Agencies are under a lot of pressure to enforce application and data security. But there are hurdles.
Common protections, like intrusion prevention systems and web application firewalls, help to detect and block attacks at the network layer, but they cannot see what happens inside of an application. Without continuous adjustments to the intrusion prevention system or web application firewall, this lack of context can result in false positives that block legitimate user activity, or worse, false negatives that allow malicious users to gain access to sensitive data and systems.
Plus, software is complicated. Applications have many different layers that can introduce unknown risk. It’s common to use open source and third-party software libraries, which can contain security holes that hackers are aware of and know how to exploit. And developers are human; they make mistakes. Any of these situations can result in an application with vulnerabilities making its way into the production environment.
While there are a number of approaches to solving these challenges, runtime application self-protection, or RASP, is a particularly compelling approach.
Typically implemented as a software plugin, RASP closes the security gaps in applications that leave them vulnerable to attack at runtime (that is, when applications are running). Attacks, whether previously known or zero-day, can easily be stopped from within the application itself using a RASP plugin.
How does it exactly work?
As mentioned, RASP is a software plugin, which means it adds functionality to an app without requiring any changes to the source code. The process is pretty simple. A security lead creates an app configuration file, which is a simple text file that contains customizable security parameters and settings. The config file and RASP plugin are dropped into an application-build and the application is deployed as usual.
When an application runs, the plugin is activated. RASP inspects the data that flows through the app – both inputs and outputs – protecting the runtime environment from unintended use.
RASP is portable. It travels with the application regardless of where the application is deployed. Plus it’s scalable. RASP can scale up to meet the requirements of any app, because it essentially is the app. As the app scales, so does RASP.
Finally, RASP is an industry-vetted and mature technology that the National Institute of Standards and Technology has recently included in the Recommended Security Controls for Federal Information Systems and Organizations, as described in NIST Special Publication 800-53 and the related NIST Cybersecurity Framework.
Many large organizations have already successfully incorporated RASP into their environments. Take AARP for example. The member-based organization focused on interests related to the elderly already had a well-developed security program that included vulnerability management, incident detection and response and network defense. When looking at application protection products, it was important that the chosen solution would complement what was already in place and add value. It also needed some future-proofing in that AARP planned to transition to microservices down the road.
With RASP in place, one of the near-immediate benefits was a downgrade of the vulnerability backlog. With the backlog less critical, development teams had more time to fix vulnerabilities and come up with more innovative ways to deliver services to customers.