Web applications are the most common attack vector used to penetrate an organization's network, because websites are complex and are often developed by people with little knowledge of application security. So what will safeguard organizations while still giving application developers flexibility? Many in the industry would suggest implementing a Web Application Firewall (WAF).
A WAF is a filtering layer placed in front of the web application to intercept incoming traffic, identify attack patterns and prevent them from reaching the application.
The Gartner research team states:
“Infrastructure and perimeter protection technologies inherently lack insight into application logic and configuration, event and data flow, executed instructions and data processing. Thus, they lack the necessary means to ensure accurate detection of application vulnerabilities and protection against application-level attacks.” – Gartner Maverick Research
Hence, implementing a WAF alone is not sufficient to secure an application from sophisticated runtime attacks; if the WAF is bypassed, the application becomes defenseless.
“Apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority.” – Gartner Maverick Research
From this approach comes the idea of a new security technique: Runtime Application Self-Protection (RASP).
What is RASP?
RASP is a security technique built into an application to detect and prevent attacks in real time.
While the application is running on the server, RASP can protect it from malicious input or behavior by analyzing both the application's behavior and the context of that behavior. Because the app continuously monitors its own behavior, RASP prevents attacks by "self-protecting", or reconfiguring itself automatically without human intervention, in response to certain conditions (threats, faults, etc.).
RASP provides some advantages like:
- Remediation and mitigation of vulnerabilities
- Full contextual awareness for complete accuracy
- Completely in process: no APIs, no table look-ups, etc.
- No prior application knowledge required
- No code changes or external devices required
How does RASP work?
RASP integrates security into a running application: it resides on the server, intercepts all calls flowing into the system to ensure they are secure, and validates data requests directly from inside the app.
RASP can protect both web and non-web applications, and the technology does not affect the design of the web application, since the detection and prevention features operate from the web server on which the application is hosted.
When does RASP act?
When predefined security conditions are detected, RASP takes control of the application to implement the necessary prevention measures, such as terminating the user session, stopping the application's execution, or alerting the user or security personnel.
Example: stopping the execution of queries that access a database in a way that looks like a SQL injection attack.
This technology can be implemented in two modes:
Diagnostic mode: sounds an alarm about the attack to security personnel.
Self-Protection mode: stops the execution of the potentially malicious program.
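The following is an added example, not code from the article or from any RASP vendor, that ties together the two preceding sections: an in-process hook that intercepts database calls from inside the application, using the inbound request's parameters as context (the "How does RASP work?" description), and that runs in either diagnostic mode (log only) or self-protection mode (block the query), matching the two modes just listed. Everything in it is constructed: the `RaspCursor` wrapper, the `begin_request` stand-in for the agent capturing request context, the token-count injection heuristic, and the sample `users` table. The application handler `lookup_user` deliberately builds its SQL by string concatenation so the hook has something to catch; real RASP agents hook the database driver transparently rather than being wrapped by hand.

```python
"""Toy RASP hook (constructed example): wraps the database cursor so every
query is inspected in-process, with the request's parameters as context.
Supports "diagnostic" (alert only) and "self-protection" (block) modes."""
import logging
import re
import sqlite3

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("rasp")

# Simplified SQL lexer: string literals, numbers, identifiers/keywords, punctuation.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")


def tokenize(sql: str) -> list[str]:
    return TOKEN_RE.findall(sql)


def structure_changed(sql: str, user_values) -> bool:
    """Injection heuristic used by the hook (an assumption of this example):
    a value that only supplies data fits inside a single literal token, so
    swapping it for a neutral literal must not change the query's token count.
    If the count changes, the input has become part of the SQL structure."""
    for value in user_values:
        if value and value in sql:
            neutral = sql.replace(value, "0")
            if len(tokenize(sql)) != len(tokenize(neutral)):
                return True
    return False


class BlockedRequest(Exception):
    """Raised in self-protection mode instead of executing the query."""


# Request context captured by the agent before the handler runs (constructed
# stand-in for what a real agent reads from the web framework's request).
_request_context: dict = {"params": {}}


def begin_request(params: dict) -> None:
    _request_context["params"] = dict(params)


class RaspCursor:
    """Transparent wrapper: the application keeps calling execute() unchanged,
    which is the "no code changes" property the article lists."""

    def __init__(self, cursor, mode: str = "self-protection"):
        self._cursor = cursor
        self.mode = mode              # "diagnostic" or "self-protection"
        self.alerts: list[str] = []   # queries flagged so far

    def execute(self, sql: str, parameters=()):
        if structure_changed(sql, _request_context["params"].values()):
            self.alerts.append(sql)
            log.warning("RASP: user input altered SQL structure: %r", sql)
            if self.mode == "self-protection":
                raise BlockedRequest("query blocked by RASP")
        return self._cursor.execute(sql, parameters)

    def fetchall(self):
        return self._cursor.fetchall()


# Application code: deliberately built with string concatenation (the
# vulnerable pattern) so the hook has something to detect and block.
def lookup_user(cur, name: str):
    cur.execute(f"SELECT name, role FROM users WHERE name = '{name}'")
    return cur.fetchall()


def make_db(mode: str) -> RaspCursor:
    """In-memory sample database (constructed data) wrapped by the hook."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return RaspCursor(conn.cursor(), mode=mode)


def handle_request(cur: RaspCursor, params: dict) -> dict:
    """Simulated request handling: the agent captures params, then the app runs."""
    begin_request(params)
    try:
        return {"status": "ok", "rows": lookup_user(cur, params["name"])}
    except BlockedRequest:
        return {"status": "blocked", "rows": []}


if __name__ == "__main__":
    cur = make_db("self-protection")
    print(handle_request(cur, {"name": "alice"}))
    print(handle_request(cur, {"name": "' OR 1=1 --"}))
    cur = make_db("diagnostic")
    print(handle_request(cur, {"name": "' OR 1=1 --"}), cur.alerts)
```

Running it shows the difference between the two modes on the same request: in self-protection mode the altered query never reaches the database and the handler returns a blocked status, while in diagnostic mode the query runs (and returns every row) but an alert is recorded. The check is possible only because the hook sits inside the process and can compare the final SQL against the parameters of the request that produced it, which is exactly the context a perimeter WAF does not have.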
WAF vs RASP -
Finally, like every other technology, RASP also has a few disadvantages: one is the need to protect each application individually, and another is the potential performance degradation when self-protection mode is in use.
Conclusion - With RASP technology we are not building a secure application; instead we are protecting the code with a defensive shield. RASP should not be the only solution for securing an application, because RASP solutions cannot protect against all classes of vulnerabilities; hence it should be used alongside other approaches, such as application security testing, to secure applications.
Authored by Rajesh Rao
TCS Enterprise Security and Risk Management