RASP in Security
Runtime Application Self-Protection (RASP) is an application security technology that protects web applications from attacks at runtime, i.e. while the application is in use.
Built into an application or its runtime environment (such as the web server the application is hosted on), RASP can observe and control the application's execution, detect vulnerabilities, and stop attacks in real time. Its purpose is to prevent malicious actors from compromising applications and APIs by abusing coding vulnerabilities such as insecure deserialization, SQL injection, and XSS.
How it works
RASP is integrated as a module or framework that runs alongside the program's code, libraries, and system calls and monitors the traffic reaching the application's server and APIs. When a security event occurs, RASP takes control of the application and addresses the problem.
Upon detecting a threat vector, it applies runtime protection measures to secure the application against malicious activity. All requests are examined by the RASP layer, which sits between the application and the server, without impacting the application's performance.
Importance of RASP
Technologies such as intrusion prevention systems (IPS) and web application firewalls (WAF) are also used to protect applications while they are in use. They work in-line, inspecting network traffic and content, but they cannot see how that traffic and data are processed within the application, and they are typically used only for alerting and log collection.
By deploying RASP, vulnerabilities within an application can be identified by the application team. Additionally, it can block attempts to exploit existing vulnerabilities in deployed applications.
There are two ways of deploying a RASP solution, based on the requirement: monitoring/diagnostic mode and protection/block mode.
In monitoring/diagnostic mode, the RASP tool only reports that something is amiss and takes no other action.
In protection/block mode, it reports the issue it identified and also tries to stop the execution. For example, it could stop the execution of instructions to a database that appear to be a SQL injection attack.
Other actions RASP could take include terminating a user's session, stopping the application's execution, or alerting the user or security personnel about an attempted attack.
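To make the two modes concrete, here is an added example that is not part of the original post: a toy Python RASP hook that wraps a sqlite3 cursor, traces tainted request input into the SQL text (the input-tracing technique), reports the event in monitor mode, and refuses to execute the statement in block mode. RaspGuard, shape, lookup_user and the users table are constructed for this illustration and are not any vendor's product.

```python
import re
import sqlite3

TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\d+|\w+|[^\s\w]")


def shape(sql):
    """Lexical shape of a statement: every literal collapses to one token kind."""
    return ["STR" if t[0] == "'" else "CMT" if t[:2] == "--" else "NUM" if t.isdigit()
            else "ID" if (t[0].isalnum() or t[0] == "_") else t for t in TOKEN.findall(sql)]


class RaspGuard:
    """Toy RASP hook (hypothetical) between the application and its database driver.
    Input tracing: request values are tainted on arrival; a statement is a suspected
    injection when a tainted value embedded verbatim in it changes the lexical shape.
    mode="monitor" only reports the event, mode="block" also stops the statement."""
    def __init__(self, mode="block"):
        self.mode, self.tainted, self.events = mode, set(), []
    def taint(self, value):                 # called where request input enters the app
        if isinstance(value, str) and value:
            self.tainted.add(value)
        return value
    def inspect(self, sql):
        hits = [t for t in self.tainted if t in sql
                and shape(sql) != shape(sql.replace(t, "0" if t.isdigit() else "x"))]
        if hits:
            self.events.append({"sql": sql, "input": hits, "mode": self.mode})
        return bool(hits)
    def cursor(self, conn):
        guard = self
        class GuardedCursor(sqlite3.Cursor):    # hooks the driver's execute() call
            def execute(self, sql, parameters=()):
                if guard.inspect(sql) and guard.mode == "block":
                    raise PermissionError("RASP: suspected SQL injection blocked")
                return super().execute(sql, parameters)
        return conn.cursor(factory=GuardedCursor)


def lookup_user(username, mode="block"):
    # Vulnerable application code (constructed): it concatenates the request value.
    guard, conn = RaspGuard(mode), sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'user'), ('bob', 'admin')")
    name = guard.taint(username)
    try:
        rows = guard.cursor(conn).execute(
            f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()
    except PermissionError:
        rows = None                         # block mode: the statement never ran
    return rows, guard.events
```

A benign username passes untouched, while an input that alters the statement's shape is reported in monitor mode (and the tampered query still runs) or stopped before the driver sees it in block mode.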
This image shows the placement of a RASP solution in an application.
WAF vs RASP
A WAF is an application firewall placed in front of the application to protect it. It inspects incoming traffic for malicious or suspicious payloads and can block suspicious IP addresses based on the configured rules. It is not aware of the application's true weaknesses, so it must validate every input before it reaches the application, and it cannot see the consequences a payload has inside the application.
RASP, unlike a WAF or IPS, works from within the application. It moves seamlessly with the application, whether in the cloud or on premises, as the application scales up or down, and is faster and more accurate. Alongside signatures, RASP offers detection techniques such as sandboxing, semantic analysis, input tracing, and behavioral analysis.
1. Staying true to the proverb "Prevention is better than cure," RASP, at its core, monitors the application closely for any suspicious or dangerous behavior.
2. RASP delivers lower CapEx and OpEx.
3. RASP accuracy means more protected applications.
4. It dramatically reduces false positives.
5. RASP technology is great at providing visibility into application layer attacks.
6. Adaptability to new standards.
Top vendors offering RASP
Top application security vendors that also provide a RASP product are listed below.
About the Author
Jaishree is an application security specialist and part of the DevSecOps vertical in the GAVS Security CoE, supporting critical customer engagements. Her core interest is in cloud application security.