X

Runtime Application Self Protection (RASP) Security

Understanding RASP Software: Enhancing Security for Applications from Within Start the ADR Sandbox
Table of Contents

What is RASP security?

Coined by Gartner in 2012, Runtime Application Self-Protection, RASP, is an emerging security technology that lets organizations stop hackers’ attempts to compromise enterprise applications and data. Built into an application or application runtime environment, runtime application self protection technology is capable of controlling application execution, detecting vulnerabilities, and preventing real-time attacks. A RASP solution incorporates security into the running application wherever it resides on a server. Being server-based, RASP security is able to detect, block, and mitigate attacks immediately, protecting applications as they run in real time by analyzing both application behavior and context. By using the app to continuously monitor its own behavior, RASP has the ability to protect an application from data theft, malicious inputs and behavior – without human intervention.

Why RASP security is important

Technologies such as intrusion prevention system (IPS) and web application firewall WAF are often used for application protection at runtime, but they work in-line as they inspect network traffic and content. As they analyze traffic and/or user sessions to and from applications, they cannot see how traffic and data are being processed within applications. Because their protective measures often lack the accuracy necessary for session termination, they can consume considerable amounts of security team bandwidth and are typically used for alerts and log collection only. What is needed is a new type of application protection technology – RASP – which resides within a to-be-protected application’s runtime environment.

Security challenges runtime application self-protection can address

RASP tests can address the most serious security challenges involved in the protection of web applications and APIs including:

  1. An HTTP request that's completely harmless for one application or API could be devastating for another. Also, data can look different “on the wire” than it does when it shows up in an application (referred to as an "impedance mismatch" problem).
  2. Modern applications using a variety of protocols beyond just HTTP, including WebSocket, which are generated by JavaScript in the browser, rich clients, mobile applications, and many other sources.
  3. Most large organizations have a WAF in place, many do not have the teams and expertise required to do the tuning necessary to keep it operational, leaving it in "log mode" only.
  4. Containers, IaaS, PaaS, virtual, and elastic environments. These allow applications and APIs to be deployed quickly, but expose code to new vulnerabilities. DevOps has also rapidly accelerated the rate of integration, deployment, and delivery, complicating the process of ensuring the security of rapidly evolving software.

Fortunately, Runtime Application Self-Protection RASP can address many of these concerns.

How RASP security software works

RASP is a powerful technology that intercepts all calls from the app to a system, making sure they're secure. It validates data requests directly inside the app. It improves overall application security by monitoring inputs and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes and tampering. RASP vendors offer unprecedented visibility and protection, blocking attacks quickly and effectively until the underlying vulnerabilities can be addressed.

Two primary RASP capabilities are:

  1. Application protection: Accurately stopping application vulnerabilities from being exploited without disrupting legitimate application use.
  2. Application threat intelligence: Giving security teams visibility into who is attacking, the techniques they are using, and the applications they are targeting down to the code level.

Key benefits of RASP testing

What makes RASP testing unique is that it works from inside the software, rather than as a network device. This allows RASP to take advantage of all the contextual information available inside the running application or API, including the code itself, framework configuration, application server configuration, libraries and frameworks, runtime data flow, runtime control flow, backend connections, and more. More context means broader protection and better accuracy.

1. RASP delivers lower CapEx and OpEx:

  • RASP solutions block attacks quickly and effectively until the underlying vulnerabilities can be addressed.
  • They are considerably less expensive to deploy and operate than WAF.
  • They deploy onto existing servers, avoiding capital expense.
  • RASP technology observes what the application actually does, and therefore does not require the same type of tuning, model building, verification, or human resources.

2. RASP accuracy means more protected applications:

Protecting applications from attacks has historically meant attempting to block them at the network level. But legacy approaches are inherently inaccurate when it comes to understanding application behavior because they are outside of the application itself. Also, network-based application security products generate too many false positives and require constant tuning. Over the last 25 years, network protection has moved increasingly close to the application – from the firewall, to the intrusion prevention system, to the WAF. With RASP, security has moved in inside the application.

  • RASP instrumentation delivers a level of accuracy not possible with legacy approaches.
  • It enables application security to be positioned literally within the application.
  • Increased accuracy transforms the adoption equation, allowing organizations to confidently protect more of their data and application portfolio with fewer resources.

3. RASP is cloud and DevOps-ready:

  • RASP works well with agile development, cloud apps, and web services.
  • It accelerates agile development by offering protection without rework, unlike WAF solutions, that need constant tuning.
  • RASP solutions observe actual application behavior, so they don’t need to recalibrate statistical and other models.
  • The RASP application is faster and more accurate.
  • RASP moves seamlessly with the application, whether in the cloud or on-premises, as the application scales up or down.
  • RASP-enabled applications are agnostic about whether an attack arrives via an API or a user interface.

4. RASP delivers unprecedented application monitoring:

  • RASP simplifies application security monitoring by instrumenting the entire application.
  • RASP policies can be created to generate log events when relevant portions of the application are accessed or other conditions are met (e.g., logins, transactions, privilege changes, data manipulations, etc.).
  • Policies can also be added and removed as necessary – for example, as part of incident investigations.
  • With RASP, all of this application logging is possible without modifying application source code or redeploying.

5. RASP is excellent at providing visibility into application layer attacks:

  • RASP continuously provides information about who is attacking you, what techniques they are using, and which of your applications or data assets are being targeted.
  • In addition to full HTTP request details, RASP provides application details including the exact line(s) of code associated with a vulnerability, exact backend connection details (like SQL query), transaction information, and currently logged-in user.
  • Using RASP provides instant visibility to software development teams, helping to prioritize work and take coordinated action on security defenses.

Because RASP isn't a hardware box, it can be deployed easily in all environments, including development and testing. RASP enables instant visibility into application attacks and quickly stops hacks. The result: applications that can defend themselves against attacks in real-time.

Contrast Protect with runtime application self protection

Application security has long been split between development, where testing is crucial, and operations, where protection is paramount. Contrast Protect (with RASP) uses deep security instrumentation to gain insight into exactly how attacks behave, automatically weaving visibility and protection directly into applications, without requiring any application changes. Contrast Protect doesn’t need to “learn” applications – instead it becomes part of them. And, unlike other runtime application self-protection solutions, Contrast does not require any changes to applications or the runtime environment.

Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.

Learn more about Contrast Security