Protecting Applications From Within: Why Conventional App Security Practices Are Not Enough
By: Evan Morris
March 14, 2022
Developers do many things to make the code they ship as close to bug-free and secure as possible. Flawless, vulnerability-free code is nevertheless not achievable. In his book Code Complete, software engineering expert Steve McConnell puts the industry average at about 15–50 errors per 1,000 lines of delivered code.
According to the NIST National Vulnerability Database, about 18,400 vulnerabilities had been published for 2021 as of December 19, 2021. That is slightly more than the 2020 figure and marks the fifth consecutive year of record-breaking vulnerability counts.
No matter how meticulous the coding and review process, zero errors and zero security vulnerabilities are virtually unattainable. Bolstering app security is therefore not a matter of heeding optional recommendations; it is essential, especially amid a brewing global cyberwar.
How Organizations Secure Their Apps
Conventionally, organizations protect their apps through several methods: encrypting data, scrutinizing third-party libraries, and using strong authentication. They may also use tamper-detection technologies and expose only current, authorized versions of their APIs.
Some go as far as applying the principle of least privilege to limit the opportunities for threat actors to find and exploit weaknesses in apps. Some deploy session handling that uses server-issued tokens instead of device identifiers.
These do not cover every threat and risk, though. Attackers never run out of techniques to try against an app with weaknesses: clickjacking, HTTP response splitting and verb tampering, path traversal, malformed content types fed to web apps, unvalidated redirects, and software supply chain attacks, as well as command injection, JSON and XML injection, SQL injection, cross-site scripting, CSS and HTML injection, and cross-site request forgery.
With these attacks and vulnerabilities in mind, it is necessary to adopt more sophisticated security solutions such as runtime application self-protection (RASP). Many organizations now realize the importance of new security measures like RASP attack detection.
Securing Apps Inside Out With RASP
Runtime application self-protection is a security technology that detects and stops attacks through runtime instrumentation. It uses the information available inside a running application, and because it sits in the application runtime rather than in front of it, it can stop attacks, including zero-day exploits, that no signature yet describes.
RASP (a term Gartner coined around a decade ago) is a server-side technology that builds security into the running application itself. It analyzes the application's behavior in context: a baseline of normal behavior determines whether a given action is abnormal or harmful. RASP enables continuous self-monitoring within the app to protect it from threats such as data theft and malicious input.
RASP intercepts the calls the application makes to sensitive sinks, for example the database driver, the file system, the command shell, and deserialization APIs. Each call must be verified as safe before it is allowed to proceed. The technology validates data requests within the app while guarding the runtime environment against tampering and unauthorized changes. When a check fails, the call is blocked or the request is terminated, which lets the app stop exploitation of its own vulnerabilities without disrupting normal functioning.
Additionally, RASP generates application-level threat intelligence. It forwards information to the security team such as who is attacking, which application is targeted, and which techniques are being used. Because this information is gathered inside the app, threats can be traced down to the code level, giving security teams far greater visibility.
Why Protecting Apps From Within Is Better
As mentioned previously, RASP can fend off zero-day attacks because its detection does not rely primarily on attack signatures. Unlike a signature-based perimeter control, it does not depend on a constantly updated threat feed; it identifies and blocks potentially harmful actions based on what the application is actually doing.
Securing apps from within through solutions like RASP is not a replacement for perimeter defenses. It adds another layer of protection, and it is not advisable to remove network-based controls just because RASP is in place: RASP protects only the applications it is deployed into and only the calls its agent instruments, so everything else still needs the perimeter.
Protecting apps from within through RASP harnesses the contextual information available inside a running application. The solution uses information about the app's code, framework configuration, libraries, runtime data flow, app server configuration, runtime control flow, and more to detect threats without waiting for updated threat intelligence.
The conventional methods described above either rely on threat intelligence external to the app to identify attacks or impose restrictions that get in the way of normal functioning. Conventional tamper and threat detection technologies do not work effectively without the latest threat information, and they usually lack any internal mechanism to raise suspicion over behavior that does not match how the app normally runs.
Moreover, a security solution embedded in the app can help with insider threats. Because RASP sees each request with its full application context, including which authenticated user is performing which data access, it can flag misuse of legitimate credentials, whether malicious or merely careless, that a perimeter control would treat as ordinary traffic.
Whether RASP detects and blocks threats more accurately than sophisticated perimeter defenses is a question that needs more conclusive studies and tests. What is certain is that RASP materially improves app security, and the two are complementary: some vendors position a web application firewall (WAF) supplemented with RASP as the stronger combination, with the WAF handling known exploit payloads and RASP dealing with the unknown.
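Two points made on this page, that RASP verifies each sensitive call before letting it through (the "Securing Apps Inside Out" section above) and that a WAF catches known payloads while RASP handles the unknown (the paragraph just above), can be shown with a toy guard around Python's sqlite3 driver. This is an added example written for this article, not any vendor's agent and not code from the original page. The request-context mechanism (`begin_request`), the token-structure check, and the single WAF signature are deliberate simplifications chosen for illustration, and the table rows and attack payloads are constructed.

```python
"""Toy RASP-style guard around sqlite3: verify each query before it runs (illustration only)."""
import re
import sqlite3
import threading

# Per-thread request context. A real agent fills this by instrumenting the web
# framework's request object; here the application calls begin_request() itself.
_ctx = threading.local()


class RaspBlocked(Exception):
    """Raised when an instrumented call is judged to be an attack."""


def begin_request(untrusted_values):
    """Record the untrusted strings (query parameters, headers, form fields) of a request."""
    _ctx.inputs = [v for v in untrusted_values if isinstance(v, str) and len(v) >= 3]


# Minimal SQL lexer: string literals, comments, numbers, identifiers/keywords, punctuation.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"|--[^\n]*|/\*.*?\*/|\d+(?:\.\d+)?|\w+|[^\s\w]",
    re.S,
)


def input_changes_structure(sql, value):
    """True if `value` occurs in `sql` and is not confined to a single token.

    Data that reached the query safely sits inside exactly one token (a quoted
    string or a number). A payload such as 1 OR 1=1 spans several tokens: the
    untrusted input has altered the query's structure, whatever it looks like.
    """
    start = sql.find(value)
    if start < 0:
        return False
    end = start + len(value)
    overlapping = [m for m in _TOKEN.finditer(sql) if m.start() < end and m.end() > start]
    return len(overlapping) != 1


def check_sql(sql):
    """The RASP check: verify the call against the current request's untrusted inputs."""
    for value in getattr(_ctx, "inputs", ()):
        if input_changes_structure(sql, value):
            raise RaspBlocked(f"SQL injection blocked: {value!r} alters query structure")


class GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, parameters=()):
        check_sql(sql)  # verified before the call is allowed through to the driver
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)

    def execute(self, sql, parameters=()):
        return self.cursor().execute(sql, parameters)


# For contrast, one WAF-style signature for the classic tautology payloads (1=1, '1'='1').
_WAF_SIGNATURE = re.compile(r"(?i)\bor\b\s+'?\d+'?\s*=\s*'?\d+")


def waf_matches(value):
    return bool(_WAF_SIGNATURE.search(value))


def run_demo():
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")  # constructed sample rows
    out = {}

    def vulnerable_lookup(name):
        # Deliberately unsafe string building: the kind of bug RASP catches at runtime.
        return conn.execute("SELECT id FROM users WHERE name = '%s'" % name).fetchall()

    def attempt(name):
        begin_request([name])
        try:
            vulnerable_lookup(name)
            return "allowed"
        except RaspBlocked:
            return "blocked"

    begin_request(["alice"])  # benign value stays inside one string literal
    out["benign"] = vulnerable_lookup("alice")

    known = "' OR '1'='1"  # textbook payload: both the WAF signature and RASP catch it
    out["known_waf"], out["known_rasp"] = waf_matches(known), attempt(known)

    unknown = "' OR 'a'='a"  # same effect, no digits: slips past the signature, not past RASP
    out["unknown_waf"], out["unknown_rasp"] = waf_matches(unknown), attempt(unknown)

    # Correct code: the payload travels as a bound parameter and never touches the SQL text,
    # so the guard stays silent and the database simply finds no such user.
    out["parameterized"] = conn.execute(
        "SELECT id FROM users WHERE name = ?", (unknown,)
    ).fetchall()
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two limitations worth noting. Real agents track taint as it propagates through the framework; this toy uses substring matching, so a short input that happens to coincide with a keyword elsewhere in the query could cause a false positive (hence the three-character minimum). And the guard only fires on the sink it wraps: a query sent through some other driver would go unchecked, which is the practical reason the page keeps perimeter controls in place alongside RASP.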
Supplementing Best Practices
While some cybersecurity institutions and authorities already count RASP and other advanced technologies among app security best practices, others still regard RASP providers as optional third-party add-ons (read: nonessential). Either way, securing applications from within is a sound idea.
RASP protects against critical threats such as the OWASP Top 10 (2017) categories, including:
- Injection (SQL, command, and similar)
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE) from hostile XML content
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
For the last two, the help is indirect: RASP can block exploitation of a vulnerable library before a patch is available, and the attack telemetry it generates fills in logging and monitoring gaps. The case for security integrated within the app is strong.
Gartner, Runtime Application Self-protection (RASP). Retrieved March 12, 2022: https://www.gartner.com/en/information-technology/glossary/runtime-application-self-protection-rasp
Google, App Security Best Practices. Retrieved March 12, 2022: https://developer.android.com/topic/security/best-practices
NIST, National Vulnerability Database: CVSS Severity Distribution Over Time. Retrieved March 12, 2022: https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time
OWASP, OWASP Top Ten. Retrieved March 12, 2022: https://owasp.org/www-project-top-ten/