WAF vs RASP
A common question for organizations that already have a WAF is “why is RASP needed if WAF can also protect against attacks like SQL injections?” If investments have already been made into web application firewalls, CIOs and security leaders might be wondering what RASP’s added value is. Conversely, for those without a WAF already in place, would a WAF still be useful if a RASP can do the job better?
What can RASPs and WAFs both do?
WAFs and RASPs both share a goal of monitoring and protecting production web applications. They both monitor the traffic coming into the application (albeit at different points), and defend against malicious attacks. WAFs monitor traffic at the HTTP layer and use patterns to look for suspicious payloads, while RASPs monitor the execution of the request at runtime to look for exploitation attempts. This means that the context and visibility that they have are different.
How do they operate?
WAFs sit at the perimeter of an application and work by pattern matching incoming HTTP traffic against a ruleset of known malicious activity. In essence, they sit on the edge and check that requests don't look like known attacks.
RASPs, on the other hand, are integrated within the application and pull their data from the application runtime, i.e. what the application itself is seeing. Most importantly, RASPs do not rely primarily on pattern matching; instead they hook the sensitive internal calls the application makes (database queries, file access, command execution) and examine the request-derived arguments at the point where they are used.
When one of those calls is made with harmful arguments, the RASP intercepts it and either logs or blocks it, depending on configuration (diagnostic mode vs. self-protection mode). RASPs therefore act on the context of the application rather than on a ruleset alone.
What edge do RASPs have over WAFs?
How much a Web Application Firewall actually sees depends on how actively its ruleset is maintained. WAFs run into visibility limits because they are positioned on the network and therefore have no knowledge of the application's context. Because a WAF works from a database of patterns, an attacker who obfuscates or restructures a payload so that it no longer matches those patterns will not be detected. What's more, the ruleset has to be updated whenever the application or the attack techniques evolve.
Furthermore, as the perimeter of applications has become more porous with the prevalence of cloud and mobile services, WAFs, like perimeter firewalls, cannot see what is going on inside it. This makes WAFs better suited to broad alerting than to protection: they can tell you what attackers are attempting, but not which attempts actually succeeded.
RASP tools, on the other hand, have deeper visibility into the application because they sit next to the code. They have insight into the application logic, underlying libraries, configuration and data flows, which makes RASP alerts more accurate; some vendors advertise zero false positives. A RASP also needs neither the learning period nor the ongoing human tuning that a WAF needs, so it is ready for zero-day exploitation of the vulnerability classes it instruments (injection and the like) from the moment it is deployed, whereas a WAF needs its ruleset updated first, and only if the attack is noticed to begin with. RASP tools do not fix the source code, but some can virtually patch a vulnerability by blocking its exploitation at runtime, giving developers time to prioritize which code fixes to ship first.
Where can WAFs help?
WAFs and RASPs have different strengths. The main benefit of a WAF is against network- and traffic-level attacks such as DDoS. Because such attacks do not exploit an application-level vulnerability, and have to be absorbed before they reach the application, RASPs are not well suited to handling them.
Additionally, WAFs provide high-level visibility into what attackers are attempting from the outside, even though they cannot tell you which attacks succeeded. Surfacing unusual requests and behavior in large volumes of traffic is valuable for security teams, and something WAFs do well.
Where can RASPs help?
RASPs’ strength lies in protection. A well-implemented RASP will stop an attacker from exploiting vulnerabilities in your application with few or no false positives. That accuracy follows from where a RASP sits: if an attacker's parameter actually changes the query the application runs, the RASP sees it and catches it; if the parameter is handled as plain data, nothing fires. This is what cuts both false positives and false negatives.
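The difference in vantage point described under "How do they operate?" and the "does the parameter affect the query" test from this section, as an added example in Python; this is not code from the original article or from any WAF or RASP product. The WAF-style rules, the tokenizer, and the `RaspGuard`, `build_db` and `run_login` helpers are constructed for illustration. The RASP-side check is one common way of deciding whether untrusted input was interpreted as SQL rather than as data: look at the query the application actually built and count how many lexical tokens the request parameter occupies in it. The SQLite schema and the login query are constructed sample input, and the query is deliberately built by string concatenation so there is something to catch.

```python
import re
import sqlite3
from typing import Iterable, List, Tuple

# --- WAF-style check: pattern matching on the raw request parameter -------
# Constructed rules for this example; not any vendor's signature set.
WAF_RULES = [
    re.compile(r"(?i)\bunion\s+select\b"),
    re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),  # ' OR 1=1, ' OR '1'='1
    re.compile(r"--|#|/\*"),                          # SQL comment markers
]


def waf_check(value: str) -> bool:
    """Edge view: True when the parameter matches a known-bad pattern."""
    return any(rule.search(value) for rule in WAF_RULES)


# --- RASP-style check: inspect the SQL the application actually built -----
TOKEN_RE = re.compile(
    r"(?P<STRING>'(?:[^']|'')*')"          # single-quoted literal ('' escapes)
    r"|(?P<NUMBER>\d+(?:\.\d+)?)"
    r"|(?P<COMMENT>--[^\n]*|/\*.*?\*/)"
    r"|(?P<WORD>[A-Za-z_][A-Za-z0-9_]*)"   # keywords and identifiers
    r"|(?P<OP>[^\s\w])",                   # punctuation, incl. a stray quote
    re.DOTALL,
)


def tokenize(sql: str) -> List[Tuple[str, int, int]]:
    """Return (kind, start, end) for each token; whitespace is skipped."""
    return [(m.lastgroup, m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]


def parameter_alters_structure(sql: str, value: str) -> bool:
    """True if an occurrence of `value` in `sql` spans more than one token or
    lands in a comment: the input is being read as SQL, not as data."""
    if len(value) < 2:  # assumption: ignore trivially short values
        return False
    tokens = tokenize(sql)
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        overlapping = [kind for kind, s, e in tokens if s < end and e > start]
        if len(overlapping) > 1 or "COMMENT" in overlapping:
            return True
        start = sql.find(value, start + 1)
    return False


class RaspGuard:
    """Hooks the database sink. 'diagnostic' only records; 'protect' blocks."""

    def __init__(self, conn: sqlite3.Connection, mode: str = "protect"):
        self.conn = conn
        self.mode = mode
        self.request_params: dict = {}   # what the current HTTP request carried
        self.events: List[str] = []

    def execute(self, sql: str, params: Iterable = ()):
        for name, value in self.request_params.items():
            if isinstance(value, str) and parameter_alters_structure(sql, value):
                msg = f"SQLi: parameter {name!r} altered query structure"
                self.events.append(msg)
                if self.mode == "protect":
                    raise PermissionError(msg)
        return self.conn.execute(sql, tuple(params))


def build_db() -> sqlite3.Connection:
    """Constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def run_login(guard: RaspGuard, username: str) -> Tuple[bool, bool]:
    """One request: returns (waf_flagged, rasp_blocked).
    The query is deliberately concatenated so that injection is possible."""
    guard.request_params = {"username": username}
    sql = f"SELECT id FROM users WHERE name = '{username}'"
    try:
        guard.execute(sql)
        blocked = False
    except PermissionError:
        blocked = True
    return waf_check(username), blocked


if __name__ == "__main__":
    guard = RaspGuard(build_db())
    for probe in ["alice", "alice' OR 'a'='a", "alice' OR '1'='1", "admin'--"]:
        waf, blocked = run_login(guard, probe)
        print(f"{probe!r:22} waf_flagged={waf!s:5} rasp_blocked={blocked}")
```

Run it and the obfuscated tautology `alice' OR 'a'='a` slips past the digit-oriented WAF rule yet is blocked at the sink, because the value spills across five tokens of the final query, while the same guard in diagnostic mode only records the event and lets the query run. The same check stays quiet for a parameterized query (`name = ?`), since the value never appears in the SQL text at all. The toy also shows the limits a practitioner should expect: a value that lands entirely inside one identifier or keyword token is ignored, so it would not notice injection into a dynamically chosen table name, and a real product correlates taint from the request to the sink rather than substring-searching the query.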
So which tool should you use?
The choice comes down to the particulars of your needs and situation, but generally speaking, it’s ideal to use both a RASP and a WAF, or an Application Security Management platform that can offer both. The tools are complementary: WAFs deliver traffic insights and network-specific protection, while RASPs deliver deep visibility and application-level protection. However, if you can only use one, due to costs or other resource limitations, then generally it’s better to go with a RASP, as protecting your application is usually more important than traffic pattern visibility.