Application Security

RASP in the AppSec Scenario

Building a secure application involves many aspects, and one of them is the period when the application is serving its purpose and is available to users: we need to maintain the security of an application that is already in production. At this point a very interesting concept comes into play: have you ever heard of RASP (Runtime Application Self-Protection)? If you haven’t, or if you’d like to learn more about it, keep reading this article.

Let’s start from the beginning.

What is RASP?

Gartner defines RASP as “a security technology that is built on or linked into an application runtime environment, and is capable of controlling application execution, and detecting and preventing real-time attacks.”

Now that we understand what RASP is, let’s approach how it works.

How does RASP technology work?

This technology works through an agent integrated into the application. The agent observes and maintains control over the application’s behavior, which allows it to take immediate action without waiting for that behavior to “fit” a signature, as normally happens with reactive tools.

The fact that this technology acts within the application leads to a natural question: could we give up the other testing tools and leave only RASP protecting the application? No, the truth is that we cannot.

RASP can be one of the layers of protection that an application must have in order to reach the highest degree of security, and it should not be understood as a definitive solution that replaces the others. It is complementary.

We have to remember that some types of problems, such as business logic flaws, are only detected by manual testing. This shows that we cannot treat any product or technology as a “silver bullet”. We have to understand and take advantage of the best that each one can offer us.

Likewise, the underlying weaknesses and vulnerabilities cannot be patched directly during execution: the agent reports or blocks the behavior, it does not fix the code.

What are the differences between RASP and IAST?

RASP and IAST are similar technologies: both run on the web server and are linked directly to the application. RASP, however, is optimized to run in production environments, so it has less impact on normal application usage.

They basically differ in their objective. IAST runs a series of tests and, when it finishes, reports the vulnerabilities it identified. RASP does not run a scan looking for vulnerabilities; it runs in the background observing the application’s behavior, looking for anomalies in both behavior and traffic.

In general, there are two RASP execution modes. The first is called Diagnostic Mode: as soon as an attack is detected, it issues an alert without acting to block the attack, and sends the alert information about the vulnerability to a dashboard.

The second is called Self-Protection Mode: here the action is more reactive, and RASP stops the request performing the action when it detects an action that could damage the application.
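To make the agent idea and the two modes concrete, here is a toy in-process agent written for this article (it is not the code of any RASP product). It assumes a hypothetical baseline of the SQL statement shapes the application is expected to issue, wraps the application’s own data-access call so it judges behavior from inside the process, and either only alerts (Diagnostic Mode) or aborts the request (Self-Protection Mode) when an unknown statement shape appears.

```python
from functools import wraps
import logging

log = logging.getLogger("rasp")

class RequestBlocked(Exception):
    """Raised in self-protection mode to stop the request before the action runs."""

class RaspAgent:
    """Hypothetical in-process agent: wraps the application's own data-access call,
    so it judges behaviour (what the code executes), not just inbound HTTP traffic."""
    DIAGNOSTIC = "diagnostic"
    SELF_PROTECTION = "self-protection"

    def __init__(self, mode, known_statements):
        self.mode = mode
        # Baseline of statement shapes the app is expected to issue (assumption:
        # supplied up front here; real products learn or instrument this).
        self.known = frozenset(known_statements)
        self.alerts = []  # stands in for the events pushed to a dashboard

    def guard(self, execute):
        @wraps(execute)
        def wrapper(sql, params=()):
            if sql not in self.known:
                blocked = self.mode == self.SELF_PROTECTION
                self.alerts.append({"statement": sql, "blocked": blocked})
                log.warning("RASP anomaly (%s): %s", self.mode, sql)
                if blocked:  # self-protection: stop the request itself
                    raise RequestBlocked(sql)
            return execute(sql, params)  # diagnostic: alert, then let it run
        return wrapper

def fake_execute(sql, params=()):
    """Stand-in for a database driver call; echoes what it was asked to run."""
    return (sql, tuple(params))

def run_request(mode):
    """Simulate one request in the given mode: (alert_count, was_blocked, result)."""
    agent = RaspAgent(mode, {"SELECT id FROM users WHERE name = ?"})
    execute = agent.guard(fake_execute)
    execute("SELECT id FROM users WHERE name = ?", ("alice",))  # expected shape
    try:
        # Constructed anomaly: a code path built the statement by concatenation,
        # so its shape is not the parameterized baseline the agent knows.
        result = execute("SELECT id FROM users WHERE name = 'alice'")
        return len(agent.alerts), False, result
    except RequestBlocked:
        return len(agent.alerts), True, None
```

Running `run_request` in each mode shows the difference: both modes record one alert, but only Self-Protection Mode stops the request from reaching the database call.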

Similarities and differences between RASP and WAF

Another point that comes up when we address RASP is: does it resemble a WAF solution or not?

The answer is that WAF solutions are actually a different technology. They are not directly linked to the application; they serve more as an intermediary between user access and the application, seeking to identify patterns of action in order to prevent a problem on the application side.

This is not the moment to address WAF in detail, but I would love to have your comments and thoughts on this technology, as well as on its similarities and differences with WAF. How about leaving a comment?

About author
Over 15 years of experience in Information Security and Applications; graduated in Data Processing, worked as a Professor, and actively participated as an instructor in trainings for more than 6000 developers and IT teams. Father of two daughters and trader in his free time.