RASP Adoption - A View From The Trenches: Part I

Runtime application self-protection (RASP) is one of the newest security technologies. In the early stages of adoption in the industry, this method of protecting web apps promises dynamic defense and automatic mitigation of vulnerabilities.

Last Thursday I provided an overview of my experiences with RASP adoption to help security teams get a better understanding of how to determine the need for this technology and how to evaluate the technology before you buy it.

RASP is a concept coined by Gartner, to refer to a set of technologies that are designed to protect the integrity of web applications and their data from the inside. Other security technologies focus on finding issues before production. RASP is all about protecting the app after it was deployed in production. The technology behind RASP varies by vendor—there are different products that focus on different use cases. Some use agent-based technology added to and/or packaged with the app, others use VM instrumentation, others rely on libraries and APIs to address logic from outside the application, and others use signatures, which is similar to a web application firewall (WAF) that is placed inside the application.

Attackers try to get web applications to do something they are not designed to do. Unlike web application firewalls, RASP solutions have access to contextual information about application execution. Here is an overview of information that is available to a RASP solution and the application that it protects:

• Who is interacting with me? The system understands what valid requests look like based on information such as HTTP request, usernames, IP addresses, and geolocation.
• What am I about to execute? The system evaluates the application as it executes in real time, which functions are called, what a backtrace looks like, what a normal server response looks like.
• What was I designed to do? The system knows the relevant methods, libraries, and source code used in a particular application.

In Part II of this blog series, I will provide an overview of features and use cases that vendors build on top of this information and how it all works. 

During the webinar session, there were a number of questions. Here is an overview of typical questions that follow an introduction to this topic.

Questions About RASP

What Is the Role of RASP Versus Web Application Firewalls (WAF)?

Both RASP and WAF aim at addressing the same problem - protection of one, or more applications. They approach it in completely different ways.

WAF is focused solely on protecting against known types of attacks whereas a more deeply embedded technology like RASP allows protection against categories attacks including a good portion of zero-day vulnerabilities.

WAF is unaware of an application, its execution, or its lifecycle. It is often run by operations teams that are not connected with the engineering team building the application.

A WAF solution tries to control access to the application and provide protection by monitoring incoming traffic, typically HTTP requests. It typically does that by utilizing a large number of very specific rules called signatures that need to be frequently updated and maintained in order to adjust to the changes in the application.

RASP monitors not just the incoming traffic, but also the reaction of the application to the external input. This allows for simpler configuration, more generic protection patterns, better precision and less maintenance overhead.

Another side-effect of RASP is that it requires security operations teams to collaborate with developers and DevOps groups because technology needs to be deployed inside the application and, depending on the vendor, managed as own code, or a third party component.

What About Zero Day Attacks?

An agent-based solution like IMMUNIO monitors application execution patterns and not just traffic. In injection attacks, for example, the attacker tries to change data and control flow of the application through external input. IMMUNIO monitors changes in the execution of the application and blocks dangerous events even if they are permitted by often vulnerable underlying technology. In such implementations, any client that induces a potentially dangerous execution pattern is detected, recorded and, if protection is enabled, stopped before any damage is done.

What Languages Are Supported by RASP?

Most vendors support Java and .NET. However, some vendors like IMMUNIO have a broader scope of support including for Ruby, Python, Node.js and soon Scala and PHP as well. All vendors are trying to cover as much space as possible because the majority of business deal with diverse ecosystem of applications in their portfolio.

Keep an eye out for Part II, coming soon!