RASP: Going from "Security Bolted On" to "Security from Within"
October 17, 2016

Zaid Al Hamami
IMMUNIO

DevOps teams today churn out releases at a rapid pace, and securing these applications is more challenging than ever. Code is continuously changing, and developers must identify and fix security bugs as quickly as possible. Developers need effective tools to help reduce the risk of data breaches while the software development and release machinery is getting faster.

Generally this means a combination of static analysis, pen testing and web application firewalls – all technologies that require deep expertise to manage, need heavy customization on a constant basis, and slow down continuous release. These activities are time consuming and require niche expertise that few DevOps teams have.

At the same time, attackers are developing new strategies, and application vulnerabilities arising from legacy code are on the rise. A new report from research firm Securosis reveals that when it comes to security, DevOps teams are searching for better solutions. The report explores how an emerging technology, Runtime Application Self-Protection (RASP), provides a simpler and more effective alternative to legacy web application security tools.

The report, Understanding and Selecting Runtime Application Security and Protection, explores how DevOps teams currently address application security issues, examining the shortcomings of the current approach. Securosis notes that DevOps teams are increasingly charged with managing security and are now actively involved in selecting web application security solutions. They’re searching for automated solutions that mesh with continuous integration and continuous deployment methods, and integrate well with existing developer tools.

Moving from “Security Bolted On” to “Security from Within”

RASP solutions work by examining requests at the application layer to detect attacks and misuse in real time. They fit well into the agile development process because they’re flexible and fast. Furthermore, RASP works inside the application, meaning it can go wherever the application goes. As Securosis highlights, RASP offers a distinct blend of capabilities and usability options, making it stand out from traditional web application security solutions. With RASP, the concept of web application security evolves from "security bolted on" to "security from within."

RASP: Protecting Web Apps Before Vulnerabilities are Exploited

It's no secret that applications are vulnerable to attacks. Applications are often tested before launch, then left unsupported, which leaves the door open to security breaches. Traditional solutions such as WAFs and static testing are insufficient for today's agile development and DevOps automation environments, especially with new classes of vulnerabilities constantly emerging. The function of RASP is, as the report explains, to protect web applications before these vulnerabilities can be exploited.

Most RASP products will offer protection against the common vulnerabilities of SQL injection, Cross Site Scripting, and Remote Command Execution. Some RASP products are also particularly effective in addressing Account Takeover (ATO) attacks. ATO attacks, in which hackers access user account credentials, are the most common cyber attack vector today. In these attacks, hackers obtain session or password information, then sell these credentials for profit or use them to further penetrate corporate networks and commit fraud.

Addressing the Complex Account Takeover Threat

There are a multitude of ways in which Account Takeovers happen, from attackers guessing credentials using credential information leaked off other sites, bruteforcing passwords or session IDs, or even tried-and-true cross-site scripting (XSS). To truly reduce the risk of account takeovers, organizations need a solution that addresses the multitude of ways in which such attacks occur. RASP is positioned to address these risks: every time a user logs in, the RASP knows if their login behavior matches their normal behavior. It knows if one user is generating an abnormal number of sessions, for example. Because it can operate at the user level (instead of at the IP address layer, like most network firewall devices). It can then take protective actions, such as serving captchas or blocking just that one user account.

The move to real-time web application protection provides major advantages to developers and security engineers. The challenge becomes how to integrate innovative new technologies into the security mix, ensuring all the pieces are in place from pre-launch to post-launch. RASP solutions are simple to install and work effectively alongside other security tools including static testing and WAFs.

As attackers become more sophisticated, protection plans must too. No longer can organizations only protect their applications from the perimeter. Solutions that sit inside the application must be implemented to ensure security happens at the same speed as development.

Zaid Al Hamami is Co-Founder and CEO at IMMUNIO.

Share this

Industry News

May 16, 2022

Red Hat announced new capabilities and enhancements across its portfolio of open hybrid cloud solutions aimed at accelerating enterprise adoption of edge compute architectures through the Red Hat Edge initiative.

May 16, 2022

D2iQ announced a partnership with GitLab.

May 16, 2022

Kasten by Veeam announced the new Kasten by Veeam K10 V5.0 Kubernetes data management platform.

May 12, 2022

Red Hat introduced Red Hat Enterprise Linux 9, the Linux operating system designed to drive more consistent innovation across the open hybrid cloud, from bare metal servers to cloud providers and the farthest edge of enterprise networks.

May 12, 2022

Couchbase announced version 7.1 of Couchbase Server.

May 12, 2022

Copado added Copado Robotic Testing to Copado Essentials.

May 11, 2022

Red Hat announced new advancements within its Red Hat Cloud Services portfolio, delivering a fully-managed and streamlined user experience as organizations build, deploy, manage and scale cloud-native applications across hybrid environments.

May 11, 2022

JFrog introduced a new Docker Desktop Extension for JFrog Xray that allows organizations to automatically scan Docker Containers for vulnerabilities and violations early in the development process.

May 11, 2022

Progress announced a series of updates in Progress Telerik and Progress Kendo UI.

May 11, 2022

Vultr announces that Vultr Kubernetes Engine (VKE) is generally available.

May 10, 2022

Docker announced new features and partnerships to increase developer productivity. Specifically, the company announced Docker Extensions which allow developers to discover and add complementary development tools to Docker Desktop.

May 10, 2022

Red Hat announced the general availability of Red Hat Ansible Automation Platform on Microsoft Azure, pairing hybrid cloud automation with the convenience and support of a managed offering.

May 10, 2022

The Fedora Project, a community-driven open source collaboration sponsored by Red Hat, announced the general availability of Fedora Linux 36, the latest version of the fully open source Fedora operating system.

May 10, 2022

Progress announced the release of Progress Chef Cloud Security, extending DevSecOps with compliance support for native cloud assets and enabling end-to-end management of all on premise, cloud and native cloud resources.

May 10, 2022

Platform9 announced new platform capabilities in Platform9 5.5 that make it easier for cloud-native development and operations teams to build, scale, and operate apps and Kubernetes clusters in the cloud, on-premises, and at the edge.