Patents by Inventor Kunal Anand
Kunal Anand has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12284114
Abstract: Techniques are disclosed for deploying, by a packet processing system in a cloud computing environment, microservice instances in the cloud computing environment comprising a plurality of computing devices executing a plurality of Kubernetes clusters comprising one or more containers. The packet processing system is configured to selectively steer data traffic between multiple versions of microservice instances executing in the cloud computing environment.
Type: Grant
Filed: September 8, 2021
Date of Patent: April 22, 2025
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Kunal Anand Ekawde, Michael Anthony Brown
-
Patent number: 12242900
Abstract: Techniques are disclosed for providing method for providing an event timer for event synchronization across Kubernetes clusters. The event timer is configured to provide event synchronization on behalf of microservice instances in the cloud computing environment. In response to a request for an event timer for a timed event, it is determined whether the requested event timer has been started for a second microservice instance. If the requested event timer has been started, a state of the requested event timer is sent to the first microservice instance. If the requested event timer has not been started, the requested event timer is instantiated, and a state of the instantiated event timer is stored in a database. The instantiated event timer is independent of the first and second microservice instances. In response to an expiration of the event timer, a single callback for processing of the event is generated.
Type: Grant
Filed: August 30, 2021
Date of Patent: March 4, 2025
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Kunal Anand Ekawde, Abhay Balappanavar, Michael Anthony Brown, Ronald Mark Parker, Anupama Raghavan, Dhananjaya Eadala, Rama Krishna Prasad Mangalaparthi, Mark Gordon Libby
-
Publication number: 20240311470
Abstract: A method for handling of injection attacks in requests for computer services is disclosed. The method includes receiving request data that represents a service to be provided by a server computer, parsing a data element from the request data wherein the data element includes a data key and a data value, determining whether the data key is one of one or more predetermined allowed data keys, and upon a condition in which the data key is not one of the predetermined allowed data keys, disabling any injection attacks in the request data before processing the request data by performing the service.
Type: Application
Filed: May 28, 2024
Publication date: September 19, 2024
Applicant: Imperva, Inc.
Inventor: Kunal Anand
-
Patent number: 12032682
Abstract: Systems and methods for analyzing SQL queries for constraint violations for injection attacks. Tokenizing a SQL query generates a token stream. A parse tree is constructed by iterating over lexical nodes of the token stream. The parse tree is compared to a SQL schema and access configuration for a database in order to analyze the SQL query for constraint violations. Evaluation flaws are also detected. A step-wise, bottom-up approach is employed to walk through the parse tree to detect types and to ascertain from those types whether the condition for SQL execution is static or dynamic. SQL request security engine logic refers to predetermined protective action data and takes the particular type of action specified by the predetermined protective action data. Security is further enhanced by limiting service of requests to requests of one or more specific, accepted data types. Each request is parsed into individual data elements, each an associated key-value pair.
Type: Grant
Filed: July 28, 2021
Date of Patent: July 9, 2024
Assignee: Imperva, Inc.
Inventor: Kunal Anand
-
Patent number: 11729176
Abstract: A runtime application self protection (RASP) plug-in logic monitors for, and prevents, outbound network connections that are initiated by server application logic and that are not intended by the application logic. The RASP plug-in has access to information generally available only to the application logic and identifies specific vulnerabilities within the application logic that can be patched. The vulnerabilities are identified by (i) data identifying the portion(s) of the application logic that is the source of the vulnerability and (ii) data identifying the authenticated user, if any, that is the source of the attack. The RASP plug-in catches and identifies specific attacks on the application logic in real-world, production operation.
Type: Grant
Filed: October 17, 2019
Date of Patent: August 15, 2023
Assignee: Imperva Inc.
Inventors: Kunal Anand, Richard Meester, Joseph Rozner, Martin Ryan
-
Patent number: 11593502
Abstract: A method by one or more computing devices for detecting application user anomalies in audit logs of database operations performed on one or more databases. The method includes obtaining a first audit log of database operations, wherein the first audit log indicates (1) which application users of an application caused which of the database operations to be performed and (2) which functions of the application caused which of the database operations to be performed, generating, for each of the application users indicated in the first audit log, a profile of that application user that indicates which of the functions that application user is expected to touch, and detecting an anomaly in response to a determination that a second audit log indicates that an application user touched a function that is not one of the functions indicated in the profile of the application user.
