You are here

Is RASP a must for application security?

public://pictures/John-Mello-Journalist.png
John P. Mello Jr., Freelance writer

For years, organizations have focused their cybersecurity efforts on their infrastructure. They built firewalls to block attackers from entering their systems. They monitored their networks to identify malicious traffic. As infrastructure-layer defenses were bolstered, however, attackers began to pay more attention to the application layer of their targets' systems. Protecting that layer has proved to be more problematic for system defenders.

"Ideally, companies would write secure software that wouldn't allow hackers to hack into it, but in all too many cases, developers either are unable to make sure there are no vulnerabilities in their code or they don't know what vulnerabilities are, so we constantly have vulnerabilities in software." —John Pescatore, director of emerging trends at the SANS Institute

As the vulnerability of applications became apparent, the security industry looked for solutions to the problem. So it cooked up another infrastructure solution called a web application firewall (WAF). The idea was to prevent an attacker from reaching any vulnerabilities in the software behind the WAF. That strategy is ineffective, though, if an intruder gets behind the WAF and attacks an application from inside a network.

What if, however, a technology could be devised that enabled applications to protect themselves? Such a technology could be an important component in a layered defense approach to securing an organization's systems. Such a technology exists today. It's called RASP, which stands for "runtime application self-protection."

"The ability for applications to defend themselves matters quite a bit," said Joseph Feiman, chief innovation officer at Veracode. "A great benefit of RASP is that it extends application security out to operations. It answers the question of how to defend applications."

"RASP's impact will increase even further once it integrates with an end-to-end application security platform." —Joseph Feiman, Veracode

[ Get up to speed fast on today's tools with TechBeacon's Application Security Buyer's Guide 2019 ]

Blocking and tackling with RASP

Bringing infrastructure security capabilities to the application level makes RASP an important development in cybersecurity, noted Mark Wireman, a cyber-risk-services expert at Deloitte who is focused on application security. "RASP is important because it's trying to bring the concept of blocking and tackling security-related attacks down into the application layer, which for many years has been one of those nebulous areas that both the security and development sides have been unsure how to address," he said.

"RASP shows some significant promise. However, many of the RASP technologies on the market today go after low-hanging fruit, which leaves a void in what RASP is trying to protect," he added. For example, RASP will detect attacks that exploit SQL injection or cross-site scripting—attacks that are known and understood by the security community—but it's not going to detect zero-day or more complicated attacks. "The more complicated attacks are going to be the kind that utilize encryption and other techniques to exploit a vulnerability," Wireman explained.

Nevertheless, even if RASP is limited to picking off low-hanging fruit, such as the vulnerabilities found on the OWASP Top 10, it can be a worthwhile addition to an organization's security arsenal. "It's been recognized that these common vulnerabilities are 90 percent of what attackers use," Pescatore said. "If we could stop those, we'd be way ahead of the game. Sure, hackers will think of some more, but right now it's easy pickings for them to get at these easy vulnerabilities."

"Ideally, developers would have better hygiene and not write applications with these vulnerabilities, but they do, and things like RASP are good at reaching that basic hygiene level," Pescatore added.

[ Application layer attacks are on the rise. Get key takeaways from the 2019 Application Security Risk Report in this free Sept. 25 webinar ]

Is RASP enterprise-ready?

Although RASP has been developed with the enterprise in mind, in its current state of development it can pose some challenges for an organization. For example, RASP has to be installed on all the application servers within an organization. "If you have 1,000 servers in your data center, you've got to install 1,000 copies," Pescatore said. "If you miss just one endpoint, you risk the whole system being compromised." That has been problematic in the past. "Putting software on every single host has always proven to be complicated and expensive," he explained.

Some customization of RASP may also be required. There is some tuning that's invariably involved, Pescatore said.

"If it's blocking legitimate applications from doing legitimate things, you could get an interruption of the application's proper operation."

RASP doesn't know what applications are supposed to do, he explained. "It knows what applications are generally not supposed to do."

Sometimes a developer will think of a novel way of doing something that may be similar to the way the bad guys do things, he added. In that case, RASP would have to be updated to know that that's legitimate behavior.

There's also a debate over the impact of RASP on the performance of the applications it's monitoring. "There will be some latency as the RASP agent monitors the execution of the application from within the stack," said Veracode's Feiman. "Of course it’s imperative that this impact be as minimal as possible."

Deloitte's Wireman points out that RASP's impact on application performance will vary depending on the volume of transactions the app must perform over time, but some impact is inevitable. "Some vendors are saying it doesn't impact performance at all," he said. "However, logic dictates otherwise. Whenever a process is listening to and making decisions for interrupted transactions, there will be a performance hit."

Pescatore said performance may be acceptable if an organization has the hardware resources to offset RASP's demands."Horsepower is pretty cheap these days, so performance has not been as issue." 

Playing nice with others

A key to RASP's longevity as a security solution may lie in its ability to fit into an overall security scheme. "There are currently several use cases being vetted for RASP," Feiman said. "However, the only cases that make sense today are as an additive to a more comprehensive, integrated application security program."

Wireman noted that using RASP as an additional technology with a comprehensive logging and monitoring program is very important. Typically, an organization will have a security operations center that monitors alerts from a security information and event management (SIEM) platform. Those alerts can flag potential threats and events and trigger action by the security team. "When we layer RASP on top of that, you're getting visibility at the application layer of a potential threat or something that just doesn't seem right from an application perspective that can bubble up into your threat management process," he explained.

However, RASP doesn't play well with other security programs yet. "RASP hasn't evolved to the point where the technology is ready to be integrated with technologies like Splunk or a SIEM solution," Wireman said. 

"I don't think it's ready for the enterprise because it's not ready to integrate with a more comprehensive threat management program."

One place where RASP is already showing promise is in software development, where the technology, running in diagnostic-reporting mode, can help create more secure software. "Enterprises will receive accurate, real-time information about the application's security posture and attacks that it detects without actually protecting against them," Feiman explained. "Another use case is running RASP on a test server to diagnose applications running in a pre-production mode."

Reality check for RASP

While RASP shows lots of promise, organizations need to avoid the hype that accompanies any new technology. "Unfortunately, a lot of these technologies are initially branded as a be-all-and-end-all solution for addressing application security," Wireman observed. "That's definitely not true of RASP."

Organizations should be developing a robust logging and monitoring system that focuses on application security logging, Wireman said.

"RASP can be a key component of that because RASP can be layered into the process and can be a focal point for enterprise security management technology."

Feiman, too, cautioned organizations about RASP. "RASP provides the most complete insight into an application's logic flow, data flow, database access, configuration, and distribution, but it’s not a magic bullet," he said. "The technology protects applications in real time against security vulnerabilities created by poor programming—think of it as a virtual patch—and does not replace efforts to develop secure software." 

What do you think? Have you successfully used RASP to protect your infrastructure?

Image credit: Jason Kuffer

[ Get Report: Gartner Magic Quadrant for Application Security Testing 2019 ]