate the user’s session, terminating the application, or sending an alert to organizational personnel). Runtime application self-protection solutions can be deployed in either a monitor or protection mode.”
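The two NIST passages above describe the same mechanism, instrumentation at the point where the application acts on input, used in two ways: reporting findings during testing (IAST) or blocking at runtime (RASP, in monitor or protection mode). The following added example, which is not Hdiv's or NIST's code, illustrates that with a hypothetical hook on a SQLite query sink; the handler names, the taint rule and the sample data are all constructed for the illustration.

```python
import logging
import sqlite3

log = logging.getLogger("runtime-agent")

class BlockedRequest(Exception):
    """Raised in protection mode when an untrusted value reaches the sink."""

def instrumented_execute(cursor, sql, params, request_values, mode):
    """Stand-in for the hook a runtime agent installs on the database sink.

    Rule (deliberately simplified, constructed for this example): a value taken
    from the request appears verbatim in the SQL text, i.e. it was concatenated
    rather than bound. Real agents use taint tracking, not substring checks.
    The hook sees the request values because it runs inside the application,
    which is the contextual awareness NIST contrasts with perimeter filtering.
    mode 'monitor': report the finding and let the query run (detection, as in
    IAST or RASP monitor mode); mode 'protect': block it (RASP protection mode).
    """
    tainted = [v for v in request_values if len(v) >= 4 and v in sql]
    findings = []
    if tainted:
        findings.append({"rule": "untrusted-input-in-sql-text", "values": tainted})
        if mode == "protect":
            log.warning("blocked query, untrusted text in SQL: %r", tainted)
            raise BlockedRequest("request blocked by runtime protection")
        log.warning("monitor: untrusted text reached SQL sink: %r", tainted)
    rows = cursor.execute(sql, params).fetchall()
    return findings, rows

def make_db():
    """Constructed in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    return conn

def lookup_concatenated(conn, name, mode):
    """Constructed weak handler: builds the SQL text from the request value."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return instrumented_execute(conn.cursor(), sql, (), [name], mode)

def lookup_parameterized(conn, name, mode):
    """Hardened handler: the value is bound, so it never enters the SQL text."""
    sql = "SELECT role FROM users WHERE name = ?"
    return instrumented_execute(conn.cursor(), sql, (name,), [name], mode)

if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "alice", "monitor"))   # finding reported, query ran
    print(lookup_parameterized(db, "alice", "protect"))  # no finding, query ran
```

In monitor mode the weak handler produces a finding while the query still executes, which is what a test-phase assessment wants; in protection mode the same request is refused, while the parameterized handler passes in both modes.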
What are the benefits of IAST and RASP?
IAST is a modern security bug detection technology that brings many benefits to teams over the legacy AST tools such as SAST static analysis and DAST dynamic scanners:
- Higher accuracy and more categories of vulnerabilities
- Continuous detection
- Ability to work through the entire SDLC
- Real-time results
The RASP application protection approach makes applications protect themselves, replacing the legacy perimeter WAF approach with protection from the inside. Some of the benefits of the RASP approach are:
- Broad protection from more types of attacks
- No false positives and no learning required
- Cloud-friendly approach and no perimeter
- DevOps approach, as protection becomes code
How Hdiv helps you comply with the NIST 800-53
IAST and RASP constitute the most modern approach to application security testing and protection, and the NIST recommendation validates their stability and production-ready characteristics, especially when security is paramount.
In other words, the inclusion in the NIST 800-53 set of requirements means that IAST and RASP technologies are now mainstream.
Hdiv Detection (IAST) is a passive IAST that scores 100% in the OWASP Benchmark and has been adopted by a broad range of organizations to conduct vulnerability assessments.
Hdiv Protection (RASP) provides agile protection and monitoring of many types of risks, including design flaws such as broken authentication and parameter tampering.
If your team is looking for help adopting the IAST and RASP technologies required by the NIST, drop us a note at contact at hdivsecurity dot com.