Type: Grant
Filed: April 26, 2021
Date of Patent: February 28, 2023
Assignee: Imperva, Inc.
Inventors: Itsik Mantin, Craig Burlingame, Brian Anderson, Kunal Anand, Ran Rosin, Peter Klimek, Joseph Moore
-
Publication number: 20220400077
Abstract: Techniques are disclosed for deploying, by a packet processing system in a cloud computing environment, microservice instances in the cloud computing environment comprising a plurality of computing devices executing a plurality of Kubernetes clusters comprising one or more containers. The packet processing system is configured to selectively steer data traffic between multiple versions of microservice instances executing in the cloud computing environment.
Type: Application
Filed: September 8, 2021
Publication date: December 15, 2022
Inventors: Kunal Anand EKAWDE, Michael Anthony BROWN
-
Publication number: 20220382596
Abstract: Techniques are disclosed for providing method for providing an event timer for event synchronization across Kubernetes clusters. The event timer is configured to provide event synchronization on behalf of microservice instances in the cloud computing environment. In response to a request for an event timer for a timed event, it is determined whether the requested event timer has been started for a second microservice instance. If the requested event timer has been started, a state of the requested event timer is sent to the first microservice instance. If the requested event timer has not been started, the requested event timer is instantiated, and a state of the instantiated event timer is stored in a database. The instantiated event timer is independent of the first and second microservice instances. In response to an expiration of the event timer, a single callback for processing of the event is generated.
Type: Application
Filed: August 30, 2021
Publication date: December 1, 2022
Inventors: Kunal Anand EKAWDE, Abhay BALAPPANAVAR, Michael Anthony BROWN, Ronald Mark PARKER, Anupama RAGHAVAN, Dhananjaya EADALA, Rama Krishna Prasad MANGALAPARTHI, Mark Gordon LIBBY
-
Patent number: 11461484
Abstract: A method by one or more runtime agents protecting a web application for capturing contextual information for data accesses. The method includes determining first metadata associated with a web application layer request sent by a web application firewall to the web application, determining second metadata associated with the web application layer request based on information available to the web application, serializing the first metadata and the second metadata to generate serialized metadata, and adding the serialized metadata to a database query that is to be submitted by the web application to the database server, wherein execution of the database query that includes the serialized metadata by the database server is to cause the database activity monitor to store the serialized metadata and third metadata associated with the database query determined by the database activity monitor in a data storage.
Type: Grant
Filed: December 30, 2019
Date of Patent: October 4, 2022
Assignee: Imperva, Inc.
Inventors: Kunal Anand, Brian Anderson, Joe Moore, Ran Rosin, Itsik Mantin, Peter Klimek, Craig Burlingame
-
Patent number: 11405212
Abstract: A runtime application self protection (RASP) plug-in monitors for, and prevents, invocation of unacceptably weak cryptographic processing requested by an application. Since the RASP plug-in is linked to the application, the RASP plug-in has access to information regarding an execution state of the application logic, including interaction with shared libraries, to determine what component of the application requests use of unacceptable cryptographic techniques. Such enables owners/operators of an application to easily detect requests for unacceptable cryptographic techniques, even if such requests originate in a portion of the application that is not under the control of the owners/operators.
Type: Grant
Filed: October 17, 2019
Date of Patent: August 2, 2022
Assignee: IMPERVA, INC.
Inventor: Kunal Anand
-
Publication number: 20220019658
Abstract: Systems and methods for analyzing SQL queries for constraint violations for injection attacks. Tokenizing a SQL query generates a token stream. A parse tree is constructed by iterating over lexical nodes of the token stream. The parse tree is compared to a SQL schema and access configuration for a database in order to analyze the SQL query for constraint violations. Evaluation flaws are also detected. A step-wise, bottom-up approach is employed to walk through the parse tree to detect types and to ascertain from those types whether the condition for SQL execution is static or dynamic. SQL request security engine logic refers to predetermined protective action data and takes the particular type of action specified by the predetermined protective action data. Security is further enhanced by limiting service of requests to requests of one or more specific, accepted data types. Each request is parsed into individual data elements, each an associated key-value pair.
