What is Runtime Application Self-Protection (RASP)?

Gui Alvarenga - May 12, 2022

Runtime Application Self-Protection (RASP) is a term coined by Gartner more than a decade ago to describe what was then an emerging technology that incorporated security functionality within software applications.

Unlike traditional security solutions, which offer protection at the network or endpoint level, RASP focuses on the application itself, using sensors embedded within the software, as well as contextual information, to monitor the application during runtime, address specific vulnerabilities that exist within each piece of software, and stop threats automatically and in real time.

Why is RASP important?

In recent years, apps have become an effective and lucrative attack vector for cybercriminals and hackers who can exploit vulnerabilities within the application, as well as human errors like misconfigurations or open ports.

While traditional network and infrastructure security measures such as a web application firewall (WAF) or intrusion prevention system (IPS) are often used to monitor network traffic and user sessions to identify suspicious activity, these tools do not monitor traffic and data within the application, leaving the organization vulnerable to application attacks.

RASP moves security inside the application, allowing the organization to gather real-time application data and evaluate it within the context of that application. Because the tool is specific to each app and its actual use, RASP delivers a level of accuracy and proactivity unmatched by legacy tools and solutions.

RASP and Cloud Security

RASP is an important component within the organization’s cloud security strategy, and for cloud application security in particular.

As companies increasingly leverage the cloud to advance business transformation efforts, enable new business models and activate a remote workforce, they must also ensure that all business conducted in a cloud or hybrid environment is safe and secure.

Traditional security measures are not equipped to deliver protection in the cloud, which means that organizations must craft a new strategy and adopt new tooling, including application-level policies, tools, technologies and rules — chief among them RASP — to maintain visibility into all cloud-based assets, protect cloud-based applications from cyberattacks and limit access only to authorized users.

How RASP Works

There are two main functionalities provided by a RASP tool:

  1. Application protection: Detecting and blocking security vulnerabilities and malicious activity within the application during runtime
  2. Threat intelligence: Providing deep, code-level visibility within the application and producing insights that help the security team understand who is attacking their organization, their methods and motivations

RASP technology leverages modern software engineering principles to enable protection and threat intelligence at the application level. RASP works by installing sensors within the code base to monitor and control application execution. These sensors enable complete visibility into both the application architecture and the execution flow during runtime.

RASP tools then combine this sensor data with contextual information, such as the code, application logic, settings and configurations, runtime data and control flow, as well as several other inputs, to enable the solution to identify high-risk activity or active breaches and, by extension, make accurate, timely decisions about how to mitigate such events.

RASP vs WAF

RASP and web application firewalls (WAFs) share the same goal: to protect network applications from cyberattacks and data breaches. However, these tools do so in different ways and have different limitations.

A WAF is an application security device that protects organizations by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the web application and the internet. The WAF is responsible for blocking threats before they reach the application. That said, as a perimeter tool, the WAF is not capable of monitoring activity within the application, leaving open the possibility that attackers who have slipped past the firewall may be using the application to advance the attack plan.

This is where RASP comes in. RASP acts like a net, using application data and contextual information to stop attacks that have slipped by the WAF or other preventative security tools.

As the perimeter of each organization becomes more porous due to a rise in cloud computing and the proliferation of mobile devices, the effectiveness of both general-purpose firewalls and web application firewalls has been diminished. This limitation underscores the importance of a comprehensive security strategy that includes protection for all cloud-based assets, including applications. WAFs and RASP are two important components of every comprehensive cybersecurity strategy.

RASP Benefits

RASP security offers automated, real-time protection at the application level. This unlocks many important benefits for the organization, including:

Application-level attack prevention: First and foremost, RASP is a critical capability for protecting organizations from application attacks. Examples of application-level cyberattacks include:

  • Zero Day attacks: A cyberattack that exploits an unknown security vulnerability or software flaw before the software developer has released a patch.
  • Cross site scripting (XSS): A code injection attack in which an adversary inserts malicious code within a legitimate website. The code then launches as an infected script in the user’s web browser, enabling the attacker to steal sensitive information or impersonate the user.
  • SQL injection: An SQL injection attack is similar to XSS in that adversaries leverage a known vulnerability to inject malicious SQL statements into an application. This, in turn, allows the hacker to extract, alter or delete information.
  • DoS and DDoS: A malicious, targeted attempt to flood a network with false requests in order to disrupt business operations.

Resource optimization: RASP tooling automates routine application monitoring and event response, enabling IT teams to focus limited resources on tasks that require human intervention. Further, because the RASP solution leverages data from within the application, it operates with a far higher level of accuracy than traditional tools, which reduces the number of alerts and false positives that IT teams will need to investigate and resolve manually.

Data protection: Data stored within a RASP-enabled app is protected even if the application is breached. This means that hackers who manage to access the application and exfiltrate data are unlikely to be able to view or use that information since it is self-protected.

Continuous protection: RASP enables protection at the code-level, which means that applications become self-protected and remain so regardless of where they are deployed, be it in the cloud, on premises or in a hybrid cloud environment. RASPs do not require retooling, even when applications are updated or relaunched in a different environment. This provides organizations with a high level of continuous protection that requires little oversight and maintenance once deployed.

DevOps support: As more organizations leverage the agile software development process known as DevOps, teams may inadvertently neglect application security testing during development and production. RASP provides valuable context to developers as it relates to vulnerabilities within an application’s code and how it is being exploited. This information can be used by the DevOps team to identify portions of application code that may need to be strengthened within the application to reduce security risks and support interactive application security testing.

2022 Cloud Threat Report

Download this new report to find out which top cloud security threats to watch for in 2022, and learn how best to address them.

Download Now

Protecting Applications with a Cloud Workload Protection Solution

CrowdStike cloud security solutions  enable organizations to build, run and secure cloud-native applications with speed and confidence. With Falcon Cloud Workload Protection, organizations have comprehensive breach protection for the entire cloud-native stack, on any cloud, across all workloads, containers and Kubernetes applications.

CrowdStrike’s CWP solution secures and allows organizations to automate monitoring and detection to stop suspicious activity, zero-day attacks, risky behavior to stay ahead of threats and reduce the attack surface. Its core capabilities are:

Complete Visibility

Falcon Cloud Workload Protection provides complete visibility into workload and container events and instance metadata enabling faster and more accurate detection, response, threat hunting and investigation, to ensure that nothing goes unseen in the cloud environment.

Attack Prevention

Our CWP solution also allows organizations to automate monitoring and detection to stop suspicious activity, zero-day attacks and risky behavior to stay ahead of threats and reduce the attack surface.

Secure Performance at Speed

Falcon CWP key integrations support continuous integration/continuous delivery (CI/CD) workflows allowing organizations to secure workloads at the speed of DevOps without sacrificing performance.

For more information about Falcon Cloud Workload Protection, please download our solution brief or view our product page.

GET TO KNOW THE AUTHOR

Guilherme (Gui) Alvarenga, is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.