We wrote earlier this year about the NIST (National Institute of Standards and Technology) draft of SP 800-53 Revision 5 and its inclusion of both RASP and IAST in the security control catalog. The final public draft closed its comment period back in May, and the document was released in its final form as SP 800-53 Revision 5 on September 23, 2020.
As indicated by the abstract, “this publication provides security and privacy control baselines for the Federal Government.” Its reach goes well beyond government: estimates put the share of enterprises that also base their security architecture on this catalog anywhere from 30 to 50 percent. NIST itself calls this a historic update to its security and privacy controls catalog.
In the final version of SP 800-53 Revision 5, two new control enhancements give RASP and IAST a home in the NIST standard:
- SI-7(17), Software, Firmware, and Information Integrity | Runtime Exception Handling, which requires controls for application self-protection at runtime (RASP)
- SA-11(9), Developer Testing and Evaluation | Interactive Application Security Testing, which requires developers to employ IAST tools to identify flaws and document the results
Together, these two enhancements give application security a new boost within the mainstream NIST framework, and they address two different points in the lifecycle: IAST helps developers catch security flaws before an application is launched, while RASP protects the application from attack once it is running in production.
If you’re wondering how this new framework might affect you or your organization, here’s a recommendation from a recent article in the National Law Review:
Putting it Into Practice: Federal contractors should pay close attention to these guidelines as these new security and privacy baselines will be applied to any federal information system used or operated by a contractor on behalf of an agency, or another organization on behalf of an agency. Companies in the private sector should pay attention as well, as NIST guidance is often used as a basis for industry standards in security and privacy.
If you’re not familiar with RASP, K2 published a blog recently titled “What is RASP? and Why Should You Care?,” where you can find detailed information on how RASP can enhance your application security framework. We haven’t tackled the topic of IAST in this particular blog article, but look for one coming soon as part of K2’s educational blog series.
RASP solutions like the one from K2 Cyber Security offer significant application protection while using minimal resources and adding negligible latency to an application. The K2 Security Platform uses runtime deterministic security to monitor the application, building a deep understanding of the application’s control flows and execution. Because it validates the application’s own control flows, detection is grounded in how the application is expected to behave rather than in signatures of past attacks, which is what lets it catch new zero-day attacks. The same deterministic approach also protects the application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.
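To make concrete what a deterministic check at a runtime sink looks like, here is an added example written for this article; it is our own illustration of the general technique and is not K2’s code, nor a description of how the K2 platform is implemented. It assumes a tiny hand-written SQL lexer, a `TaintedStr` helper that stands in for the taint tracking a real RASP agent does inside the runtime, an in-memory SQLite table with constructed sample rows, and a deliberately vulnerable `lookup_user` function that builds its query by string concatenation. The hook on the `execute` sink does not look for attack strings; it lexes the final query and checks that every tainted byte range sits inside exactly one string or number literal. Any input that spills into a keyword, operator, comment or second token has changed the query’s structure and is blocked, whether or not the payload has been seen before.

```python
import re
import sqlite3

# Minimal SQL lexer (illustrative, not a full grammar). Order matters: COMMENT
# must precede OP so that "--" and "/*" are not split into operators.
TOKEN_SPEC = [
    ("WS", r"\s+"),
    ("STRING", r"'(?:[^']|'')*'"),          # single-quoted literal, '' escapes a quote
    ("NUMBER", r"\d+(?:\.\d+)?"),
    ("WORD", r"[A-Za-z_][A-Za-z0-9_]*"),    # keywords and identifiers
    ("COMMENT", r"--[^\n]*|/\*.*?\*/"),
    ("OP", r"<>|<=|>=|!=|[=<>+\-*/(),;]"),
]
LEXER = re.compile("|".join(f"(?P<{name}>{pat})" for name, pat in TOKEN_SPEC), re.DOTALL)

# Token kinds that a single untrusted value may legitimately occupy in full.
LITERAL_KINDS = {"STRING", "NUMBER"}


class TaintedStr(str):
    """A str that remembers which character ranges came from untrusted input
    and propagates them through concatenation. This is a stand-in (assumption)
    for the runtime taint tracking a RASP agent performs on request data."""

    def __new__(cls, value, spans=None):
        obj = super().__new__(cls, value)
        obj.spans = list(spans) if spans is not None else [(0, len(value))]
        return obj

    def __add__(self, other):            # tainted + anything
        other_spans = getattr(other, "spans", [])
        shifted = [(s + len(self), e + len(self)) for s, e in other_spans]
        return TaintedStr(str(self) + str(other), self.spans + shifted)

    def __radd__(self, other):           # plain str + tainted
        shifted = [(s + len(other), e + len(other)) for s, e in self.spans]
        return TaintedStr(str(other) + str(self), list(getattr(other, "spans", [])) + shifted)


def token_spans(sql):
    """Lex sql into (kind, start, end) triples. Characters the lexer cannot
    place (e.g. a lone quote) become UNKNOWN so they still count as structure."""
    spans, pos = [], 0
    while pos < len(sql):
        m = LEXER.match(sql, pos)
        if m is None:
            spans.append(("UNKNOWN", pos, pos + 1))
            pos += 1
            continue
        if m.lastgroup != "WS":
            spans.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return spans


def injection_detected(sql):
    """Deterministic structural check: each tainted range must lie inside
    exactly one literal token. Touching a keyword, operator, comment or a
    second token means the input altered the query's structure."""
    tokens = token_spans(sql)
    for start, end in getattr(sql, "spans", []):
        if start == end:
            continue
        touched = [kind for kind, s, e in tokens if s < end and e > start]
        if len(touched) != 1 or touched[0] not in LITERAL_KINDS:
            return True
    return False


class InjectionBlocked(Exception):
    pass


def guarded_execute(cursor, sql):
    """The RASP sink hook: stands in for cursor.execute and refuses queries
    whose structure was changed by tainted input."""
    if injection_detected(sql):
        raise InjectionBlocked(f"tainted input altered SQL structure: {sql!r}")
    return cursor.execute(str(sql))


def make_demo_db():
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user(conn, name):
    """Deliberately vulnerable application code: builds SQL by concatenation.
    Only the sink hook stands between it and an injected query."""
    sql = "SELECT name FROM users WHERE name = '" + TaintedStr(name) + "'"
    return guarded_execute(conn.cursor(), sql).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_user(db, "alice"))          # [('alice',)]
    try:
        lookup_user(db, "' OR 1=1 --")
    except InjectionBlocked as exc:
        print("blocked:", exc)
```

Note what the check does not need: there is no list of payloads, no regular expression for `OR 1=1`, and no decoding step. A value such as `O''Brien` that the application escaped correctly still lexes as one string literal and passes, while `' OR 1=1 --`, `1 OR 1=1` in a numeric position, or a comment opener all fail because the tainted range touches more than one token. The price of this approach in a real runtime is the taint tracking itself, which a product does inside the language runtime rather than with a wrapper class as here.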
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without relying on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number under attack, while integrating with leading firewalls to block attackers in real time.
Change how you develop and protect your applications.