One of the more promising appsec solutions to emerge in the past decade is runtime application self-protection (RASP). This year RASP earned a spot on NIST's list of critical controls in the latest revision of NIST Special Publication 800-53. Here's what you need to know about RASP: what it does, why it matters, and where it falls short.
What Is RASP?
As defined by Gartner, RASP is "a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks." The concept was first introduced into the cybersecurity lexicon by former Gartner vice president, fellow, and lead appsec analyst, Joseph Feiman – currently chief strategy officer at WhiteHat Security – in a 2012 research note.
Whereas a web application firewall (WAF) sits in front of applications and filters malicious traffic before it reaches them, the idea behind RASP is that applications protect themselves from the inside, blocking attacks in real time.
How Does It Work?
While that is the goal, today's RASP technology doesn't exactly turn applications into martial arts experts who have mastered self-defense.
RASP deploys agents inside, or alongside, the application's runtime so that the agent can take control if and when a security event occurs. The agent watches and analyzes the application and the data coming into it as the application runs. An application running RASP would, in theory, be able to identify a SQL injection or cross-site scripting (XSS) attack and prevent the threat from reaching its target.
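To make the "agent near the application" idea concrete, here is an added illustration (not any vendor's code) of the in-process hook a RASP agent installs for SQL injection: it wraps the database cursor, and at query time it knows both the final SQL string and which substrings came from untrusted input. It refuses a query only when an untrusted value escapes a single literal token and so changes the query's structure, which is why a benign value that merely contains SQL keywords is still allowed through. The `GuardedCursor`, `lookup_secret` function and the in-memory `users` table are all constructed for this example.

```python
import re
import sqlite3

# Tokenizer: quoted strings (with '' escapes), numbers, words, punctuation.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def input_changes_structure(sql, tainted):
    """True if any untrusted value is not wholly inside one literal token.
    A real agent knows tainted byte positions from taint propagation;
    substring search is the stand-in used in this example."""
    spans = [(m.start(), m.end(), m.group()) for m in _TOKEN.finditer(sql)]
    for value in tainted:
        start = sql.find(value) if value else -1
        while start != -1:
            end = start + len(value)
            inside_literal = any(
                s <= start and end <= e and (t[0] == "'" or t.isdigit())
                for s, e, t in spans)
            if not inside_literal:
                return True
            start = sql.find(value, start + 1)
    return False

class RaspBlocked(Exception):
    """Raised when the in-process guard refuses to run a query."""

class GuardedCursor:
    """Wraps a DB-API cursor: the point where an agent hooks execution."""
    def __init__(self, cursor, tainted):
        self._cursor, self._tainted = cursor, list(tainted)

    def execute(self, sql, params=()):
        if input_changes_structure(sql, self._tainted):
            raise RaspBlocked("query structure altered by untrusted input")
        return self._cursor.execute(sql, params)

    def __getattr__(self, name):  # fetchall() etc. pass straight through
        return getattr(self._cursor, name)

def lookup_secret(name, tainted):
    """Hypothetical app code that builds SQL by string formatting, run under
    the guard; the in-memory table is constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("1 or 2", "s2")])
    cur = GuardedCursor(conn.cursor(), tainted)
    cur.execute(f"SELECT secret FROM users WHERE name = '{name}'")
    return [row[0] for row in cur.fetchall()]
```

The keyword-laden but properly quoted value `1 or 2` passes while a quote-breaking value is refused, which is the structural criterion behind Aviat's point below that RASP should block only actual exploits; a parameterized query (`name = ?`) never trips the check because the value is not in the SQL text at all.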
Hurdles in the RASP Race
While the vision of RASP is "ideal," Feiman tells Dark Reading, it has not evolved enough to continue existing as a standalone technology. As a result, it has had minimal enterprise adoption. The reason for that is four-fold, he says.
First, RASP requires instrumentation, which has the potential to unintentionally bring down an application. "People hate seeing agents in their runtime," Feiman notes.
Second, RASP is held up by language dependency. "Every agent is dependent on the language the application is written in," he explains. With dozens of application languages, and frameworks within those languages, it's hard for RASP agents to keep up.
A third problem is CPU consumption. Agents consume the same amount of CPU as the application, thus slowing things down.
Last, RASP can accidentally prevent benign access that it misinterprets as a malicious attack.
Altogether, these issues have hindered RASP adoption, Feiman says.
JB Aviat, CTO of application security vendor Sqreen, echoed some of these thoughts.
"It's fair to say that these challenges created a lot of 'scarring' with respect to RASP approaches that live to this day. However, we believe that these frustrations were the result of the poor execution of RASP approaches, rather than with the concept of RASP itself," he said, noting that Sqreen's RASP solves these issues through "modern approaches."
"I think most security practitioners are aligned with the vision that RASP should only detect and block actual successful exploits to solve for high false-positive rates and should work across languages without any significant performance or deployment issues," said Aviat.
The Future of RASP
Feiman says solutions like RASP and WAF have emerged from "desperation" to protect application data but are insufficient. The market needs a technology that is focused on detection rather than prevention. Indeed, in an effort to address the problems with RASP, he and his team at WhiteHat are in the process of beta testing an application security technology that performs app testing without instrumentation.
As far as existing RASP technologies go, it's unlikely they'll stick around in their current form.
Rather than an independent technology, Feiman believes RASP will ultimately get absorbed into application runtime platforms like the Amazon AWS and Microsoft Azure cloud platforms. This could happen through a combination of acquisitions and companies like AWS building their own lightweight RASP capabilities into their technologies.
"The idea will stay, the market hardly will," says Feiman.
On that, Sqreen's Aviat disagrees, saying RASP is "indeed a standalone technology."
"I expect RASP to become a crucial element of any application security strategy, just like WAF or SCA is today – in fact, RASP is already referenced by NIST as critical to lowering your application security risk," he said. "RASP will only get easier to deploy, its security coverage will increase and cover most generic vulnerabilities in a much more efficient way."