Type: Application
Filed: July 28, 2021
Publication date: January 20, 2022
Inventor: Kunal Anand
-
Publication number: 20210312068
Abstract: A method by one or more computing devices for detecting application user anomalies in audit logs of database operations performed on one or more databases. The method includes obtaining a first audit log of database operations, wherein the first audit log indicates (1) which application users of an application caused which of the database operations to be performed and (2) which functions of the application caused which of the database operations to be performed, generating, for each of the application users indicated in the first audit log, a profile of that application user that indicates which of the functions that application user is expected to touch, and detecting an anomaly in response to a determination that a second audit log indicates that an application user touched a function that is not one of the functions indicated in the profile of the application user.
Type: Application
Filed: April 26, 2021
Publication date: October 7, 2021
Applicant: Imperva, Inc.
Inventors: Itsik MANTIN, Craig BURLINGAME, Brian ANDERSON, Kunal ANAND, Ran ROSIN, Peter KLIMEK, Joseph MOORE
-
Patent number: 11100218
Abstract: Systems and methods for analyzing SQL queries for constraint violations for injection attacks. Tokenizing a SQL query generates a token stream. A parse tree is constructed by iterating over lexical nodes of the token stream. The parse tree is compared to a SQL schema and access configuration for a database in order to analyze the SQL query for constraint violations. Evaluation flaws are also detected. A step-wise, bottom-up approach is employed to walk through the parse tree to detect types and to ascertain from those types whether the condition for SQL execution is static or dynamic. SQL request security engine logic refers to predetermined protective action data and takes the particular type of action specified by the predetermined protective action data. Security is further enhanced by limiting service of requests to requests of one or more specific, accepted data types. Each request is parsed into individual data elements, each an associated key-value pair.
Type: Grant
Filed: June 22, 2018
Date of Patent: August 24, 2021
Assignee: PREVOTY, INC.
Inventor: Kunal Anand
-
Publication number: 20210200884
Abstract: A method by one or more runtime agents protecting a web application for capturing contextual information for data accesses. The method includes determining first metadata associated with a web application layer request sent by a web application firewall to the web application, determining second metadata associated with the web application layer request based on information available to the web application, serializing the first metadata and the second metadata to generate serialized metadata, and adding the serialized metadata to a database query that is to be submitted by the web application to the database server, wherein execution of the database query that includes the serialized metadata by the database server is to cause the database activity monitor to store the serialized metadata and third metadata associated with the database query determined by the database activity monitor in a data storage.
Type: Application
Filed: December 30, 2019
Publication date: July 1, 2021
Applicant: Imperva, Inc.
Inventors: Kunal ANAND, Brian ANDERSON, Joe MOORE, Ran ROSIN, Itsik MANTIN, Peter KLIMEK, Craig BURLINGAME
-
Patent number: 11023607
Abstract: A method for detecting anomalies in audit logs of database operations performed on databases. The method includes obtaining a first audit log of database operations performed on one or more databases, generating, for each of a plurality of attribute values associated with a designated attribute appearing in the first audit log, a profile of that attribute value that indicates expected attribute characteristics of one or more attributes when that attribute value is associated with the designated attribute, obtaining a second audit log of further database operations performed on the one or more databases, and detecting an anomaly responsive to a determination that a log entry in the second audit log includes an attribute value associated with the designated attribute but attributes in the log entry deviate from the expected attribute characteristics of the one or more attributes indicated by the profile of the attribute value associated with the designated attribute.
Type: Grant
Filed: April 3, 2020
Date of Patent: June 1, 2021
Assignee: Imperva, Inc.
