By: Evan Morris
October 8, 2021
How Runtime Application Self-Protection (RASP) Protects Applications From Within
One cybersecurity problem that has been tolerated largely as a norm is the tendency of developers to write vulnerable code. It has been nearly two decades since the OWASP Top 10, the standard awareness document for developers and web application security, was first released. Still, the problem of insecure, vulnerability-ridden code persists.
No sensible developer intentionally writes defective code, but the reality on the ground is that vulnerable code is still rampant. As a result, cyber-attacks that target code weaknesses continue to harm organizations. Cybercriminals persistently find ways to penetrate application defenses or exploit vulnerabilities that developers have left unchecked and unaddressed. There are cyber defenses specifically created to address threats that target weaknesses in application code. Some security providers go further and protect applications from within, to minimize or eliminate breaches.
Runtime Application Self-Protection
One of the best solutions to protect applications from within is Runtime Application Self-Protection or RASP. This modern security technology is designed to defend web applications from runtime attacks, providing a crucial augmentation to cyber protections aimed at securing perimeters.
As coined by Gartner back in 2012, RASP is a cybersecurity technology embedded in an application's runtime environment to control application execution and, in the process, detect and prevent cyberattacks in real time. It seeks to prevent attackers from compromising enterprise apps and data. Since it is an embedded security solution, it protects a running application wherever that application is deployed on a server.
The protection afforded by RASP spans a wide range of concerns, which can be summarized as follows:
Emerging conventional and zero-day application attacks: these include large requests, HTTP method tampering, HTTP response splitting, path traversal, clickjacking, malicious or manipulated content types, software supply chain attacks, and unvalidated redirects.
Injection attacks: these involve feeding malicious input to a web application. Examples are command injection, CSS and HTML injection, cross-site scripting (XSS), database access violations, OGNL injection, JSON and XML injection, SQL injection, and cross-site request forgery.
Application vulnerabilities: as mentioned, weaknesses in application code remain a common problem. Insecure cookies and data transport; logging of sensitive information; carelessly added exceptions; failure to detect unauthorized network activity; vulnerable dependencies; browser caching issues; cryptographic weaknesses; and low-level authentication can all compromise applications.
How RASP protects applications
Running applications were not unprotected before the advent of runtime application self-protection. Intrusion prevention systems (IPS) and web application firewalls (WAF), for example, have long been used to secure apps at runtime. The problem is that these solutions cannot evaluate the traffic and data as they flow through the running application itself, nor can they be used to automatically terminate sessions whenever an attack is detected.
No two applications are alike. Traffic or data that is harmless to one may have adverse effects on another. Processing various data formats such as serialized objects, JSON, and custom binary formats adds further complexity to reliable protection, since these often arrive over protocols other than HTTP. Both software technology and cyber attacks are advancing rapidly.
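The serialized-object case above is where a perimeter device's view ends: a WAF sees HTTP bytes, while an in-process hook sees the object graph as it is being rebuilt. The following added example (not code from the original article or from any RASP vendor) shows that difference with Python's pickle module. The allowlist, the event list and the Profile class are constructed for the illustration; the hook refuses to resolve any class not on the allowlist before the object is constructed, which is the control a WAF inspecting only HTTP cannot provide.

```python
import datetime
import io
import pickle

# Allowlist of (module, name) globals the application legitimately deserializes.
# Constructed for this example; a real agent would build it from observed app behaviour.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
    ("datetime", "date"),
}

# Findings emitted by the hook. A real agent would forward these to a SIEM.
DESER_EVENTS = []


class GuardedUnpickler(pickle.Unpickler):
    """In-process hook on deserialization: resolves only allowlisted globals.

    find_class is consulted for every class or function a payload asks to load,
    so anything off the allowlist is refused before an object is constructed."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            DESER_EVENTS.append({"rule": "deserialization.global",
                                 "module": module, "name": name})
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def loads_guarded(data):
    """Drop-in replacement for pickle.loads that routes through the hook."""
    return GuardedUnpickler(io.BytesIO(data)).load()


class Profile:
    """An application class that is deliberately NOT on the allowlist."""

    def __init__(self, user):
        self.user = user


def demo():
    """Returns (deserialized benign object, whether the off-list class was blocked)."""
    benign = pickle.dumps({"user": "alice", "since": datetime.date(2021, 10, 8)})
    ok = loads_guarded(benign)          # dict + datetime.date: both allowlisted
    try:
        loads_guarded(pickle.dumps(Profile("alice")))
        blocked = False
    except pickle.UnpicklingError:
        blocked = True                  # refused before Profile.__init__ ever ran
    return ok, blocked


if __name__ == "__main__":
    print(demo())
    print(DESER_EVENTS)
```

The allowlist is deliberately strict: a class the application itself defines is still refused until it is registered, which is the trade-off a runtime control makes in exchange for seeing the payload's real structure rather than its transport encoding.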
RASP offers an advanced solution that resides within the application's runtime environment. It combines application threat intelligence with protection to achieve broad security visibility and the immediate arrest of vulnerabilities and attacks. Even better, all of this is possible without disrupting legitimate app operations.
RASP takes advantage of the contextual information present in a running app or API. It takes cues from the application's code, application server configuration, framework settings, libraries, backend connections, and runtime data and control flows, among many others, to determine the appropriate response to threats or anomalous activity.
Even when an attacker gets past the perimeter security layer, RASP can still protect apps by evaluating data and traffic against the application logic and the other contextual information mentioned above. It is also capable of telling legitimate traffic from anomalous traffic. "It can distinguish between actual attacks and legitimate requests for information, which reduces false positives and allows network defenders to spend more of their time combating real problems and less time chasing digital security dead ends," says cybersecurity journalist John Mello Jr. of TechBeacon.
Security researcher Roshan Piyush, for his part, describes RASP as a solution with many functions: it provides deep code-level security visibility into applications; supports both active and passive incident response; can adapt its configuration to block malicious behavior when alerts arrive; operates autonomously; supports multiple languages and platforms; and integrates with other security tools.
Integration with secure software development lifecycle (SSDLC) tools helps pinpoint code vulnerabilities based on the attack behavior profiled in the production environment. RASP creates attack visibility that is well suited to DevOps. It gives developers a clear view of how an attack unfolds inside an app, enabling quicker and better responses. This DevOps-centric security visibility also helps developers make the changes in the codebase needed to fix or remove vulnerabilities.
Moreover, RASP is not limited by the cloud platform of the app being protected. Software approaches such as SDKs and dynamic hooks can place security controls in an app's code regardless of the cloud platform or deployment environment.
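The two ideas above, a dynamic hook placed inside the app's own code path and a decision made from request context rather than from signatures, fit in a small Python sketch. This is an added example, not code from the original article or from any RASP product; the thread-local context, the EVENTS list, the rule name and the sample users table are all constructed for it. The hook is a cursor subclass installed through sqlite3's factory mechanism, and its rule is the classic lexical check: untrusted input that stayed where the developer put it occupies exactly one SQL token, while input that altered the statement spans several. Parameterized queries pass untouched because the value never reaches the SQL text.

```python
import re
import sqlite3
import threading
from contextlib import contextmanager

# Simplified lexical model of SQL. A production agent reuses the driver's own
# parser; a regex tokenizer is enough to show the structure check.
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"            # single-quoted string literal ('' escapes a quote)
    r'|"(?:[^"]|"")*"'           # double-quoted identifier
    r"|\d+(?:\.\d+)?"            # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_]*"   # keyword or identifier
    r"|--[^\n]*"                 # line comment
    r"|/\*.*?\*/"                # block comment
    r"|<>|<=|>=|!=|\|\|"         # multi-character operators
    r"|\S",                      # any other single character
    re.DOTALL,
)


def tokens_overlapped(sql, value):
    """Largest number of SQL tokens touched by any single occurrence of `value`.

    Benign input lands inside one token (a string or numeric literal); input that
    changed the query's structure spans several. Substring search stands in for
    the taint tracking a real agent would do, so very short values are ignored."""
    if len(value) < 2:
        return 0
    spans = [(m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]
    worst, start = 0, sql.find(value)
    while start >= 0:
        end = start + len(value)
        worst = max(worst, sum(1 for s, e in spans if e > start and s < end))
        start = sql.find(value, start + 1)
    return worst


class RaspBlocked(Exception):
    """Raised when the agent refuses to run a statement."""


_ctx = threading.local()   # per-request context the hook consults (constructed)
EVENTS = []                # findings the agent emits; a real agent ships these to a SIEM


@contextmanager
def rasp_request(tainted_inputs, mode="block"):
    """Attach the request's untrusted inputs to the current thread.

    A real agent's HTTP-layer hook would harvest these from the query string,
    body, headers and cookies; here the caller passes them in."""
    _ctx.tainted, _ctx.mode = list(tainted_inputs), mode
    try:
        yield
    finally:
        _ctx.tainted, _ctx.mode = [], "block"


def inspect_sql(sql):
    """Return the tainted value that altered the statement's structure, or None."""
    for value in getattr(_ctx, "tainted", []):
        if tokens_overlapped(sql, value) > 1:
            return value
    return None


class GuardedCursor(sqlite3.Cursor):
    """The dynamic hook: inspects every statement just before the driver runs it."""

    def execute(self, sql, parameters=()):
        bad = inspect_sql(sql)
        if bad is not None:
            mode = getattr(_ctx, "mode", "block")
            EVENTS.append({"rule": "sqli.structure", "input": bad, "sql": sql, "action": mode})
            if mode == "block":
                raise RaspBlocked(f"tainted input altered SQL structure: {bad!r}")
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    """Connection that hands out the guarded cursor by default."""

    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)


def setup_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    cur.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Application code that builds SQL by string formatting: the bug the agent covers."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.cursor().execute(sql).fetchall()


def find_user_safe(conn, name):
    """Same query, parameterized: the value never appears in the SQL text."""
    return conn.cursor().execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()


def handle_request(conn, name, mode="block", safe=False):
    """Simulated request handler running under the agent's per-request context."""
    with rasp_request([name], mode=mode):
        try:
            return "ok", (find_user_safe if safe else find_user_unsafe)(conn, name)
        except RaspBlocked as exc:
            return "blocked", str(exc)


if __name__ == "__main__":
    db = setup_db()
    print(handle_request(db, "alice"))
    print(handle_request(db, "' OR 1=1 --"))
    print(handle_request(db, "' OR 1=1 --", safe=True))
    print(EVENTS)
```

The mode switch is the operational point: the same hook can run in monitor mode, recording an event while letting the statement proceed, which is how a deployment is tuned before enforcement is turned on, and the event record carries the offending input and the statement so the developer can trace it back to the line that built the query.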
The National Institute of Standards and Technology (NIST) officially acknowledges the importance of RASP in lowering cybersecurity risk. The draft of NIST SP 800-53 Revision 5 has a section that explicitly mentions Runtime Application Self-Protection as a critical solution for mitigating risks arising from software security vulnerabilities. The draft includes control enhancement SI-7(17), which sets out the need for RASP among next-generation security and privacy controls.
"These new standards are certain to have a significant impact across all industries. The NIST Cybersecurity Framework is quickly becoming the default standard in the United States, with all federal government agencies mandated to comply with NIST and many state and local governments following suit," says application security pioneer Jeff Williams.
RASP's reputation as an excellent application security solution was not easily earned, though. It was previously derided for being resource-heavy and for adding latency. Now, this cloud-agnostic solution has improved significantly: security firms have developed offerings that turn RASP into a runtime-deterministic application security platform with a deep understanding of an app's control flows.
DevOps and agile-ready security
Runtime Application Self-Protection is regarded as a DevOps-centric web application security approach. Its cloud-agnostic design also makes it suitable for cloud environments, web services, and agile development. Unlike a WAF, it protects without rework or the need for continuous tuning. Most importantly, it secures applications from within, using application data and logic as well as framework and cloud settings.
However, RASP is certainly not a one-size-fits-all cybersecurity solution. While it is notable for its effectiveness in securing web applications, it is a specialized form of cyber defense and has to be used in conjunction with other security controls. Organizations considering third-party RASP solutions should also be mindful of the features and functions they are getting. Being inherently compatible with DevOps and agile development does not always.