Is it time to take RASP seriously?

Rob Lemos, Writer and analyst

For more than two decades, security practitioners have looked for ways to bolt security onto applications. Most of the time, progress has been measured in baby steps.

DEC released the first application-aware firewalls in 1991. Later that decade, security expert Crispin Cowan released AppArmor, a host-based protection mechanism for applications, and StackGuard, protections built into software by the compiler, as part of the Immunix Linux distribution to lock down applications. Variations on the theme followed, from Microsoft's GS flag to web application firewalls (WAFs) to application wrapping and containerization.

The name of the latest incarnation—"runtime application self-protection," or RASP—was coined by Gartner in 2012 to describe technology that provides security checks during runtime. The collection of technologies falling under the RASP umbrella has garnered attention because of the increasing importance of connected applications and the focus on software vulnerabilities in recent years. Gartner estimates that only 1 percent of web applications today are using a form of RASP technology.

While the name has changed, the intent has not, said Aaron Lint, director of research for Arxan Technologies, an application-protection technology firm. "RASP is just the newest name for what we have been doing for a very long time," he said.

With nascent technologies, however, come doubts. This article will explore the basis for that doubt and present the ways that RASP, as the newcomer on the application security scene, can add real value to a business's security portfolio.

What are RASP detractors saying?

Some experts have questioned whether using libraries and agents to add security to applications will improve security or ultimately undermine it. In a late-2014 article, Gary McGraw, chief technology officer for software-security firm Cigital, questioned whether the technology can solve enough problems and scale to cover enough applications to meaningfully impact security. "The time has come for tools and services that sweep an entire portfolio leaving no stone unturned in the hunt for basic defects," he wrote.

Part of the problem, however, is that the term "RASP" covers a fairly broad range of technologies that use an agent, module, or library to insert themselves into an application's runtime execution. Prevoty, for example, has many characteristics of a WAF but runs in or alongside the application, making it a RASP technology.

"There are a lot of different ways to do the instrumentation," said Kunal Anand, co-founder and chief technology officer of Prevoty.

RASP technologies run the gamut. Java typically requires an agent. PHP, Ruby on Rails, and other scripting languages can be modified with modules. Code for instrumenting .NET can be injected into the CLR.

Yet another security layer—and that's a good thing

Yet, as part of a well-balanced approach to security, RASP certainly seems to have a place. Even its detractors have noted that it has strengths in catching vulnerabilities such as cross-site scripting and SQL injection in web applications. Proponents of the technology point to several advantages that RASP offers companies.

Security professionals often point out that there is no silver bullet for security problems. Instead, companies build interlocking layers of security. Within that defense-in-depth framework, RASP works well, especially for certain classes of vulnerabilities: Database injection vulnerabilities, for example, are readily apparent at the application level.

Yet the technology will not replace the network-based combination of content distribution networks and WAFs that have arisen in the past half decade or so. Network-based WAFs are typically effective against denial-of-service attacks and any exploit that is readily apparent from a URL, such as directory traversal.

"There is a huge opportunity for RASP to work with perimeter-based solutions," said Arpit Joshipura, vice president of product and marketing at Prevoty. "We are not saying that a WAF is bad. A WAF is where you want to solve things, like denial of service. You want to handle that at the network level, not inside the application."

Quick fixes

The traditional secure development lifecycle (SDLC) is a relatively slow process at most companies, with testing adding steps. As companies move toward agile development and DevOps, they have less tolerance for that delay.

RASP technologies are also a quicker way to virtually patch known vulnerabilities or filter out unexpected input or behavior, and RASP fits much better with fast development cycles. The founders of Signal Sciences, another WAF-meets-RASP service, came from Etsy, a business platform for professional artisans, well known for its DevOps mindset. The company is all about creating security that does not get in the way of business, said Zane Lackey, founder and chief security officer of Signal Sciences.

"Being able to get data on which of your applications is being attacked and how they are attacked, that helps, in terms of the SDLC, to prioritize your time," Lackey said. "It's a shift toward a notion of attack-driven defense."

Software security firm Cigital agrees that the ability to protect applications against known issues and attacks can provide a net positive for companies.

"Not all software is built in-house; not all software has an available and ready development team with a lot of bandwidth on their hands to fix problems as they come up; and the threats are always changing," said John Steven, internal chief technology officer at Cigital. "So there is value to the RASP approach of wrapping the application and being able to provide some filtering of attacks that come out."

More fidelity

Running inside the application also gives companies better information on what is happening during an attack. The ability to roll out a fix quickly across infrastructure, or prevent an attack by limiting the types of inputs to an application, is a strategic benefit. Getting application developers the information they need to fix a vulnerability is a tactical benefit, Signal Sciences' Lackey said.

"The tactical visibility piece is about getting the application teams themselves access to the information about where their particular feature is being attacked right now, so they can self-serve and figure out how to fix the issue," he said.

The remaining question: Performance

The biggest questions still revolve around performance. Installing the protection into the application—or using an agent, hooking into the application through the operating system—can cause performance problems. Pattern matching, for example, recognizes known attacks but misses novel or obfuscated attacks and may not scale well to cover a large number of vulnerabilities. Anomaly detection can be tricky; tuning a system to catch as many attacks as possible, without the false alerts, is a hard balance to reach.

Companies are finding paths to performance, however. Prevoty, for example, argues that its implementation of LANGSEC, a whitelisting approach to defining what types of inputs are valid, is fast. "Our goal is to stop production attacks," Prevoty's Anand said.
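Two of the points made above can be shown together in one small sketch: that database injection is readily apparent at the application level, because the runtime layer sees the final statement the application is about to run, and that a LANGSEC-style allowlist defines up front which input shapes are valid. This is an added example written for this article, not code from the article or from Prevoty or any other vendor named here. The field names, the grammars and the `RaspConnection` wrapper are assumptions made for the illustration; the wrapper stands in for the agent or module a real product injects into the runtime.

```python
import re
import sqlite3

# --- Layer 1: LANGSEC-style input allowlist -------------------------------
# Each input field gets a grammar describing the only shapes it may take.
# The field names and grammars are hypothetical, chosen for this example.
INPUT_GRAMMARS = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "page": re.compile(r"[0-9]{1,6}"),
}


class RaspBlocked(Exception):
    """Raised when the runtime layer refuses an input or a statement."""


def matches_grammar(field, value):
    """True only if the whole value is described by the field's grammar."""
    grammar = INPUT_GRAMMARS.get(field)
    return grammar is not None and grammar.fullmatch(value) is not None


# --- Layer 2: structural check on the statement the app actually runs -----
# A user-supplied (tainted) value may occupy exactly one literal token of the
# final SQL. If it spans keywords, operators or comments, the input has changed
# the statement's structure: that is what an injection looks like from here.
TOKEN_RE = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<op>[^\s])",
    re.DOTALL,
)


def tokenize(sql):
    """Return (kind, start, end) for every non-whitespace token in sql."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens


def find_injection(sql, tainted_values):
    """Return the tainted values that do not sit inside a single literal.

    Substring search is a simplification: a real agent propagates taint
    through the runtime instead of re-finding values in the final string."""
    tokens = tokenize(sql)
    hits = []
    for value in tainted_values:
        start = sql.find(value) if value else -1
        while start != -1:
            end = start + len(value)
            covering = [t for t in tokens if t[1] <= start and end <= t[2]]
            if not (len(covering) == 1 and covering[0][0] in ("string", "number")):
                hits.append(value)
                break
            start = sql.find(value, end)
    return hits


class RaspConnection:
    """Wraps a DB-API connection so every statement passes the check first.

    A real RASP agent hooks the driver from inside the runtime (Java agent,
    PHP module, CLR injection); this wrapper is the same idea done by hand."""

    def __init__(self, conn):
        self._conn = conn
        self._tainted = set()

    def taint(self, field, value):
        """Register a user-supplied value; reject it if it is off-grammar."""
        if not matches_grammar(field, value):
            raise RaspBlocked(f"{field}={value!r} is outside its allowed grammar")
        self._tainted.add(value)
        return value

    def execute(self, sql, params=()):
        bad = find_injection(sql, self._tainted)
        if bad:
            raise RaspBlocked(f"statement structure altered by input {bad!r}")
        return self._conn.execute(sql, params)


if __name__ == "__main__":
    db = RaspConnection(sqlite3.connect(":memory:"))
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    # The application concatenates the value into the statement (the defect the
    # runtime layer exists to cover); the real fix is the parameterized form below.
    name = db.taint("username", "alice")
    print(db.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall())
    print(db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall())
    for attempt in ("' OR '1'='1", "alice'--"):
        try:
            db.taint("username", attempt)
        except RaspBlocked as err:
            print("blocked at input layer:", err)
```

The two layers fail differently, which is the point of running both: the grammar refuses anything that is not a valid username before it reaches the query, and the token check catches a value that slipped past (or was never grammar-checked) by looking at the statement the driver is about to execute. A parameterized query passes the second check trivially because the value never becomes part of the SQL text.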

Some critics have argued that RASP does not scale well enough to aid enterprises. Cigital's Steven argued that it depends on the problem that a company has to solve. For businesses that buy most of their software and may retain a large volume of legacy software, RASP can be extremely beneficial, he said.

"Is a RASP product going to work better than a firewall at protecting those applications?" he asked. "Is that a scalable strategy compared to having developers go back and use analysis tools to find vulnerabilities and fix the code? Absolutely, it should be."

What are your opinions on RASP?
