What is RASP?
Looking for a security component that will protect your application from the inside? RASP is one of the latest additions to the web application security acronyms. It stands for Runtime Application Self-Protection and according to Gartner, it is “a security technology that is built on or linked into an application runtime environment, and is capable of controlling application execution, and detecting and preventing real-time attacks.”
How do RASP solutions work?
Like web application firewalls (WAFs), RASP security tools defend a web application against attacks in production. But RASP solutions have the advantage of not needing to rely on preset patterns or signatures. RASP solutions sit inside the application and work within the application at run-time, without requiring code modifications. They have access to the full application context, down to the vulnerable code. RASP determines if an attack is actually triggering a code vulnerability by monitoring the behavior of the application in real-time rather than matching against a set of patterns like a WAF. This means RASP solutions can alert you on what is actually an attack triggering a vulnerability, rather than only on what looks like an attack. As such, RASP solutions have an excellent signal-to-noise ratio and can make false positives negligible.
Sitting inside the application provides deep security insights and more accurate protections than what WAFs can do from the edge. RASP works with application agents that automatically adapt to the application and go beyond the HTTP layer. There’s no need to build a machine learning training model or maintain rulesets.
They operate in two pre-programmed modes:
- Self-protection mode: they stop the execution of requests at run-time for attacks that trigger actual vulnerabilities in the code.
- Monitoring mode: it works like the self-protection mode but instead of raising an exception to block the attack, monitoring mode will only report the vulnerabilities details to a dashboard.
True RASP tools don’t work with lists of patterns of known attacks. They are able to analyze both the application’s behavior as well as its context because they integrate with the application at the application runtime. Thus, they can distinguish normal instructions or requests from malicious ones. The context they get from their position within an application allows them to detect attacks more accurately, removing false positives and reporting or blocking only real threats. When a RASP solution detects an attack, it can provide a full stack trace to developers to pinpoint the exact line of code that is vulnerable. This enables developers to easily remediate vulnerabilities.
The best RASP tools use dynamic instrumentation technologies that are dependent on the specifics of the backend technologies. Languages coverage is key when choosing a RASP. Make sure the RASP tool you’re considering supports all of the languages your application is written in and that you plan to use.
Implementing most RASP tools only takes a few minutes. Simply add another dependency (Gem for Ruby, Jar for Java, etc.) into your app and you’re all set. Adding or removing a RASP solution is just a matter of adding or removing a code snippet.
Why did RASPs come about?
RASPs arose in response to the changing realities of securing applications. Security testing wasn’t able to scale to keep up with the speed of modern day application development cycles. The testing process for SAST and DAST tools take too long and dump too much information, slowing down developers too much for fast-moving companies to handle. Additionally, since you can’t find and fix every vulnerability pre-production, additional layers or protection were needed.
WAFs filled this production protection role for many years, but are only really ideal for low hanging fruit these days. Working off rulesets and pattern matching creates too many false positives and too much maintenance work for modern organizations. WAFs inability to catch 0-day vulnerabilities is a major gap as well.
RASPs were developed to provide an additional layer of application protection – one that sits within the application to overcome the limitations of WAFs and stop attacks at the source.
What are RASPs advantages?
RASP tools have function-level code visibility into the application with insight into the application logic, underlying code libraries, configuration, and data event flows, which means they can distinguish between real attacks and legitimate requests with high accuracy, allowing security teams to spend more time on real threats. They don’t rely on bases of malicious patterns or signatures, and don’t need constant maintenance. As a result, the total cost of ownership of a RASP solution is significantly lower than other protection and monitoring tools like a WAF.
RASP tools can protect the system even after the attacker has penetrated perimeter defenses, such as WAFs, and are able to self-protect the data. Since WAFs are rule-based, they can be bypassed and only protect against attacks for which they have preset rules. They way RASPs solutions are implemented allows them to have no false positives and limited false negatives.
Security teams can make use of RASP’s deep analysis abilities to understand vulnerabilities and attack vectors so that they can adjust the policies, tighten the controls, and put other mitigation efforts in place. Furthermore, RASP provides actionable remediation information about where a vulnerability resides in the code (stack traces) to speed up remediation cycles. Capitalizing on this data can help train developers on secure coding, report defects to third-party vendors, and evaluate a vendor’s code quality.
RASP tools can also be used for applications that cannot benefit from sufficient security testing, such as older applications which are no longer covered by active development processes, applications whose code was developed by third parties, or applications that would be too costly to fix. Since they adapt to the specifics of the application’s environment, RASP tools can work with a wider range of applications than other tools.
What are RASP’s limits?
RASP tools, like WAFs, might appear like circling the wagons and defending attacks rather than fixing the vulnerabilities that lie within the code. Also, RASPs cannot protect against all types of vulnerabilities by themselves. For a comprehensive application security strategy, they are to be used jointly with other security tools and layers, like an In-App WAF, an IAST, or a CDN to cover DDoS attacks. A holistic application security program with an Application Security Management (ASM) platform offers the ability to identify vulnerabilities inside the application but also monitor and protect production apps.
As RASP solutions sit inside the application they can also induce a slight performance impact. The degree of impact is generally minimal, but depends on the design of the specific RASP tool.
RASP solutions are also technologically dependent and need to be compatible with the stack. If the RASP tool of interest doesn’t support your application’s language, it will be useless. This means that the degree of coverage for a RASP tool matters more than for other security tools.