As a former engineer, I get excited about toys that blink, light up, and are otherwise technically advanced and “cool.” There are lots of us in the security world. For as long as I can remember, I’ve been into technology, and I’m willing to bet you have been too.
While this bias can help a security person learn and rapidly understand new technology, it can also lead to spending on new technologies that don’t provide enough business value to warrant the purchase. You have to be careful where you spend your limited security budget and make sure the technology you buy actually provides security value for your organization. Invest in technologies that make your security posture and your business better, regardless of the level of hype. Invest in business value.
The Business Value of RASP
The term RASP (Runtime Application Self-Protection) was coined by Gartner Research back in 2012, establishing a market that has only recently become a valuable way to secure web applications in production. Like most emerging technologies, it took about five years and significant changes in the technology landscape to gain traction with buyers. It wasn’t just the innovation of placing security directly into the running application that made RASP successful. The technology rode on the back of the shift to agile development, cloud deployments, and the rise of DevOps before becoming mainstream. Enterprises had to feel the pain and difficulty of securing modern web applications before they went looking for alternatives to the older methods of protection that had failed them.
As with any technology, there is a problem of scale that must be solved. RASP’s problem of scale is the number and type of languages and runtimes it supports: the protection hooks into a specific runtime, so each language or runtime needs its own agent, and if the product cannot cover the applications actually in use across the enterprise, its deployment value drops drastically. That is the biggest drawback of RASP as an isolated technology: it works only on certain languages and runtimes, and most RASP-only vendors don’t understand the breadth of security coverage that practitioners require.
Don’t Fall in Love With a One-Trick Pony
It’s one thing to perfectly support the one internet-facing enterprise app that is written in Java, runs on Apache, and uses a MongoDB backend. Protecting that one application has value, but most organizations have hundreds of applications in a variety of languages and architectures. The value of a security technology changes drastically when it can protect any application you build, regardless of technology stack, physical location, or language. That is high value.
When evaluating RASP technologies, take into account the number of languages and runtimes each supports, which of those you run across your business, and how you can leverage the purchase of this protection technology well beyond a single technology stack. The reality is that enterprises run multiple technology stacks, and they deploy those disparate technologies in a multitude of locations, including on-premises, cloud, PaaS, microservice, and API models.