Inventors: Itsik Mantin, Craig Burlingame, Brian Anderson, Kunal Anand, Ran Rosin, Peter Klimek, Joseph Moore
-
Publication number: 20200213120
Abstract: A runtime application self protection (RASP) plug-in monitors for, and prevents, invocation of unacceptably weak cryptographic processing requested by an application. Since the RASP plug-in is linked to the application, the RASP plug-in has access to information regarding an execution state of the application logic, including interaction with shared libraries, to determine what component of the application requests use of unacceptable cryptographic techniques. Such enables owners/operators of an application to easily detect requests for unacceptable cryptographic techniques, even if such requests originate in a portion of the application that is not under the control of the owners/operators.
Type: Application
Filed: October 17, 2019
Publication date: July 2, 2020
Inventor: Kunal Anand
-
Publication number: 20200213322
Abstract: A runtime application self protection (RASP) plug-in logic monitors for, and prevents, outbound network connections that are initiated by server application logic and that are not intended by the application logic. The RASP plug-in has access to information generally available only to the application logic and identifies specific vulnerabilities within the application logic that can be patched. The vulnerabilities are identified by (i) data identifying the portion(s) of the application logic that is the source of the vulnerability and (ii) data identifying the authenticated user, if any, that is the source of the attack. The RASP plug-in catches and identifies specific attacks on the application logic in real-world, production operation.
Type: Application
Filed: October 17, 2019
Publication date: July 2, 2020
Inventors: Kunal Anand, Richard Meester, II, Joseph Rozner, Martin Ryan
-
Publication number: 20180307831
Abstract: Systems and methods for analyzing SQL queries for constraint violations for injection attacks. Tokenizing a SQL query generates a token stream. A parse tree is constructed by iterating over lexical nodes of the token stream. The parse tree is compared to a SQL schema and access configuration for a database in order to analyze the SQL query for constraint violations. Evaluation flaws are also detected. A step-wise, bottom-up approach is employed to walk through the parse tree to detect types and to ascertain from those types whether the condition for SQL execution is static or dynamic. SQL request security engine logic refers to predetermined protective action data and takes the particular type of action specified by the predetermined protective action data. Security is further enhanced by limiting service of requests to requests of one or more specific, accepted data types. Each request is parsed into individual data elements, each an associated key-value pair.
Type: Application
Filed: June 22, 2018
Publication date: October 25, 2018
Inventor: Kunal Anand
-
Patent number: 10025936
Abstract: Methods and apparatuses for detecting an evaluation flaw in a SQL query, the SQL query configured to access data in a database table are disclosed. The method includes creating a parse tree from the SQL query and evaluating the parse tree to ascertain whether a condition of the SQL query results in a type or value that is independent of contents of the database table. For type evaluation, if, responsive to the evaluating, the condition is found, designating the SQL query at risk for having the tautology in the SQL query. For value evaluation, if, responsive to the evaluating, the condition is found, determining whether the condition is always true or whether the condition is always false; and if, responsive to the determining, the condition is found to be always true or always false, designating the SQL query at risk for having the evaluation flaw in the SQL query.
Type: Grant
Filed: September 16, 2016
Date of Patent: July 17, 2018
Assignee: PREVOTY, INC.
Inventors: Kunal Anand, Michael Crampon, Richard Meester, Joseph Rozner, Joshua Chase
-
Patent number: 10002254
Abstract: Methods and apparatuses for detecting an evaluation flaw in a SQL query, the SQL query configured to access data in a database table are disclosed. The method includes creating a parse tree from the SQL query and evaluating the parse tree to ascertain whether a condition of the SQL query results in a type or value that is independent of contents of the database table. For type evaluation, if, responsive to the evaluating, the condition is found, designating the SQL query at risk for having the tautology in the SQL query. For value evaluation, if, responsive to the evaluating, the condition is found, determining whether the condition is always true or whether the condition is always false; and if, responsive to the determining, the condition is found to be always true or always false, designating the SQL query at risk for having the evaluation flaw in the SQL query.
Type: Grant
Filed: September 16, 2016
Date of Patent: June 19, 2018
Assignee: PREVOTY, INC.
Inventors: Kunal Anand, Michael Crampon, Richard Meester, Joseph Rozner, Joshua Chase