Runtime application self-protection (RASP) has gotten a bad rap from tech companies over the past few years, and I can understand why. We've seen RASP vendors claim to be the answer to all of our app security problems, only for the tech to turn out too risky in production, too much work to implement and manage, or too much of a cultural change for traditional, siloed organizations. Those were all valid concerns, but they are the challenges of the past. With the way the RASP market is evolving, it's time to take a second look.
In this start-up world of 'move fast and break things', here are three reasons RASP is here to stay.
1. Apps in production are vulnerable
No one wants to admit that the code they push to prod isn't secure, but that's the harsh reality. No matter how rigorous the testing process is, the only code you really own is the business logic. Dev is under pressure to get the build out faster, so they aren't going to start from scratch: they pull in open source libraries and build on top of them. So let's say a new CVE is published for one of those libraries and you need to push a patch. How long is that going to take you? A day? A week? A month? Six months? The point is that yes, your code was secure when you pushed it, but only until someone figures out the next exploit. Enter RASP. The simplest answer is to be able to see which known CVEs each running app is exposed to, and to block attacks against them while the patch is still in progress.
And what about that backdoor a previous admin created so they could log in from home? A RASP agent running inside your applications can enumerate the API endpoints and routes that actually exist at runtime, including the ones that were added and then forgotten about.
2. Secure development resources are slim
If you've noticed a shortage of security talent, you're not alone. Even rarer is the developer who is also trained in security. Either way, great talent on both the security and development side is limited. In the report IT Hiring Forecast, First Half of 2018 by Robert Half, 61% of CIOs said it was very challenging to hire skilled IT professionals and, not surprisingly, maintaining security systems and data protection was their top concern. What that means is that your security tools need to help you bridge the skills gap and set the foundation for a collaborative culture. By being able to run RASP in both pre-prod and prod, you can take real-life attack scenarios (the actual request and the actual query or command it produced) back to your team and solve the security issues together.
From an operational standpoint, your teams are already managing a lot of tools and processes that weigh down productivity and can contribute to a lack of operational discipline. So being able to consolidate tools and workload wherever possible is absolutely critical. RASP has that advantage with its "precision application protection." Because RASP is instrumented into the app at runtime, it has visibility into the application's behavior: the query being built, the command being run, the file being opened. Instead of matching request signatures and patterns of commonly known attacks, it looks for suspicious actions inside the application, which sharply reduces false positives and takes away the need to staff a full-time admin to tune rules. RASP will only tell you when something actually needs your attention.
Speaking of things that need attention, that brings me to RASP protections...
3. Zero-day protection. 'Nuff said.
Web application firewalls are great at detecting the basic attacks (XSS, SQLi, etc.) and at DDoS mitigation, but a WAF only sees the HTTP request. Without a RASP, you're still exposed to the requests that don't match a known signature, the kind used in zero-day attacks, and to what those requests do once they reach the application's back-end calls (database queries, OS commands, file access). For example, RASP will detect and stop a code injection attempt that got past the perimeter defenses, because it sees the injected command or query at the point where the application executes it, regardless of which payload produced it. Zero-day attacks are the most dangerous because they are extremely difficult to detect without proper application-layer defenses. Some breaches go undetected for months or years, causing catastrophic harm to the company. It's increasingly difficult for larger companies to manage application security at the level of each application's runtime calls, and RASP gives them an easy, manageable way to get security controls over all aspects of the application.
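To make the mechanism from points 2 and 3 concrete, here is an added example (my own code, not the article's and not any vendor's RASP agent) of a sink-level check: a hook around sqlite3's execute() in Python that blocks a query when an untrusted request value spans more than one SQL token, which means the input rewrote the query's structure instead of filling in one literal. No attack signature is involved, so an unfamiliar payload is caught the same way as a textbook one. The table, rows, request values and the deliberately vulnerable lookup function are all constructed for the example; the single-character cutoff in analyze() is a heuristic of mine, and a real agent would hook other sinks (OS commands, file paths, deserialization) the same way.

```python
"""Minimal RASP-style hook around a SQL sink (added example, not the article's
or any vendor's code). Wraps sqlite3's execute() inside the process and checks
the query the application built against the request values it was given.
Table, rows and request values below are constructed for the example."""
import contextvars
import re
import sqlite3

# Untrusted values for the current request. A real agent would capture these
# from the HTTP layer; here the simulated request handler sets them.
_REQUEST_INPUTS = contextvars.ContextVar("request_inputs", default=())

# Coarse SQL lexer: string literal, number, word, comment markers, any other char.
_TOKEN = re.compile(r"""'(?:[^']|'')*'|"[^"]*"|\d+(?:\.\d+)?|\w+|--|/\*|\*/|\S""")


class AttackBlocked(Exception):
    """Raised instead of running a query whose structure was altered by request input."""


def analyze(sql, untrusted):
    """Return [(value, tokens)] for each untrusted value spanning 2+ tokens of sql.
    A value inside one token ('alice', 42) is a literal and is allowed; a value
    that crosses token boundaries (' OR '1'='1) has rewritten the query."""
    spans = [(m.group(0), m.start(), m.end()) for m in _TOKEN.finditer(sql)]
    findings = []
    for value in untrusted:
        if len(value) < 2:
            continue  # heuristic (assumption): one character is too short to judge
        pos = sql.find(value)
        while pos != -1:
            end = pos + len(value)
            hit = [tok for tok, s, e in spans if s < end and e > pos]
            if len(hit) > 1:
                findings.append((value, hit))
                break
            pos = sql.find(value, pos + 1)
    return findings


class GuardedCursor(sqlite3.Cursor):
    """The hook: every execute() is checked against the current request's inputs."""

    def execute(self, sql, parameters=()):
        findings = analyze(sql, _REQUEST_INPUTS.get())
        if findings:
            value, toks = findings[0]
            raise AttackBlocked(f"request value {value!r} spans SQL tokens {toks}")
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    """Connection factory, so the application code itself does not change."""

    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory)

    def execute(self, sql, parameters=()):
        return self.cursor().execute(sql, parameters)


def make_db():
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.cursor().executemany("INSERT INTO users VALUES (?, ?, ?)",
                              [(1, "alice", "user"), (2, "bob", "admin")])
    return conn


def find_user_vulnerable(conn, name):
    # Deliberately vulnerable: string concatenation, the pattern the hook catches.
    return conn.execute(f"SELECT id, role FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    # Parameterized: the value never appears in the SQL text, so it is never flagged.
    return conn.execute("SELECT id, role FROM users WHERE name = ?", (name,)).fetchall()


def handle_request(conn, name, vulnerable=True):
    """Simulate one request: record its untrusted value, then run the app's query."""
    token = _REQUEST_INPUTS.set((name,))
    try:
        rows = find_user_vulnerable(conn, name) if vulnerable else find_user_safe(conn, name)
        return {"status": "ok", "rows": rows}
    except AttackBlocked as exc:
        return {"status": "blocked", "reason": str(exc)}
    finally:
        _REQUEST_INPUTS.reset(token)


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "alice"))                         # ok, rows [(1, 'user')]
    print(handle_request(db, "' OR '1'='1"))                   # blocked
    print(handle_request(db, "' OR '1'='1", vulnerable=False))  # ok, rows [] (parameterized)
```

Run it directly to see the three cases. Note what the hook does not need: a list of payloads. The injection is caught because the value crossed token boundaries, and a payload nobody has published yet is caught for the same reason, which is the zero-day argument in practice. The parameterized version is never flagged because the value never enters the SQL text, which is also why fixing the query is still the right long-term answer; the hook buys time until that fix ships. The cost is the heuristic's blind spots: an unescaped apostrophe in a legitimate name like O'Brien also crosses a token boundary and gets blocked, so even a behavior-based check still needs some tuning.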
With all the advancements in security and tech, it's easy to miss some of the trends, but RASP security is worth paying attention to. If your company is moving to DevOps, continuous delivery, or microservices, you'll need to adopt security solutions that give you advanced protections, help you align teams and consolidate processes and tools, and protect your critical public applications. We're helping tech companies accomplish those goals with our next-gen cloud WAF that leverages our unique RASP technology. If you'd like to learn more about RASP vendors, check out The Forrester New Wave™: Runtime Application Self-Protection, Q1 2018.