What Is RASP?

How can you protect today's dynamic applications? This article takes a look at Runtime Application Self-Protection.

By Goran Begic · Oct. 20, 16 · Opinion

Developers are embracing dynamic languages like Python, Node.js, and Java to build complex web applications, but the increasing pace of development adds to the difficulty of securing these apps. Runtime Application Self-Protection, or RASP, is an emerging technology that adds vulnerability protection right into the app, preventing exploitation of vulnerabilities in real time. So how does it work?

With RASP, security controls are incorporated into the application runtime engine, such as the Java virtual machine. This approach gives RASP solutions complete visibility into the application’s logic, data flows, and configuration.

Ultimately, RASP solutions safeguard applications by blocking a range of sensitive operations inside the application. Unlike other application security approaches, RASP makes this possible without complex code changes. RASP protects against threats such as cross-site scripting and SQL injection, and it can detect and deflect Account Takeover (ATO) attacks, the largest category of threats to web applications today.

How RASP Compares to WAFs

With the continuous and growing threat to web applications and web services, Web Application Firewalls (WAFs) alone aren’t sufficient to protect these critical business assets. WAFs, in general, rely on a large number of specific rules that must be matched to specific threats. These rules must also be tuned so that the application continues to function correctly. The result is significant complexity and maintenance overhead just to protect against a basic set of attacks. Companies need faster, more comprehensive solutions to address vulnerabilities across the entire software development lifecycle, even in production environments.

RASP allows organizations to mitigate and prevent the exploitation of a range of sophisticated threats against web applications, including code-level vulnerabilities such as cross-site scripting, SQL injection, directory and file traversal, command injection threats, and more.

Moving Beyond Attack Signatures

WAFs rely heavily on attack signatures to identify and block bad input. What this means in practice is that an attacker can bypass WAF protection simply by adding extra encoding to a request so that it no longer matches any of the signatures the WAF is configured to block. The payload arrives at the application, the additional encoding is stripped away, and the damage is done.

With RASP, the protection is inside the application, so the protective measures are aware of the execution context in which input is actually used. Furthermore, as demonstrated by IMMUNIO, RASP technology can be used to shield against a wide range of threats, including zero days, without having to build and maintain a database of threat signatures. It doesn’t matter how many attack variants are thrown at the app: they won’t get through.
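To make the contrast concrete, here is an added Python sketch (not code from the article, from IMMUNIO, or from any RASP product) that places a signature check at the perimeter and a hypothetical RASP hook at the SQL sink. The WAF rule set, the `RaspCursor` wrapper and the legacy `lookup_user` handler are all constructed for this example; the handler is assumed to URL-decode its parameter a second time, which is the "extra encoding is stripped away" situation the text describes.

```python
import re
import sqlite3
import urllib.parse
# Constructed stand-in for a WAF rule set: signatures matched against the raw request.
WAF_SIGNATURES = [re.compile(r"(?i)\bor\s+1\s*=\s*1"), re.compile(r"(?i)union\s+select")]

def waf_allows(raw_value: str) -> bool:
    """Perimeter check: one URL-decode pass, then signature matching on what it sees."""
    return not any(sig.search(urllib.parse.unquote(raw_value)) for sig in WAF_SIGNATURES)

def sql_shape(sql: str) -> list:
    """Reduce a statement to its token structure; every literal becomes 'LIT'."""
    tokens = re.findall(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]", sql)
    return ["LIT" if t[0] == "'" or t.isdigit() else t.upper() for t in tokens]

class RaspCursor:
    """Hypothetical RASP hook at the SQL sink: wraps execute() and refuses any
    statement whose structure differs from the template the developer wrote."""
    def __init__(self, conn: sqlite3.Connection, template: str):
        self._cur = conn.cursor()
        self._expected = sql_shape(template % "placeholder")

    def execute(self, sql: str):
        if sql_shape(sql) != self._expected:
            raise PermissionError("RASP: input changed the query structure")
        return self._cur.execute(sql)

USER_QUERY = "SELECT name FROM users WHERE name = '%s'"

def lookup_user(conn: sqlite3.Connection, raw_value: str) -> list:
    """Legacy handler under RASP: decodes twice and formats SQL by hand (the defect)."""
    username = urllib.parse.unquote(urllib.parse.unquote(raw_value))
    return RaspCursor(conn, USER_QUERY).execute(USER_QUERY % username).fetchall()

def handle(conn: sqlite3.Connection, raw_value: str) -> str:
    if not waf_allows(raw_value):          # perimeter: signature match on one decode pass
        return "blocked-by-waf"
    try:
        return "rows=%d" % len(lookup_user(conn, raw_value))
    except PermissionError:                # in-app: structural check at the sink
        return "blocked-by-rasp"

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    enc = lambda s: urllib.parse.quote(s, safe="")  # one URL-encoding layer
    return {"benign": handle(conn, enc(enc("alice"))),
            "single": handle(conn, enc("' OR 1=1--")),        # signature fires
            "double": handle(conn, enc(enc("' OR 1=1--")))}   # slips past the WAF
```

Run `demo()`: the single-encoded request is caught by the signature, the double-encoded one passes the WAF untouched but is refused at `execute()` because the statement no longer has the template's token structure, and the benign lookup still returns its row.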

Ideally, companies will employ a mix of different approaches to safeguard web applications. There’s no one ideal solution to finding all vulnerabilities. But increasingly today, organizations are turning to RASP to address threats that make it past network perimeters.

Published at DZone with permission of Goran Begic, DZone MVB. See the original article here.
