Understanding RASP, and Putting It to Work
Published May 13, 2021
RASP is an initialism for runtime application self-protection. It’s a technology designed to boost application software security by monitoring inputs to running applications. RASP screens all such inputs and blocks those that could be associated with potential attacks. RASP also protects various aspects of an application’s runtime environment, preventing changes to environment variables, access controls, privileges, and so on.
Gartner’s IT Glossary defines RASP as follows: “a security technology that is built or linked into an application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.” Numerous security companies offer RASP add-ins for widely used runtime environments, such as the Java Virtual Machine Specification and the .NET Common Language Runtime. In fact, developers generally choose to buy RASP tools from such third parties instead of building their own implementations.
Putting RASP to Work
When integrated into an application’s runtime, RASP incorporates security checks into the supporting server environment. That is, RASP intercepts inputs sent to the application for screening, and either allows acceptable inputs through or denies questionable or malicious inputs before they reach the application. RASP also includes built-in logging and monitoring facilities, so it can keep track of what it’s doing and make sure its actions are appropriate and secure.
RASP implementations seek to maximize valid interceptions (true positives: preventing malicious or insecure inputs from obtaining application access). At the same time, RASP monitoring — and related updates from its makers — also seeks to avoid invalid interceptions (false positives: preventing legitimate, benign inputs from reaching the application). Ultimately, it makes sense to understand RASP as a validation tool for inputs and data requests made to applications inside their runtime environments.
RASP Is An All-Purpose Technology
Because it’s a plug-in that works with a range of runtime environments, RASP can handle both web-based and traditional (standalone executable-based) applications. Once present, RASP brings protection and detection capabilities to the servers where targeted applications run. In addition, because RASP sees overall application state and context, it does not work at the packet level the way application firewalls do. RASP generally has a nuanced and informed view of application and input states across current, ongoing interactions.
A stateful view of application inputs gives RASP more scope and flexibility for protection. It can exhibit a variety of behaviors as it detects unwanted actions or malicious inputs that match security rules or policies in its knowledge base. Examples of such behaviors, in increasing order of severity, include:
- Deny the offending input and return a warning message to the sending user
- Issue an alert to named recipients (usually administrators or security team members) when offending input occurs
- Terminate the user’s session upon offending input
- Terminate the application upon offending input (without otherwise affecting the host server or other services and applications)
RASP implementations generally plug into existing server frameworks and runtime modules. Thus, they integrate with a program’s code, its associated libraries, and its API calls. Such integration is what gives RASP the ability to handle inputs in real time as an application executes. As users provide inputs to a RASP-protected application, RASP intercepts those inputs and screens them before passing them along to the application (or blocks them, if they trigger detection rules or heuristics).
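The following is an added example, not code from the original article or from any RASP vendor. It shows in Python how the mechanics described above fit together: a hook on the application’s own functions (standing in for the runtime instrumentation a RASP product installs), a rule set that lives outside the application, an audit trail and alert channel, and the escalating response ladder from the list above. Because the engine keeps per-session state, it can also escalate a user who repeatedly trips low-severity rules, which is the advantage of a stateful view over packet-level filtering. All rule names, patterns, functions, and sample data here are hypothetical and constructed for the example.

```python
import functools
import logging
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

log = logging.getLogger("rasp")

# Response levels from the article's list, in increasing order of severity.
CLEAN, WARN, ALERT, END_SESSION, END_APP = 0, 1, 2, 3, 4


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    severity: int


# Hypothetical rule set. It belongs to the RASP layer, not to the application,
# so it can be updated from new intelligence without patching application code.
RULES = [
    Rule("path-traversal", re.compile(r"\.\./|\.\.\\"), WARN),
    Rule("sql-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I), ALERT),
    Rule("null-byte", re.compile(r"\x00"), END_APP),
]


class SessionTerminated(Exception):
    pass


class ApplicationTerminated(Exception):
    pass


@dataclass
class Session:
    user: str
    active: bool = True
    strikes: int = 0  # state the engine carries across a user's requests


class Rasp:
    """Toy RASP engine: screens the arguments of hooked application calls."""

    def __init__(self, rules: List[Rule], alert_sink: Callable[[str], None], max_strikes: int = 3):
        self.rules = list(rules)
        self.alert_sink = alert_sink          # e.g. a function that pages the security team
        self.max_strikes = max_strikes
        self.events: List[Tuple[str, str, int]] = []  # (user, rule, severity) audit trail

    def screen(self, session: Session, value: str) -> Tuple[int, str]:
        """Return (severity, rule name) for one input; CLEAN means no rule fired."""
        for rule in self.rules:
            if rule.pattern.search(value):
                return self._respond(session, rule), rule.name
        return CLEAN, ""

    def _respond(self, session: Session, rule: Rule) -> int:
        session.strikes += 1
        severity = rule.severity
        # Stateful escalation: repeated low-severity hits end the session even
        # though no single input would justify more than a warning.
        if session.strikes >= self.max_strikes:
            severity = max(severity, END_SESSION)
        self.events.append((session.user, rule.name, severity))
        log.warning("rule %s fired for user %s (severity %d)", rule.name, session.user, severity)
        if severity >= ALERT:
            self.alert_sink(f"{rule.name} from {session.user}")
        if severity >= END_SESSION:
            session.active = False
        return severity

    def protect(self, func):
        """Decorator standing in for the runtime hook a RASP product installs."""
        @functools.wraps(func)
        def wrapper(session: Session, *args, **kwargs):
            if not session.active:
                raise SessionTerminated("session already terminated")
            for value in (*args, *kwargs.values()):
                if not isinstance(value, str):
                    continue
                severity, rule = self.screen(session, value)
                if severity == CLEAN:
                    continue
                if severity >= END_APP:
                    raise ApplicationTerminated(rule)
                if severity >= END_SESSION:
                    raise SessionTerminated(rule)
                return {"error": f"input rejected by rule {rule}"}  # WARN / ALERT: user is warned
            return func(session, *args, **kwargs)
        return wrapper


# Hypothetical application code; only the decorator is RASP-related.
alerts: List[str] = []
rasp = Rasp(RULES, alert_sink=alerts.append)
REPORTS = {"q1.txt": "Q1 revenue up"}  # constructed sample data
USERS = ["alice", "bob"]               # constructed sample data


@rasp.protect
def read_report(session: Session, filename: str) -> dict:
    return {"content": REPORTS.get(filename, "no such report")}


@rasp.protect
def find_user(session: Session, name: str) -> dict:
    return {"matches": [u for u in USERS if name in u]}
```

A clean call such as `read_report(Session("alice"), "q1.txt")` reaches the application unchanged. An input that trips a rule is rejected before the function body runs, the decision is recorded in `rasp.events`, anything at or above `ALERT` is pushed to the alert sink, and a third strike in one session raises `SessionTerminated` even though each individual input only warranted a warning. A real product installs the hook by instrumenting the runtime or framework rather than by decorating functions, but the decision flow is the same.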
RASP Benefits and Disadvantages
As its name is meant to assert, RASP delivers application self-protection and security. RASP rules and heuristics are independent of the applications it screens, and they may be continuously modified or updated to track current threat and vulnerability intelligence. With RASP in play, developers may not need to patch or work around an application’s vulnerabilities immediately, and RASP itself doesn’t even need to be aware of those vulnerabilities. Instead, RASP provides filtering that acts as a virtual patch against threats and vulnerabilities. By blocking invalid, malicious, or suspicious inputs, RASP prevents applications from fielding those inputs, and as a direct consequence stops the application from producing unwanted, unsafe, or malicious outputs.
RASP works with most widely used application protocols and frameworks, including Ajax, JSON, XML, HTTP, HTTPS, REST and SOAP. It can also handle well-known remote access protocols such as RDP. As you might expect, using RASP generally incurs licensing costs from its maker. Most such licenses also include subscription costs for keeping RASP rules and heuristics current, ready to handle trending and current threats and vulnerabilities based on periodic intelligence intake.
You may also be interested in: DAST, SAST, IAST and SCA: Which security technology is best for me?
Would you like to know more about implementing a secure application development solution in your company? Get in touch with our Kiuwan team! We love to talk about security.