Runtime application self-protection, or RASP, is a technology created to improve the security of software applications...
through the monitoring of running applications inputs. RASP can block those inputs that could otherwise allow attacks to proceed and protects other aspects of the application's runtime environment from unwanted changes, tampering or access.
In its IT Glossary, Gartner defines runtime application self-protection as "a security technology built or linked into an application runtime environment [that] … is capable of controlling execution and detecting and preventing real-time attacks." With an increasing number of security companies providing RASP add-ins for well-known runtime environments, such as the Java Virtual Machine Specification and the .NET Common Language Runtime, developers are trending toward buying RASP technologies from qualified third parties rather than creating their own.
How does RASP work?
Runtime application self-protection adds security checks into running applications on the server, where they typically reside and run. RASP intercepts calls to the application to check their security. It permits safe calls to proceed but blocks calls that are or appear to be unsafe. RASP implementations also instrument applications throughout to make the inputs and actions they block both accurate and secure. This approach maximizes true positives (blocking genuinely malicious or insecure items) while minimizing false positives (blocking items that may appear malicious or insecure, but are actually benign). Thus, RASP provides validation for data requests and inputs directly into those applications where it's part of the runtime environment.
Best of all, RASP works for web and non-web applications, and it doesn't affect application design. Instead, RASP adds detection and protection capabilities to the servers where applications operate. RASP also tends to be extremely accurate because it sees the overall application context and is not limited to a packet-at-a-time view as is the case for application firewalls.
RASP includes a variety of protection measures that it can impose when it detects potentially malicious inputs or attempted actions as defined by security conditions in its implementation. These include responses such as the following, which are in increasing order of severity:
- Warnings sent to offending users with denial of the offending input
- Alerts sent to designated recipients, which are usually system admins or security professionals
- User session termination
- Application termination, which has no impact on other applications or services running on a server
RASP is usually implemented as a framework or runtime module that integrates with program code and associated libraries and system calls. That's why RASP can protect vulnerable parts of an application from within -- or alongside -- the application in real time. When users enter information into an application, they end up making function calls or invoking methods with input that might cause harm to the application or produce unwanted or insecure behaviors. Runtime application self-protection intercepts such calls in real time and can log or block suspect calls as the configuration settings dictate.
RASP pros and cons
RASP provides an unparalleled degree of application self-protection and security given that RASP configuration information is independent of the applications it protects and can be continuously updated or modified to keep up with current threats and vulnerabilities. RASP doesn't need to understand or patch existing or suspected vulnerabilities in application code, nor does it need to locate and identify such things. RASP provides a virtual patch against vulnerability by blocking malicious or suspect inputs and preventing applications from producing unwanted or unsafe outputs or behaviors. RASP also handles all common application protocols, including Ajax, extensible markup language, HTTP, HTTPS, JSON, REST and Simple Object Access Protocol, and various forms of remoting with equal facility.
Using runtime application self-protection involves licensing costs for using third-party add-ins. It also involves recurring costs to keep the RASP configuration up to date, ready to deal with current threats and vulnerabilities. Prospective buyers can learn more about RASP product offerings and related costs in part two of this series.
An early assessment of RASP pros and cons
All about building a software security team
Seven software security myths debunked