Runtime application self-protection (RASP) tools block potentially malicious activity while an application is in production. RASP watches a company’s application at runtime, analyzing its behavior as well as the context in which the behavior occurs. If RASP detects a security event such as an attempt to run a shell, open a file, or call a database, it will automatically attempt to terminate that action. RASP can ward off major forms of web application attacks such as cross-site scripting (XSS) and SQL injection (SQLi) as well as attempted account takeovers and other zero-day exploits. RASP can also be beneficial to businesses with lean security resources because it can automatically block attacks on the spot without the need for human intervention.
As attacks on web applications continue to rise, businesses are finding it challenging to properly safeguard all of their applications, some of which may harbor vulnerabilities that were not identified or mitigated early on within the software development lifecycle (SDLC) or through various types of application security testing. This is why including protection within the application itself helps companies better balance security requirements with the imperative to roll out apps in a timely manner.
RASP can both detect and block attacks on applications in real time. Because RASP instruments in the application at runtime, it has visibility into the application’s actual behavior. Instead of analyzing preset signatures or known patterns based on commonly known attacks, as a web application firewall (WAF) would, RASP can look for suspicious actions that are taking place in the application.
This cuts down on false positives and the noise typically generated by WAFs, alerting the security team to actual malicious activity so it doesn’t have to guess at the impact of random suspicious network events. By providing more accurate alerts, RASP also frees the security team to focus on strategic security priorities. RASP can also issue user warnings, educating legitimate users that have unintentionally placed risky requests on why their request was denied.
Since RASP has the benefit of knowing an application’s runtime context, it can deliver security that is better tailored to the app’s specific requirements—all without requiring changes to the application code. Unlike web application firewalls (WAFs), which filter traffic and content at the perimeter but have no visibility into activities that may be taking place within the perimeter itself, RASP can still defend applications from an attack even after an attacker has breached perimeter defenses. In an increasingly complex environment with multiple endpoints that could be compromised, this can be a valuable asset to an organization’s application security.
As Gartner explains, RASP is “a security technology that is built on or linked into an application runtime environment, and is capable of controlling application execution, and detecting and preventing real-time attacks.” Often via an agent placed into the server, RASP adds security checks into applications that are running there. RASP then continually evaluates calls to these applications to ensure that they are safe and can proceed.
When an apparently unsafe call occurs, RASP steps in and blocks it—for example, by terminating a suspicious user session or denying a request to execute a specific application. This extra layer of security at the application layer, particularly when combined with secure software development practices and other application security tools, can greatly strengthen an organization’s overall application security. RASP can also give the security team timely and accurate alerts into real-time malicious actions as they are taking place in the application environment, facilitating rapid response in the event of an attack.
Since RASP doesn't require changes to the application code, it doesn’t affect application design—which means the company is free to continue developing and refining the application as needed. This may be especially beneficial in the event that a business is maintaining apps within its environment for the foreseeable future. When used in combination with a WAF, which typically excels at identifying patterns of suspicious activity originating from multiple sources such as in a botnet attack, a RASP can deliver valuable real-time insight into actual threats that an organization faces. While WAF can give you one view, you need more insight into what’s executing to see the whole picture.
RASP sometimes gets confused with its cousin, the web application firewall (WAF), but these two technologies are actually distinct from one another. Whereas a WAF continually analyzes application traffic at the perimeter for potential malicious activity using static rules based on known forms of attack, RASP blocks malicious activity from occurring within the application itself.
A WAF will often require a learning period in order to be effective and still may not be nimble enough to fend off newer forms of attack that it has not seen before, leaving a business potentially vulnerable during the window of time when the WAF has not yet received new rules to combat the emerging threat. A RASP, however, provides a far more adaptable real-time defense against a variety of attacks at the application layer.
Since RASP uses the application itself, it can still monitor and protect an application’s security even as it is continually updated and further developed. WAF and RASP can complement one another, combining forces to provide a business with more comprehensive and robust application security. WAFs give you visibility of what kind of requests are being sent to the application (for instance, if someone has a suspicious request pattern such as a bot brute-forcing a password or someone probing the application for vulnerabilities with a tool such as Metasploit). RASP, on the other hand, looks at what the application is doing with those requests. So, in the case of someone using Metasploit, the app owner can see that an exploit has resulted in a file being written to where it should not be, an executable being run on the system, unauthorized SQL access, or some unintended assets being loaded on a web page browser-side that could result in data exfiltration.
Here are three tips to make the most out of a RASP solution:
RASP is great at fending off many forms of attack such as cross-site scripting and SQL injection at runtime, but it should not be solely relied on for protecting a business against every application security threat that exists. By adopting a DevSecOps approach in which security is moved leftward within the SDLC and making sure you have a comprehensive application security program in place, you stand a far better chance of preventing an attack. Depending on your company’s unique security requirements, you may also opt to run a RASP solution with built-in WAF capabilities to maximize the advantages that both tools offer.
As you’re evaluating a RASP offering, consider how it may work with other tools you already have in place, particularly DevSecOps systems. An advanced RASP tool might integrate with your existing SIEM, DAST, Orchestration, and ticketing systems, for example. This integration allows your company to incorporate multiple threat intelligence feeds through APIs, web hooks, and leading technologies so you can better monitor and block threats in real time.
Because RASP integrates so closely with the applications it monitors, it can sometimes cause performance issues. If these issues are significant enough to have an impact on the users, they may complain about the change in performance. For this reason, it’s wise to carefully test your RASP solution to make sure you understand how it affects application performance before implementing it within your environment.