Business overview & challenge

AARP was founded in 1958 to improve the quality of life of people over 50. AARP offers millions of members products, services, and resources that empower them to live active, healthy, and secure lives as they age. Many of the services that AARP offers its 50-plus constituents are delivered using personally identifiable information (PII). To protect the data of AARP members, volunteers and employees, AARP has developed a mature security-in-depth cyber defense program.

Solution evaluation

AARP approached Prevoty, the application security solution provider that is now part of Imperva, in search of a runtime application self-protection (RASP) solution that could protect the organization’s applications from attacks in its production environments. Analyst reports and customer feedback identifying Prevoty Autonomous Application Protection (RASP) as the most mature and technologically superior RASP solution persuaded AARP’s application security engineers to select RASP for evaluation. AARP proceeded with a proof-of-value (POV) process intended to measure RASP against the company’s particular criteria:

1. Scalability

At the time of the POV, AARP had identified 31 Java applications into which it initially wanted to deploy a RASP solution. The security team was also mindful of plans to transition to a new microservices-based architecture in the future, so the RASP solution it selected would need to be nimble enough to accommodate major application architectural changes.

RASP is portable and works in any type of deployment architecture, including on-premises, cloud, containers and microservices.

2. Permanent patching & visibility

AARP has a mature security program that includes vulnerability management, incident detection and response, network defense, and more. The team wanted to ensure that the RASP solution they selected would complement what the company already had in place, and maximize the value of its existing security stack.

RASP fills the gaps in security stacks that leave applications vulnerable to attack at runtime. While tools such as static application security testing (SAST), dynamic application security testing (DAST), and web application firewalls (WAF) can improve security, RASP adds a layer that understands how attacks will execute within the context of a given environment and neutralizes known and zero-day attacks at runtime. The real-time attack and activity logs RASP generates are pushed into a SIEM or other analytics platform an organization already has in place, providing an entirely new level of visibility into application security and more comprehensive insight into an organization’s overall security posture.

3. Broad integration capabilities

Not only are AARP’s security programs robust, but they are also highly automated for rapid development and deployment optimization. The RASP solution it would purchase had to integrate with its existing environment and automated workflows. RASP plugins deploy quickly and live quietly within application containers. Because Prevoty can be deployed at any point in the lifecycle of a new or legacy application—during deployment or after the app is in production—its impact on automated workflows is unobtrusive, allowing business to go on as usual.

Saffet Ozdemir, VP of Information Security, explains that AARP selected RASP because: “We believe that innovation and being one-step-ahead are critical tenets to operating a modern information security program that is aligned with the evolving threat landscape. Consequently, one of our main goals is to have our offense inform our defense. AARP is always looking beyond conventional information security controls and the rapid implementation of RASP enabled us to instill confidence that we are exceptional stewards in protecting member data.”

Runtime application self-protection deployment & results

After a successful POV, AARP adopted RASP along with an implementation process that seamlessly integrates Prevoty into its existing application deployment process. AARP utilizes an open source application deployment automation platform to facilitate this process. With the press of a button, the RASP autonomous plugin is automatically integrated into an application, then pushed into production. No development effort is required to instrument the applications with the RASP plugin. AARP configured three RASP modes within its deployment process:

• Disabled is utilized when RASP is implemented into an application for the first time. AARP deploys RASP in disabled mode to ensure that the plugin works harmoniously with the application and does not introduce unexpected behaviors. Once this is verified, AARP configures the plugin to monitor mode.

• Monitor is utilized to verify that RASP is accurately and precisely detecting attacks without introducing false positives. Once verified, AARP configures the plugin to protect mode.

• Protect mode gives RASP the authorization to block, sanitize, and neutralize attacks in production in real time.
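The three-mode progression above can be modelled as a request filter whose behaviour is gated on a single mode setting. The following is an added illustration, not Prevoty or Imperva code: the plugin API, the detection rules, the event format and the handler names are all assumptions; only the disabled/monitor/protect staging and the forwarding of runtime events to a SIEM-style sink come from the case study. Blocking with a 403 stands in for the block/sanitize/neutralize actions of protect mode.

```python
"""Staged RASP rollout modelled as a request filter: disabled -> monitor -> protect.

Added illustration, not Prevoty/Imperva code. The plugin API, rule set and
event format are assumptions; only the three-mode progression and the idea of
forwarding runtime events to a SIEM come from the case study.
"""
import json
import re
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    DISABLED = "disabled"   # plugin loaded but inert: compatibility check only
    MONITOR = "monitor"     # detect and report, never alter the request
    PROTECT = "protect"     # neutralize (here: block) and report


# Constructed detection rules standing in for the real engine's analysis.
RULES = {
    "sqli_tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "html_script": re.compile(r"<\s*script", re.I),
}


@dataclass
class Request:
    path: str
    params: dict


@dataclass
class Response:
    status: int
    body: str


@dataclass
class RaspPlugin:
    mode: Mode
    events: list = field(default_factory=list)  # stand-in for a SIEM forwarder

    def _inspect(self, req):
        """Return (rule name, parameter name) of the first match, or None."""
        for name, value in req.params.items():
            for rule, pattern in RULES.items():
                if pattern.search(value):
                    return rule, name
        return None

    def _emit(self, req, rule, param, action):
        """Append one JSON event line, as a SIEM forwarder would ship it."""
        event = {"path": req.path, "rule": rule, "param": param,
                 "mode": self.mode.value, "action": action}
        self.events.append(json.dumps(event, sort_keys=True))

    def handle(self, req, app):
        """Run the request through the plugin, then the application handler."""
        if self.mode is Mode.DISABLED:
            return app(req)                      # inert: no inspection, no events
        hit = self._inspect(req)
        if hit is None:
            return app(req)                      # clean request in any mode
        rule, param = hit
        if self.mode is Mode.MONITOR:
            self._emit(req, rule, param, "monitored")
            return app(req)                      # report only; request unchanged
        self._emit(req, rule, param, "blocked")  # PROTECT: neutralize
        return Response(403, "request blocked")


def search_app(req):
    """Constructed application handler: echoes the query parameter."""
    return Response(200, "results for " + req.params.get("q", ""))


def rollout_demo():
    """Run one benign and one hostile request through each mode.

    Returns {mode: ([status codes], number of events emitted)} so the effect
    of each rollout stage can be compared side by side.
    """
    benign = Request("/search", {"q": "retirement planning"})
    hostile = Request("/search", {"q": "x' OR 1=1"})  # constructed test input
    summary = {}
    for mode in Mode:
        plugin = RaspPlugin(mode)
        statuses = [plugin.handle(r, search_app).status for r in (benign, hostile)]
        summary[mode.value] = (statuses, len(plugin.events))
    return summary


if __name__ == "__main__":
    for mode, (statuses, count) in rollout_demo().items():
        print(f"{mode:9s} statuses={statuses} events={count}")
```

Running the demo shows why the staging matters: disabled mode proves the filter is in the request path without touching behaviour; monitor mode produces the same responses as disabled but emits an event for the hostile request, which is what lets a team check for false positives against SIEM data before anything is blocked; protect mode is the only stage that changes a response.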

Results

With RASP, AARP is able to push its applications to production faster, at scale, and with security onboard. The most immediate value RASP delivered to AARP was its impact on vulnerability management service level agreements (SLAs). Because RASP offers immediate, permanent protection, AARP’s backlog of vulnerabilities has become immediately less critical.

With every vulnerability in their remediation workflow downgraded, development teams now have more time to fix vulnerabilities on their own schedule and more time to develop features that solve problems, deliver services to customers, and drive business. AARP is also benefiting from RASP’s unprecedented visibility into application attacks, events, and risks. This context-enriched perspective from inside its applications is fed into a SIEM to deliver better, smarter, actionable intelligence.

“AARP is deeply committed to protecting members’ data by meeting and exceeding the conventional standards of privacy,” says Saffet Ozdemir, AARP VP of Information Security.