Changing the AppSec Paradigm

by Goran Begic · Nov. 04, 16 · Opinion

Traditional approaches to application security are outdated and inefficient. With many organizations suffering from a web application security skills gap, the situation will likely get worse before it gets better. Increasingly, those who write code lack the requisite knowledge to keep it secure over time. This means that apps are at risk of being exploited due to flaws in their design or deployment.

New, best-in-class technologies such as Runtime Application Self-Protection (RASP) can help organizations overcome these issues. With RASP, we can fundamentally change the AppSec paradigm.

What makes RASP so different? It provides significantly broader security protections for web apps than legacy solutions such as Web Application Firewalls (WAFs). It’s simpler and less expensive to deploy and maintain, and it drastically reduces the risk of exploitation.

Minimizing Exploitation Is the Future of AppSec

Today’s AppSec solutions are focused almost entirely on minimizing risk by minimizing exposure. They aim to identify vulnerabilities throughout application code so that organizations can (eventually) remediate them. But what happens in the meantime? The delay between finding and fixing such flaws represents a major opening for attackers.

At IMMUNIO, we believe that a better and more effective approach to this problem is to make sure that code vulnerabilities (which are inevitable) can’t be exploited by attackers to harm your company’s systems, data, or customers.

Outdated and Insecure Third-Party Components Are Also Your Application

Modern web applications are often built with frameworks that define large portions of application functionality. Such frameworks are often much more resilient to exploitation than their older counterparts or custom code, but they are not immune to it. New frameworks also age fast, and once their weaknesses are exposed, every application running the affected version of the framework becomes that much more insecure. Here are some examples of severe vulnerabilities reported in major Python, Ruby, and Node.js frameworks:

  • Node.js Advisories
  • Ruby on Rails Security Google Group
  • RubySec Advisories
  • Django Security Archive

Code That Trusts User Input Can Open Doors to Exploitation

When attackers identify code that trusts user input, they can craft inputs that exploit inherent weaknesses in the underlying technology. Manipulation of application inputs dominates lists of critical vulnerabilities such as the OWASP Top 10.

The traditional AppSec approach is to focus on finding vulnerabilities through pen testing, source code review, and static analysis, and then remediating those vulnerabilities.

These practices are essential for improving the security of new applications, but they rely on human expertise and the resources required for proper remediation in the code. Furthermore, it is often very hard to prioritize issues without fully understanding how the deployment configuration and other protective measures affect the exploitability of these vulnerabilities.

As a result, this approach, while essential, can be painstakingly slow, taking months or years before it has a significant impact on risk reduction.

Blocking Exploitation With RASP

Preventing vulnerabilities from being exploited in the first place is the main focus of RASP solutions. A vulnerability does no harm until an attacker actually exploits it. Preventing the harm that results from exploitation is simpler than launching a difficult (and likely fruitless) search for every possible vulnerability in application code.
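The two points above (code that trusts user input, and blocking exploitation at the point where the query runs rather than hunting for every flaw first) as an added, constructed Python example; it is not IMMUNIO's product code or anything from the article. The `Tainted`, `build_query`, and `protected_execute` names are hypothetical, and the in-memory SQLite table is constructed sample data.

```python
import re
import sqlite3

# Constructed demo of the RASP idea: hook the point inside the app where the
# query executes and block when request-derived characters change its structure.
class Tainted(str):
    """Marks a string as request-derived (e.g. a query-string parameter)."""

class BlockedExploit(Exception):
    """Raised by the hook when tainted input alters query structure."""

# Crude SQL tokenizer: quoted literal, number, word, whitespace, symbol.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\s+|[^\s\w]")

def build_query(*parts):
    """Concatenate parts the way vulnerable code does, but keep a per-character
    taint map so the execution hook knows which characters the user supplied."""
    sql = "".join(parts)
    taint = [isinstance(p, Tainted) for p in parts for _ in p]
    return sql, taint

def tainted_input_alters_structure(sql, taint):
    """Every tainted character must sit inside a numeric literal or strictly
    inside a string literal whose two quotes were written by the developer."""
    for m in TOKEN.finditer(sql):
        tok, start, end = m.group(), m.start(), m.end()
        if not any(taint[start:end]) or tok.isdigit():
            continue
        if tok.startswith("'") and not taint[start] and not taint[end - 1]:
            continue
        return True  # tainted keyword, operator, quote or whitespace
    return False

def protected_execute(conn, sql, taint):
    """The RASP hook: sits on the execute path and sees the final query."""
    if tainted_input_alters_structure(sql, taint):
        raise BlockedExploit(sql)
    return conn.execute(sql).fetchall()

def demo(username):
    """A lookup built by string concatenation, wrapped by the hook."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cr3t')")
    sql, taint = build_query("SELECT secret FROM users WHERE name = '",
                             Tainted(username), "'")
    try:
        return protected_execute(conn, sql, taint)
    except BlockedExploit:
        return "blocked"
```

A legitimate apostrophe in a username is blocked as well, because it genuinely breaks the concatenated query; the hook limits harm at runtime but does not replace parameterized queries in the code.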
