What is Runtime Application Self-Protection (RASP)?

Applications have become a ripe target for Web marauders looking to penetrate the enterprise. There's a good reason for that. Black Hats know that if they can find and exploit a vulnerability in an app, they have a better than one in three chance of pulling off a successful data breach. What's more, the likelihood of finding a vulnerability in an app is good, too. Contrast Security says 90 percent of apps aren't tested for vulnerabilities during their development and quality assurance stages, and even more go unprotected during production.

With so many vulnerable apps running in the enterprise, the challenge for network defenders is how to protect those apps from attack. One way is to have the applications protect themselves by identifying and blocking attacks in real time. That's what technology called Runtime Application Self-Protection (RASP) does. 


What is RASP?

RASP is a technology that runs on a server and kicks in when an application runs. It's designed to detect attacks on an application in real time. When an application begins to run, RASP can protect it from malicious input or behavior by analyzing both the app's behavior and the context of that behavior. Because the app continuously monitors its own behavior, attacks can be identified and mitigated immediately without human intervention.

RASP incorporates security into a running application wherever it resides on a server. It intercepts all calls from the app to the underlying system, making sure they're secure, and validates data requests directly inside the app. Both web and non-web apps can be protected by RASP. The technology doesn't affect the design of the app because RASP's detection and protection features operate on the server the app's running on.

How RASP works

When a security event in an app occurs, RASP takes control of the app and addresses the problem. In diagnostic mode, RASP will just sound an alarm that something is amiss. In protection mode, it will try to stop it. For example, it could stop the execution of instructions to a database that appear to be a SQL injection attack.

Other actions RASP could take include terminating a user's session, stopping an application's execution, or alerting the user or security personnel.

Developers can implement RASP in a couple of ways. They can access the technology through function calls included in an app's source code, or they can take a completed app and put it in a wrapper that allows the app to be secured with a single button push. The first approach is more precise because developers can make specific decisions about what they want protected in the app, such as logins, database queries, and administrative functions.

Whichever method is used with RASP, the end result is like bundling a web application firewall with the application's runtime context. That close connection to the app means RASP can be more finely tuned to the app's security needs.

Go beyond the perimeter for better app security

RASP shares some characteristics with traditional firewalls. For example, it looks at traffic and content and can terminate sessions. However, firewalls are a perimeter technology and can't see what's going on inside the perimeter. They don't have a clue what's happening inside applications. In addition, the perimeter has become more porous with the rise of cloud computing and the proliferation of mobile devices. That has reduced the effectiveness of both general-purpose firewalls and web application firewalls (WAFs).

"Security consultants have a love-hate relationship with WAFs, because they are usually most effective the day they enter service and gradually become less effective over the course of subsequent months," Jake Williams, principal consultant at Rendition InfoSec, wrote in a paper for the SANS Institute titled "Protection for the Inside: Application Security Methodologies Compared."

"The reason for this decline in effectiveness is that WAF deployment often takes place in response to some penetration test or security incident after the organization performs a cost analysis and decides a WAF deployment is less expensive than fixing the application’s source code."

Self-protecting apps become a reality

An advantage of RASP is it can secure a system once an attacker has penetrated perimeter defenses. It has insight into application logic, configuration, and data event flows. That means RASP can thwart attacks with high accuracy. It can distinguish between actual attacks and legitimate requests for information, which reduces false positives and allows network defenders to spend more of their time combating real problems and less time chasing digital security dead ends.

In addition, its ability to self-protect an app's data means protection travels with the data from its birth to its destruction. That can be particularly useful to organizations that need to meet compliance requirements, since self-protected data is useless to data thieves. In some cases, regulators don't require reporting a data breach if the stolen data is in a form that makes it unreadable if stolen.

Like a WAF, RASP won't fix an app's source code. However, Williams explained that it does integrate with an app's underlying code libraries and protects the vulnerable areas of the application at the source level.

"When a client makes a function call containing parameters that might cause harm to the web application, RASP intercepts the call at runtime, logging or blocking the call, depending on the configuration. This method of protecting a web application differs fundamentally from a WAF."
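The interception described under "How RASP works" and in Williams's description above (a call is intercepted at runtime and logged or blocked depending on configuration), as an added toy example that is not part of the original article and is not any vendor's product. It assumes a Python app talking to sqlite3; the names `RaspAgent`, `RequestContext`, `spans_multiple_tokens` and `lookup_user` are my own. It shows the diagnostic and protection modes, the two integration styles the article mentions (an explicit call in the app's code, and a wrapper around the connection), and why seeing the query in the app's own context reduces false positives: the same payload bound as a parameter never reaches the SQL text and raises no alarm.

```python
"""Toy RASP-style agent: hooks SQL execution inside the application and checks
whether a request-supplied value changed the query's token structure."""
import re
import sqlite3
from dataclasses import dataclass, field

# One match per SQL lexical unit: string literal, double-quoted identifier,
# number, word (keyword/identifier), comment, or a single punctuation character.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'|\"[^\"]*\"|\d+(?:\.\d+)?|\w+|--[^\n]*|/\*.*?\*/|[^\s\w]", re.S)


def spans_multiple_tokens(sql: str, value: str) -> bool:
    """True if `value` occurs in `sql` stretching across two or more tokens,
    i.e. it contributed keywords or operators instead of staying inside one
    literal. A value that never reaches the SQL text (a bound parameter) or
    that sits inside a single literal is not an attack from the runtime's view."""
    tokens = [(m.start(), m.end()) for m in _TOKEN.finditer(sql)]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if sum(1 for s, e in tokens if s < end and e > start) >= 2:
            return True
        start = sql.find(value, start + 1)
    return False


class AttackBlocked(Exception):
    """Raised in protection mode; the app turns it into an error response."""


@dataclass
class RequestContext:
    session_id: str
    tainted: list            # values copied from the HTTP request (query, form, headers)


@dataclass
class RaspAgent:
    mode: str = "protection"               # "protection" blocks, "diagnostic" only alarms
    events: list = field(default_factory=list)
    terminated_sessions: set = field(default_factory=set)

    def inspect_sql(self, sql, ctx):
        """Explicit-call integration: the app calls this before running a query."""
        for value in ctx.tainted:
            if value and spans_multiple_tokens(sql, value):
                self.events.append({"session": ctx.session_id, "sql": sql,
                                    "value": value, "mode": self.mode})
                if self.mode == "protection":
                    self.terminated_sessions.add(ctx.session_id)   # kill the session
                    raise AttackBlocked(f"request value {value!r} altered SQL structure")
                return False                                        # alarm only
        return True

    def wrap(self, conn, ctx):
        """Wrapper integration: returns a connection whose cursors are guarded."""
        return _GuardedConnection(conn, self, ctx)


class _GuardedCursor:
    def __init__(self, cursor, agent, ctx):
        self._c, self._agent, self._ctx = cursor, agent, ctx

    def execute(self, sql, params=()):
        self._agent.inspect_sql(sql, self._ctx)     # hook fires on every execute()
        return self._c.execute(sql, params)

    def __getattr__(self, name):                    # fetchall() etc. pass through
        return getattr(self._c, name)


class _GuardedConnection:
    def __init__(self, conn, agent, ctx):
        self._conn, self._agent, self._ctx = conn, agent, ctx

    def cursor(self):
        return _GuardedCursor(self._conn.cursor(), self._agent, self._ctx)

    def __getattr__(self, name):
        return getattr(self._conn, name)


def lookup_user(agent, name, session_id, parameterized):
    """A tiny endpoint standing in for the application. parameterized=False is
    the deliberately vulnerable string-concatenation path that RASP shields;
    parameterized=True binds the value, so it never enters the SQL text.
    Returns (verdict, rows) with verdict in {"allowed", "alarmed", "blocked"}."""
    conn = sqlite3.connect(":memory:")              # constructed sample data
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice'), ('bob')")
    ctx = RequestContext(session_id=session_id, tainted=[name])
    try:
        if parameterized:
            cur = agent.wrap(conn, ctx).cursor()                # wrapper style
            cur.execute("SELECT name FROM users WHERE name = ?", (name,))
        else:
            sql = "SELECT name FROM users WHERE name = '%s'" % name
            agent.inspect_sql(sql, ctx)                          # explicit-call style
            cur = conn.execute(sql)
    except AttackBlocked:
        return ("blocked", [])
    rows = [r[0] for r in cur.fetchall()]
    alarmed = any(e["session"] == session_id for e in agent.events)
    return ("alarmed" if alarmed else "allowed", rows)


if __name__ == "__main__":
    agent = RaspAgent(mode="protection")
    print(lookup_user(agent, "alice", "s1", parameterized=False))
    print(lookup_user(agent, "' OR 1=1 --", "s2", parameterized=False))
    print(lookup_user(agent, "' OR 1=1 --", "s3", parameterized=True))
```

In diagnostic mode the injected query still runs and returns every row, but the agent records the event; in protection mode the same call is refused and the session is marked terminated, matching the actions the article lists. The structural check is deliberately simple (it only asks whether a request value straddles token boundaries), so a production agent would also track taint through escaping and framework layers.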

Better technology for BYOD, but at a price?

RASP can also benefit mobile environments. Depending on the mobile operating system, protecting apps from attacks can be a dubious proposition for organizations. Protecting them with RASP can make BYOD less of a security challenge for an IT department.

On the downside, application performance can take a hit when RASP is deployed, although how much of a hit is a source of debate between critics and advocates of the technology. The self-protecting process can slow down an app, as can the dynamic nature of RASP. If that latency becomes apparent to users, it will certainly generate grousing within an organization. However, how serious the performance issue will be won't be clear until more applications start incorporating RASP into their functions.

It's also important to remember that RASP is a shield. If an application is defective, it will remain so even when protected by RASP. In addition, RASP can't protect against all classes of vulnerabilities. So while it will provide a good deal of protection for applications, it's not going to make an app as secure as it would be if security were built into the app from start to finish. For those reasons, some security experts recommend that the technology be used with other methods to secure applications.

Building in security is better, but until then...

RASP is still in its youth, and it's believed that it will surmount its deficiencies and become the future of application security. As Joseph Feiman, chief innovation officer at Veracode, noted while a research vice president for Gartner:

"Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics, and self-protection. It should be a CISO's top priority."

On the other hand, if security starts to spread deeper into the development timeline, defenses against many of the attacks RASP is designed to thwart will be built into an app's source code. That will reduce the need for RASP, but it will still be handy for protecting legacy apps.
