


September 24, 2020 Timothy Chiu, VP of Marketing
NIST SP 800-53 Revision 5 Released – Next Generation Security and Privacy Controls


We wrote earlier this year about the NIST (National Institute of Standards and Technology) draft of Revision 5 of SP 800-53 and its inclusion of both RASP and IAST as requirements in the application security controls. The draft of SP 800-53 Revision 5 closed its comment period back in May, and the final version was released as SP 800-53 Revision 5 on September 23, 2020.

As indicated by the abstract, “this publication provides security and privacy control baselines for the Federal Government.” In addition, it’s estimated that anywhere from 30 to 50 percent of enterprises also use this framework for their security architecture. NIST calls this an historic update to its security and privacy controls catalog.

In the final version of SP 800-53 Revision 5, there are 2 new inclusions for RASP and IAST that have found a home in the NIST standard:

  • SI-7(17), which addresses a need for Runtime Application Self-Protection (RASP)
  • SA-11(9), including a requirement for Interactive Application Security Testing (IAST)

These 2 updates give a new boost to the importance of application security: the control catalog now explicitly references the need for interactive application security testing (IAST) and runtime application self-protection (RASP) tools.

With these updates, application security gets new focus as part of the mainstream NIST framework, which should help developers catch security flaws before an application is launched.

If you’re wondering how this new framework might affect you or your organization, here’s a recommendation from a recent article in the National Law Review:

Putting it Into Practice: Federal contractors should pay close attention to these guidelines as these new security and privacy baselines will be applied to any federal information system used or operated by a contractor on behalf of an agency, or another organization on behalf of an agency. Companies in the private sector should pay attention as well, as NIST guidance is often used as a basis for industry standards in security and privacy.

If you’re not familiar with RASP, K2 recently published a blog titled “What is RASP? and Why Should You Care?,” where you can find detailed information on how RASP can enhance your application security framework. We haven’t tackled the topic of IAST in this particular blog article, but look for one coming soon as part of K2’s educational blog series.

RASP solutions like the one from K2 Cyber Security offer significant application protection while using minimal resources and adding negligible latency to an application. K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution. Because it validates the application’s control flows, deterministic security is based on the application itself rather than relying on knowledge of past attacks to detect a zero-day attack. Deterministic security results in the detection of sophisticated zero-day attacks and also protects the application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.

K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number being attacked, while at the same time integrating with leading firewalls to do real-time attacker blocking.

Change how you develop and protect your applications.

Find out more about K2 today by requesting a demo, or get your free trial.


