Over the past few years, RASP (Runtime Application Self-Protection) has become a hot topic of discussion among software security specialists. Recent market research predicts that the global RASP security market will witness tremendous growth and will post a CAGR of nearly 44% between 2016-2020.
This seems like a good time to take a look at RASP basics: What is RASP? Why do developers need it? Does it live up to the hype?
RASP – Runtime Application Self-Protection
The term RASP - Runtime Application Self-Protection, was introduced to the world in a Gartner report from 2012, and is defined in their IT Glossary as: “a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks”.
In other words: RASP is a technology protecting applications in real-time from the inside - as opposed to more traditional security tools that are external and network-located like firewalls or intrusion prevention systems. RASP prevents attacks in real-time automatically, with no human intervention, by “self-protecting” or reconfiguring automatically in response to certain conditions.
RASP monitors and protects applications against an ever-expanding range of threats, such as SQL/command injections, cross-site scripting (XSS), data exfiltration, account takeovers, Security bots/scanners, and more.
Do I need RASP if I already have a top of the line Firewall solution?
In one of our previous blog posts, we provided a guide to application security tools. The high percentage of cyber-attacks to application layers due to neglected security, along with the need for agile work processes, demands software teams to implement runtime application protection methods.
RASP is embedded into the application codes: the monitoring, detection, and protection security features are added to the servers that the application runs on. Calls to the server are intercepted by RASP to check their security and perform the required protection measures. Data requests are then validated directly into the application, without affecting its’ design. Capabilities may include coverage, performance, integration, and real-time alerting - depending on the RASP’s deployment model.
Though some of these protective methods might seem similar to advanced firewall security solutions, there are some major differences between these protection methods.
Firewalls protect software from the “outside”: this means they are set around a pre-defined perimeter. While they may do a good job of inspecting traffic and content, terminating or validating them within the perimeter - they are incapable of monitoring data and processes inside applications. In addition, firewalls are missing applicative context like validating user behavior.
A Study by Securosis explains the fact that security and engineering teams are focusing on application layer security solutions, and are “looking for better security tool integration, along with the ability to automate security, the ability to test in pre-production, and the ability for security products to identify where issues are detected in the code. For these teams, security tools need to be as agile as their development processes.” – this is an advantage that firewalls are incapable of offering.
Is there a downside?
After reviewing the major advantages RASP technologies bring to the table, there are a few reservations in the community regarding RASP solutions.
The first issue is that unlike many other cyber-security options that offer a cover of protection to a company’s software infrastructure, RASP solutions require each application be dealt with separately – adding more work for security and engineering teams in the organization.
RASP’s advantage as a dynamic and agile tool might also present a challenge by affecting performance – this remains to be seen as RASP offerings evolve.
Another concern focuses on the fact that with RASP, organizations are protecting imperfect code with an outside solution that might not cover all of the software’s vulnerabilities. This means that RASP cannot compensate for other application security tools like SAST, DAST or open source security management tools. For these reasons, security experts consider RASP as an added layer of protection.