Application security has emerged, evolved, matured and been adopted at the programming and testing phases of the application lifecycle, not at its operation phase. Technologies for protecting applications during operation have been adopted to a lesser degree, and even then only with reservations.

This can be explained. Adopting application assessment/vulnerability detection technologies is less risky than adopting application protection technologies.

Technologies such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) are good examples of assessment technologies. They analyze application source, byte, or binary code at the time of assessment, or they analyze the presence of third-party components in the application. Based on that analysis, application development and security specialists can take remediation actions, such as fixing vulnerabilities in the application code. These actions only affect non-production applications, so they typically pose little to no risk to the usability of the applications.

Adopting protection technologies that act during the production phase is a much riskier proposition, as doing so can break the execution of production applications, causing an outage or malfunction. Thus, adoption of those technologies has lagged behind detection/testing technologies, and the market tolerated this until recently, when the security situation changed.

Over the last several years, the vector and nature of attacks have transformed. The application layer has increasingly become the main target of attacks. Recent attacks seek to exploit weaknesses in applications to gain unauthorized access to money, data, and possibly control over systems such as power grids or water supplies. These attacks have also become more targeted, and are often supported by governments or terrorist organizations.

This shift is cause for alarm, and it creates demand for real-time, zero-latency technologies capable of detecting attacks that target running applications and protecting against those attacks.

For many years, the IT industry substituted network-based security technologies, mainly web application firewalls (WAFs), for a specialized application protection technology. Yet WAFs have not been broadly adopted, nor are they effective at protecting against application attacks. Those technologies are network traffic analyzers and as such see applications as black boxes. They have no insight into applications' logic flows, database access, data processing or configurations. Because of these deficiencies, they cannot distinguish (with the necessary degree of assurance) between an attack and legitimate access, making them ineffective for true real-time protection. Relying solely upon them is often too risky.

The deficiencies in network-based protection technologies cannot be overcome. A new approach, a new technology is required. That technology – runtime application self-protection (RASP) – has just emerged.

Only RASP is designed to work at the production phase, with an in-production application. RASP becomes an integral part of the runtime environment, so it has uniquely deep insight into application logic and data flow and can therefore detect attacks, and protect against them, with unique accuracy. With this new technology we will see a transformation in the way enterprises protect their applications.
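To make the black-box versus runtime-insight distinction concrete, here is an added example written for this page (it is not code from the post or from any RASP product): a toy request-level filter that can only inspect the raw parameter value, beside a toy runtime guard that hooks the database call and checks each statement's structure against templates the application registered. The guard, the filter rule and the sample rows are all assumed for illustration.

```python
import re
import sqlite3
# Added illustration (not code from the post or any product): a toy runtime
# guard hooks the database call and checks each statement's shape against the
# templates the application registered; a toy request-level filter sees only
# the raw parameter value. Names and rules are assumed.
QUOTE_RULE = re.compile(r"['\";]")  # crude request-level signature, assumed

def network_filter_allows(request_value: str) -> bool:
    """Black-box view: the raw parameter is all the filter can inspect."""
    return QUOTE_RULE.search(request_value) is None

def shape(sql: str) -> str:
    """Replace literals with '?' so statements compare by structure, not value."""
    sql = re.sub(r"'[^']*'", "?", sql)
    sql = re.sub(r"\b\d+\b", "?", sql)
    return " ".join(sql.split()).lower()

class RuntimeGuard:
    def __init__(self):
        self.allowed, self.events = set(), []

    def register(self, template: str) -> None:
        self.allowed.add(shape(template))

    def execute(self, conn, sql, params=()):
        s = shape(sql)  # inside the runtime: the real statement is visible
        if s not in self.allowed:  # structure the application never declared
            self.events.append(f"blocked unregistered statement: {s}")
            raise PermissionError(s)
        return conn.execute(sql, params).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("O'Brien", "user"), ("alice", "admin")])  # constructed rows
    guard = RuntimeGuard()
    lookup = "SELECT name, role FROM users WHERE name = ?"
    guard.register(lookup)
    name = "O'Brien"  # legitimate input that trips the quote signature
    result = {"waf_allows": network_filter_allows(name),
              "rasp_rows": guard.execute(conn, lookup, (name,))}
    try:  # a code path issuing a statement the application never registered
        guard.execute(conn, "DELETE FROM users WHERE role = 'admin'")
        result["rasp_blocked"] = False
    except PermissionError:
        result["rasp_blocked"] = True
    return {**result, "events": list(guard.events)}
```

The request-level filter rejects a legitimate name because it cannot tell a quote in data from a quote in code, while the runtime guard sees the bound parameter and the statement's actual structure, allowing the lookup and blocking the undeclared statement.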

About Joseph Feiman

Joseph Feiman is Chief Innovation Officer at Veracode. In this role, Joseph is responsible for advanced technologies that drive innovative detection and protection strategies. Joseph is a recognized industry leader with nearly two decades’ experience in application development and security, analyzing the market for Gartner Research.

Comments (2)

Mark Hausammann | February 1, 2016 1:29 pm

The innovation you state here needs to also be aligned with existing or new Information Security policies and standards. The idea of production application code that both detects and protects itself makes my antenna go up. For years, especially with the outsourcing of development, static code reviews and even desk checking, not just for functionality but for spurious code, back doors and all manner of malicious functions or human errors, have, based on current standards, provided a modicum of accountability (we could name the person responsible) to the application owners. When the application fixes itself (in production), that level of accountability goes away.

Jari Salomaa | March 21, 2016 7:00 pm

Good blog post! Producing software comes with inherent risk and, despite all the testing, it is never quite complete, and that's why I strongly share this similar vision. Real-time security is the next big thing as computers, networks, mobile devices and the applications running on them become more adaptive to risk and conditional access, and we're working towards smart adaptive security policies and improved user experience without compromising security. By the way Joseph, this is also the solution I'm building right now at Salesforce: Transaction Security. Hope all is well with you.
