This topic provides answers to frequently asked questions about Application Security.

Does Application Security affect the running of an application?

The impact on running applications is almost negligible because Application Security has good control over performance, compatibility, and stability. In actual tests, the CPU overhead is less than 1%, the memory overhead is less than 30 MB, and the response time (RT) is less than 1 ms. In addition, Application Security provides features such as observation mode and soft fuse escape mechanism to minimize interference to applications.

How do I add an application to Application Security?

You can enable Application Security in the ARMS console. Then, you can restart the instance corresponding to your application. You do not need to change the application code. Application Security supports only Java applications. For more information, see Access application security.

How do I use Application Security to protect an application after the application is added?

Theoretically speaking, the attacks detected by Application Security can actually produce security threats. Compared with the traditional detection technologies that are based on traffic characteristics, Application Security has lower false positive rate. Therefore, you must pay attention to the attacks detected by Application Security. After Application Security is enabled, the protection mode is set to "Monitor" by default. After the application runs stably for a period of time, you can set the protection mode to "Monitor and Block".

Why is no attack data displayed on the Attack Statistics page?

If no attack data is displayed on the Attack Statistics page, possible causes include:
  1. The application is not connected to the application security feature. After you click Add in the console, you do not restart the instances for the application, or just restart some instances.
  2. The application uses an earlier version of Java agent. To use the application security feature, an application requires the following agent versions. For more information, see Access application security
    • In automatic upgrade scenarios, container applications and EDAS applications must use Java agents of v2.7.1.2 or later.
      Note Automatic upgrade scenarios refer to the scenarios where you can automatically upgrade agent versions by restarting applications or pods. For more information, see Update the ARMS agent for Java applications.
    • For manual upgrade scenarios, Java agents must be v2.7.1.3 or later.
  3. No real attack behavior occurs. Unlike traditional firewalls, the application security feature only records real attacks. Traditional firewalls report attacks when they detect the presence of malicious attack characteristics in packets. However, the presence of malicious characteristics does not mean real attacks. For example, attack requests that exploit PHP vulnerabilities are ineffective in the Java environment. If a real attack is detected, it means that the attacker has broken through the outer defense and can enter the internal environment of the application and perform risky actions. An application may not have a large number of real attacks. However, you must intercept attacks or fix security vulnerabilities in a timely manner when real attacks occur.

How do I handle vulnerabilities listed on the risky components page?

Vulnerabilities listed on the risky components page are common vulnerabilities. These vulnerabilities may be exploited by attackers for intrusion. Even if they cannot be exploited now, they may be exploited in the future after attackers modify application code. Typically, these vulnerabilities can be defended by the application security feature after the prevention mode of the application is changed to Monitor and Block instead of the default mode of Monitor.

We recommend that you fix these vulnerabilities in a timely manner. Log on to the ARMS console. In the left-side navigation pane, choose Application Security > Risky Component Detection. On the page that appears, find the vulnerability and click View in the Details column. On the Details tab, view relevant suggestions in the Fix Reference section. Most of these suggestions are official upgrades or fixes for risky components. You can also search for fixes by searching for the CVE IDs of vulnerabilities in the search engine.