Securing an in-production "WebGoat PHP"

November 27, 2015

Lucent Sky AVM recently secured an application we’ll now refer to as “WebGoat PHP”. The application had over 13,000 vulnerabilities, and was originally slated for decommissioning as a result. The client estimated it would be cheaper and more efficient to rebuild the application from ground up than to remediate the volume of vulnerabilities known to be in the application.

By using the Lucent Sky AVM, a significant portion of vulnerabilities were automatically remediated, and the application was able to return online within a few weeks.

What did the application look like?

The application is a PHP application with 216,858 lines of code, spread over about a dozen modules.

How many vulnerabilities were there?

Over 13,000. The customer came to Lucent Sky because they had failed a static test that was required for compliance. Manual remediation was time and cost prohibitive, and the site needed to go back online.

How was Lucent Sky AVM deployed?

A Lucent Sky engineer and a reseller representative went on-site with the client to assess the application. The assessment confirmed the massive number of vulnerabilities.

Roadblocks

This application was exceptional for two reasons: it was written in PHP, a language for which Lucent Sky AVM support was still in beta at the time, and it had an uncommonly large number and high density of vulnerabilities. Lucent Sky AVM’s mitigation speed decreases exponentially with the number of vulnerabilities. To reduce the time and computing power required to mitigate this application, Lucent Sky engineers developed an enhanced version of the parallel mitigation algorithm, which allowed the entire application to be analyzed and secured in under 7 hours.

Results

Lucent Sky AVM was able to mitigate 74% of the vulnerabilities found, in this case almost 10,000 vulnerabilities. The unmitigated vulnerabilities were largely one-step vulnerabilities, which Lucent Sky AVM does not cover.

Why was it called “WebGoat PHP”?

This application had an unusually high density of vulnerabilities: about one for every 16 lines of code. WebGoat, a Java application designed for testing application security products (and thus intentionally vulnerable), has only one vulnerability for every 217 lines of code. It was as if this application had been purposely built to be insecure.

Was Lucent Sky AVM an effective solution?

Yes. Lucent Sky AVM mitigated enough of the vulnerabilities to bring the application back online. Manual remediation would not have allowed the organization to get the application online in a timely manner. In fact, rebuilding the site from scratch would have taken substantially less time than manual remediation.

Is it normal to use Lucent Sky AVM on an application that has already been released?

The best time to use Lucent Sky AVM is during development. Applications like this should never make it to production. Security should be a goal of application development. Using Lucent Sky AVM as part of the application’s development process would have ensured that it never reached a runtime environment with over 13,000 vulnerabilities.