RASP: Going from "Security Bolted On" to "Security from Within"
October 17, 2016

Zaid Al Hamami

DevOps teams today churn out releases at a rapid pace, and securing these applications is more challenging than ever. Code is continuously changing, and developers must identify and fix security bugs as quickly as possible. Developers need effective tools to help reduce the risk of data breaches while the software development and release machinery is getting faster.

Generally this means a combination of static analysis, pen testing and web application firewalls – all technologies that require deep expertise to manage, need heavy customization on a constant basis, and slow down continuous release. These activities are time consuming and require niche expertise that few DevOps teams have.

At the same time, attackers are developing new strategies, and application vulnerabilities arising from legacy code are on the rise. A new report from research firm Securosis reveals that when it comes to security, DevOps teams are searching for better solutions. The report explores how an emerging technology, Runtime Application Self-Protection (RASP), provides a simpler and more effective alternative to legacy web application security tools.

The report, Understanding and Selecting Runtime Application Security and Protection, explores how DevOps teams currently address application security issues, examining the shortcomings of the current approach. Securosis notes that DevOps teams are increasingly charged with managing security and are now actively involved in selecting web application security solutions. They’re searching for automated solutions that mesh with continuous integration and continuous deployment methods, and integrate well with existing developer tools.

Moving from “Security Bolted On” to “Security from Within”

RASP solutions work by examining requests at the application layer to detect attacks and misuse in real time. They fit well into the agile development process because they’re flexible and fast. Furthermore, RASP works inside the application, meaning it can go wherever the application goes. As Securosis highlights, RASP offers a distinct blend of capabilities and usability options, making it stand out from traditional web application security solutions. With RASP, the concept of web application security evolves from "security bolted on" to "security from within."

RASP: Protecting Web Apps Before Vulnerabilities are Exploited

It's no secret that applications are vulnerable to attacks. Applications are often tested before launch, then left unsupported, which leaves the door open to security breaches. Traditional solutions such as WAFs and static testing are insufficient for today's agile development and DevOps automation environments, especially with new classes of vulnerabilities constantly emerging. The function of RASP is, as the report explains, to protect web applications before these vulnerabilities can be exploited.

Most RASP products will offer protection against the common vulnerabilities of SQL injection, Cross Site Scripting, and Remote Command Execution. Some RASP products are also particularly effective in addressing Account Takeover (ATO) attacks. ATO attacks, in which hackers access user account credentials, are the most common cyber attack vector today. In these attacks, hackers obtain session or password information, then sell these credentials for profit or use them to further penetrate corporate networks and commit fraud.

Addressing the Complex Account Takeover Threat

There are a multitude of ways in which Account Takeovers happen, from attackers guessing credentials using credential information leaked off other sites, bruteforcing passwords or session IDs, or even tried-and-true cross-site scripting (XSS). To truly reduce the risk of account takeovers, organizations need a solution that addresses the multitude of ways in which such attacks occur. RASP is positioned to address these risks: every time a user logs in, the RASP knows if their login behavior matches their normal behavior. It knows if one user is generating an abnormal number of sessions, for example. Because it can operate at the user level (instead of at the IP address layer, like most network firewall devices). It can then take protective actions, such as serving captchas or blocking just that one user account.

The move to real-time web application protection provides major advantages to developers and security engineers. The challenge becomes how to integrate innovative new technologies into the security mix, ensuring all the pieces are in place from pre-launch to post-launch. RASP solutions are simple to install and work effectively alongside other security tools including static testing and WAFs.

As attackers become more sophisticated, protection plans must too. No longer can organizations only protect their applications from the perimeter. Solutions that sit inside the application must be implemented to ensure security happens at the same speed as development.

Zaid Al Hamami is Co-Founder and CEO at IMMUNIO.

Share this

Industry News

September 20, 2023

Oracle announced new application development capabilities to enable developers to rapidly build and deploy applications on Oracle Cloud Infrastructure (OCI).

September 20, 2023

Sonar announced zero-configuration, automatic analysis for programming languages C and C++ within SonarCloud.

September 20, 2023

DataStax announced a new JSON API for Astra DB – the database-as-a-service built on the open source Apache Cassandra® – delivering on one of the most highly requested user features, and providing a seamless experience for Javascript developers building AI applications.

September 19, 2023

Oracle announced the availability of Java 21.

September 19, 2023

Mirantis launched Lens AppIQ, available directly in Lens Desktop and as (Software as a Service) SaaS.

September 19, 2023

Buildkite announced the company has entered into a definitive agreement to acquire Packagecloud, a cloud-based software package management platform, in an all stock deal.

September 19, 2023

CrowdStrike has agreed to acquire Bionic, a provider of Application Security Posture Management (ASPM).

September 18, 2023

Perforce Software announces BlazeMeter's Test Data Pro, the latest addition to its continuous testing platform.

September 18, 2023

CloudBees announced a new cloud native DevSecOps platform that places platform engineers and developer experience front and center.

September 18, 2023

Akuity announced a new open source tool, Kargo, to implement change promotions across many application life cycle stages using GitOps principles.

September 14, 2023

CloudBees announced significant performance and scalability breakthroughs for Jenkins® with new updates to its CloudBees Continuous Integration (CI) software.

September 14, 2023

JFrog unveiled new capabilities that set the standard for quality, security, MLOps and integrity of software releases.

September 14, 2023

Enea launched the Enea Qosmos Threat Detection SDK.

September 13, 2023

Check Point® Software Technologies Ltd. announced the completion of its acquisition of Perimeter 81, a pioneering Security Service Edge (SSE) company, with a team of over 200 employees that serves more than 3,000 customers worldwide.