"Emerging from research labs into the dynamic and highly competitive Fintech Sector in 2012-13, Runtime Application Self-Protection (RASP), a term used by Gartner to describe security technology that is embedded within an application, is now being taken seriously by forward-looking Investment Banks with a culture of technical innovation," writes Hussein Badakhchani.
A number of FinTech start-ups managed to partner with Global Investment Banks through the innovation programmes that these institutions sponsor and now in 2016 and the first fruits of these endeavours have reached maturity with RASP technologies running on production infrastructure, in some cases for well over a year, securing a broad range of retail and back office applications.
This is significant as the proponents of RASP were making some big claims for the technology that many in the Cyber Security industry were highly skeptical of. RASP promised to solve some of the most significant deficiencies found in traditional Web Application Firewalls, namely the complexity of managing large numbers of highly specific rules and, perhaps more importantly, the large numbers of false positives generated by this approach. Over the last year, however, confidence in the claims being made by RASP vendors has strengthened significantly as RASP has proven its worth to the early adopters of the technology and this development has not been missed by their more cautious peers in the industry.
The key capabilities of RASP and the business benefits they translate into are Precision Application Protection, Virtual Patching, and Zero Day Vulnerability Mitigation.
Precision Application Protection
Precision Application Protection refers to RASP’s ability to almost entirely eliminate false positives. RASP technologies can do this by virtue of running within the application tier and thus having access to application data and being able to differentiate between the two. This ability to unambiguously identify user and application data is central to for detecting tainted code; code that has malicious logic injected within it, without generating false positives. The technology is sophisticated and based on sound reasoning, so far it seems to have delivered on expectations.
Beyond the elimination of false positives, the most common attack vectors, for example, SQL Injection, Cross Site Scripting, and Command Line Injection, can all be mitigated using simple generalized rules. Some RASP technologies can mitigate all SQL Injection attempts with a single one-line rule that tells the RASP engine to enable protection for that class of vulnerability. When compared to the reactive nature of WAF and the overhead of managing large numbers of rules the business benefits are clear; pre-emptive security that is considerably simpler to affect and maintain.
One aspect of Virtual Patching is the ability to host legacy code within a virtual container that effectively secures the application to the extent as though it was running in an updated and compliant version of the runtime. It has to be stressed that to qualify for RASP Virtual Patching there must be no code changes, reconfiguration or compilation of the application. The business should be able to run the legacy application within the RASP container without minimal effort, to benefit from the upgraded security.
For a large business with mission-critical legacy applications that cannot be upgraded due to technical constraints or lack of expertise, Virtual Patching offers the most cost efficient form of maintaining compliance with regulators' demands and their own security policies. Virtual Patching can also refer to the ability to replicate the effect of binary patches with RASP. This is significant for the business as applying binary patches to hundreds or thousands of application components can be a complicated process, requiring not only engineering resources, but also scheduled downtime to affect the patch and allowing application teams to complete their testing. Depending on the implementation of RASP, Virtual Patching can be a non-intrusive, centrally managed, operation that can dynamically patch applications without disruption to normal operation or scheduled downtime thus resulting in considerable cost saving and reduced risk when compared to binary patching.
Zero Day Vulnerability Mitigation
The general nature of the rules that can be configured for RASP technologies means that they can disable the most common execution vectors exploited by Zero Day Attacks. For example, RASP technologies can be configured to deny the creation of client and server sockets or file descriptors, either entirely if the application has no need of them or allowing descriptor creation for the exact port numbers and file locations used by the application. This fine-grained control can stretch to every aspect of the application runtime.
While it is possible to configure this kind of resource access control at the Operating System (OS) or Hypervisor level it remains cumbersome and error prone for many large enterprises to manage application security at the OS level. RASP offers a far more agile alternative over attempting application security at the OS level.
Now that the benefits of RASP have been realized, security professionals need to better understand how and where it is best utilized and the impact it will have on the resources being allocated to more traditional forms of IT Security. Business in highly regulated sectors that are under pressure to reduce costs will look to RASP to eliminate the inefficiencies of traditional security infrastructure while simultaneously improving their overall level of protection.