What Is RASP?
How can you protect today's dynamic applications? This article takes a look at Runtime Application Self-Protection.
Developers are embracing dynamic languages like Python, Node.js, and Java to build complex web applications, but the increasing pace of development adds to the difficulty of securing these apps. Runtime Application Self-Protection, or RASP, is an emerging technology that adds vulnerability protection right into the app, preventing exploitation of vulnerabilities in real time. So how does it work?
With RASP, security controls are incorporated into the application runtime engine, such as the Java virtual machine. This approach gives RASP solutions complete visibility into the application’s logic, data flows, and configuration.
Ultimately, RASP solutions safeguard applications by blocking a range of sensitive operations inside the application. Unlike other application security approaches, RASP makes this possible without complex code changes. RASP protects against threats such as cross-site scripting and SQL injection, and it can detect and deflect Account Takeover (ATO) attacks, the largest category of threats to web applications today.
How RASP Compares to WAFs
With the continuous and growing threat to web applications and web services, Web Application Firewalls (WAFs) alone aren’t sufficient to protect these critical business assets. WAFs, in general, rely on a large number of specific rules that must be matched to specific threats. These rules must also be configured to allow the application to function correctly. This creates significant complexity and maintenance overhead just to have the WAF protect against a basic set of attacks. Companies need faster, more comprehensive solutions to address vulnerabilities across the entire software development lifecycle, even in production environments.
RASP allows organizations to mitigate and prevent the exploitation of a range of sophisticated threats against web applications, including code-level vulnerabilities such as cross-site scripting, SQL injection, directory and file traversal, command injection threats, and more.
Moving Beyond Attack Signatures
WAFs rely heavily on attack signatures to identify and block bad input. What this means in practice is that an attacker can bypass WAF protection simply by adding extra encoding to a request so that it no longer matches any of the signatures the WAF is configured to block. The payload arrives at the application, the additional encoding is stripped away, and the damage is done.
With RASP, the protection is inside the application, so the protective measures are cognizant of the execution context inside the application. Furthermore, as demonstrated by IMMUNIO, RASP technology can be utilized to shield against a wide range of threats, including zero-days, without having to build and maintain a database of threat signatures. It doesn’t matter how many attack variants are thrown at the app – they won’t get through.
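To illustrate the two preceding sections (how RASP hooks a sensitive operation inside the runtime, and why extra encoding defeats a signature but not a context-aware check), here is an added example in Python; it is not IMMUNIO's or any product's code. The WAF regex, the application's double-decoding, the `users` table and the sample payload are all constructed for the example: the WAF rule sees only the raw request, while the RASP-style hook compares the structure of the SQL statement about to execute with what it would be if the request data were plain data.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample values: an injection payload, and the same payload double URL-encoded (no quotes on the wire).
PAYLOAD = "' OR '1'='1"
ENCODED_PAYLOAD = urllib.parse.quote(urllib.parse.quote(PAYLOAD, safe=""), safe="")

def waf_blocks(raw_param: str) -> bool:
    """WAF-style control (hypothetical rule): one attack signature matched against the raw request."""
    return re.search(r"'\s*or\s*'", raw_param, re.IGNORECASE) is not None

# RASP-style controls: instrument the source (request decoding) and the sink (SQL execution).
TAINTED = set()  # values that came from the request, recorded by the instrumented source
def app_decode(raw_param: str) -> str:
    """The application's own input handling (it happens to decode twice); the hook records the result."""
    value = urllib.parse.unquote(urllib.parse.unquote(raw_param))
    TAINTED.add(value)
    return value
def build_query(name: str) -> str:
    return f"SELECT id FROM users WHERE name = '{name}'"  # vulnerable: request data concatenated into SQL

SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")  # quoted literal | word | punctuation
def sql_shape(query: str) -> list:
    """Collapse quoted literals to STR and upper-case the rest, keeping only the statement structure."""
    return ["STR" if t.startswith("'") else t.upper() for t in SQL_TOKEN.findall(query)]

def input_alters_structure(query: str, tainted: str) -> bool:
    """True when swapping the tainted value for a neutral one changes the token structure: data became code."""
    return bool(tainted) and tainted in query and sql_shape(query) != sql_shape(query.replace(tainted, "x", 1))

class GuardedCursor(sqlite3.Cursor):
    """Sink hook: execute() refuses any statement whose structure was shaped by request data."""
    def execute(self, sql, parameters=()):
        if any(input_alters_structure(sql, t) for t in TAINTED):
            raise PermissionError("RASP blocked SQL injection: " + sql)
        return super().execute(sql, parameters)

DB = sqlite3.connect(":memory:")
DB.executescript("CREATE TABLE users (id INTEGER, name TEXT); INSERT INTO users VALUES (1, 'alice');")
def lookup(raw_param: str) -> str:
    """One request end to end: WAF signature, application code, guarded database sink."""
    TAINTED.clear()
    if waf_blocks(raw_param):
        return "blocked-by-waf"
    sql = build_query(app_decode(raw_param))
    try:
        return "allowed:%d rows" % len(DB.cursor(factory=GuardedCursor).execute(sql).fetchall())
    except PermissionError:
        return "blocked-by-rasp"
```

The plain payload is caught by the signature, the double-encoded one slips past it and is caught only at the sink, and a correctly escaped apostrophe such as `O''Brien` passes because it leaves the statement structure unchanged.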
Ideally, companies will employ a mix of different approaches to safeguard web applications. There’s no one ideal solution to finding all vulnerabilities. But increasingly today, organizations are turning to RASP to address threats that make it past network perimeters.
Published at DZone with permission of Goran Begic, DZone MVB. See the original article here.