Runtime Application Self-Protection or RASP was first introduced in 2012 as a security category by Gartner, but didn’t gain attention until 2014, during the Gartner Security and Risk Management Summit. The product category RASP describes products that run directly on the server and protects the applications that are running on the same server. RASP is typically a subcategory of the broader category known as Application Security.
If you’re not familiar with RASP, it’s not a new concept. A RASP solution sits on same server as the application, and provides continuous security for the application during runtime to protect vulnerabilities in the application from being exploited by attacks. By residing on the server, a RASP solution has complete visibility into the application, can analyze the application’s execution for better validation, and can understand the context of the application’s interactions. RASP solutions benefit by being close to the application in a way that network perimeter security solutions can not.
You may be wondering why RASP solutions have not gained more popularity, if they have been available since 2014 or earlier. As with any new technology RASP has had some early teething problems. The earliest RASP solutions were high impact, using a considerable amount of CPU and memory, and added substantial latency to an application, making it difficult to deploy and use them for a mission critical application. In addition early RASP solutions used security technologies that were prone to false positives, which with any security technology cause significant headaches for the security analyst. RASP solutions have improved over time, and some of the latest RASP solutions, implement security technologies that are more efficient and are more effective at zero day attack detection.
There are a number of features in addition to zero day attack detection and protection that RASP solutions have evolved to solve. The list of features required for application security for a typical RASP include:
- Protection for the OWASP Top 10 Web Application Security Risks
- Memory-based Attack Protection
- Zero Day Attack Protection
- Realtime Attack Blocking
If you’re not concerned about the OWASP Top 10, memory-based attacks, or true zero day protection, you should be.
The OWASP Top 10 remains a primary concern of application security even though the list has been around since 2003, and many of the items on the list have been on the list through all the revisions of the list through the current list published in 2019. Two types of vulnerabilities that have been on the OWASP Top 10 since its inception and still remain considerable concerns for organizations include Cross Site Scripting and SQL Injection.
Memory based attacks on the other hand is growing to become a significant concern, and the number of memory based attacks has been increasing over time to exceed malware based attacks. Zero day attacks have also been increasing over time, and remain one of the more difficult attacks to detect, resulting in the many breaches we continue to see in the news.
RASP solutions are ideally located to protect against these risks and attacks. By residing on the server, RASPs also serve as the last line of defense for these attacks.
RASP has also finally gotten much needed recognition as a required security layer in the latest NIST SP800-53 draft. The latest version, draft 5, closed for comments on May 29, and included a requirement for RASP. Section SI-7(17) (p.339) outlines Runtime Application Self-Protection (RASP) as a control to mitigate risk due to software security vulnerabilities.
Another reason RASP hasn’t been able to make as much headway as one would expect, is the mistaken belief that a Web Application Firewall (WAF) is providing the necessary security for applications. While WAFs have been around in their current form since around 2002, WAFs function as a network perimeter security solution and they have failed to meet the security needs around many of the issues that applications face in today’s threat landscape. With RASP’s code level visibility into the application and ability to analyze all the activity related to the application to accurately identify when attack occurs, RASPs can detect attacks where WAFs fail. Unlike WAFs which only see the traffic coming to and from the server, a RASP can see what’s happening inside the application, to determine if there’s inappropriate use of the application itself. RASP is really the first security category to offer self protection for the application.
RASP solutions like the one from K2 Cyber Security offer significant application protection while at the same time using minimal resources and adding negligible latency to an application. K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero day attack. Deterministic security results in the detection of sophisticated zero day attacks and also protects from application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry including the code module and line number being in the code being attacked, while at the same time integrating with leading firewalls to do real time attacker blocking.
Change how you develop and protect your applications.