Runtime Application Self-Protection (RASP)

What Is Runtime Application Self-Protection (RASP)?

Runtime application self-protection (RASP) is a security technology that is built into an application and can detect and then prevent real-time application attacks. RASP prevents attacks by “self-protecting” or reconfiguring automatically without human intervention in response to certain conditions (threats, faults, etc.). 

RASP comes into play when the application is executed (runtime), causing the program to monitor itself and detect malicious input and behavior.

By moving beyond security only at the perimeter of a network or an endpoint, RASP enables applications to defend themselves.

In real time, RASP analyzes both the application’s behavior and the context of the behavior. Thus, continuous security analysis is implemented, with the system responding immediately to any recognized attacks.

How Runtime Application Self-Protection (RASP) Works

Where RASP Lives

RASP basically embeds security into the running application where it resides on the server. It then intercepts all calls to the system to ensure they’re secure. Ultimately, RASP implants validation of data requests directly into the application.

RASP can be applied to Web and non-Web applications, and doesn't affect the application design. Rather, the detection and protection features are added to the servers an application runs on. 

Currently, RASP technology exists for Java virtual machine and .NET Common Language Runtime. Additional implementations are expected as the technology matures.

When RASP Acts

When specified security conditions are met, RASP gets control of the application and takes the necessary protection measures. An example of a condition that could trigger a response is execution of instructions that access a database (which might cause a SQL injection exploit).

The technology could either be in diagnostic mode and simply sound an alarm regarding an attack, or it could be in self-protection mode and stop a potentially malicious execution.

RASP’s protection measures include the following:

  • User session termination
  • Application termination (without affecting other applications on the server)
  • An alert sent to security personnel
  • A warning sent to the user

Firewalls vs. RASP

Like RASP, firewalls inspect traffic and content and make decisions to terminate sessions. However, unlike RASP, perimeter firewalls can’t see how traffic is being processed in applications. In addition, with mobile devices and cloud services proliferating, the perimeter is no longer clearly defined, making perimeter firewalls less effective.

Gartner’s Joseph Feinman likens firewalls to "a person who walks out of the house and into the city always surrounded by bodyguards because he has no muscles and no skills.” In other words, remove the firewall (or “bodyguard”), and the application is defenseless.

Advantages of Runtime Application Self-Protection (RASP)

RASP technology has a detailed view into the actions of the system, which can help improve security accuracy. For example, RASP has insight into application logic, configuration, and data and event flows, which means detecting and deterring attacks with high accuracy.

In addition, with self-protecting data, the protection remains with the data, from its creation to destruction and everything in between.

Finally, self-protecting data could potentially help an enterprise meet some regulatory requirements. If self-protected data is stolen, hackers still can’t read or use it. As a result, there may be no requirement to report the loss or theft of the data.

Disadvantages of Runtime Application Self-Protection (RASP)

One downside to RASP is that each application must be individually protected.

Another factor of RASP solutions to consider is the potential performance impact as an application executes its self-protection process. Depending on the approach taken, the dynamic nature of RASP can affect performance while protecting the application, potentially causing a performance degradation that would be apparent to the user. However, the extent of the performance impact is still to be determined as more enterprises deploy the approach.

Finally, with RASP, enterprises aren’t building a secure application, but rather adding a “shield” to the code, however flawed it might be. Because RASP solutions cannot protect against all classes of vulnerability, some security experts argue that it should not be used as the only solution for insecure software, but should be used in combination with other approaches to securing applications such as application security testing.