Runtime application self-protection (rasp): self-cultivation of application security

Applications have become an excellent target for hackers to penetrate the enterprise . Because they know that if they can find and exploit vulnerabilities in the application , They have more than a third chance of successfully invading . what's more , The possibility of discovering application vulnerabilities is also high . Contrast Security The survey shows that , 90% The application has not been tested for vulnerabilities during the development and quality assurance phases , Even quite a few applications are not protected during production .

Because there are many vulnerable applications running in the enterprise , The challenge for the security team is how to protect these applications from attack . One way is for applications to protect themselves by identifying and preventing attacks in real time , This is called runtime application self-protection （Runtime Application Self-Protection） Technology .

  What is? RASP？

Apply self-protection at runtime （RASP） This concept is developed by Gartner On 2012 in , This is a new security technology , So that enterprises can prevent hackers from invading enterprise applications and data . RASP Technology is usually built into an application or application runtime environment , Be able to control the execution of the application , And detect vulnerabilities to prevent real-time attacks .

When the application starts running ,RASP By analyzing the behavior of the application and the context of that behavior , Protect them from malicious input or behavior . RASP By enabling the application to continuously detect its own behavior , Can immediately identify and mitigate attacks , And there's no need for human intervention .

No matter what RASP Resident in server Where is it , It integrates security into running applications . It intercepts all calls from the application to the system , Make sure they are safe , And validate data requests directly within the application . Web He Fei Web Applications can be RASP The protection of the . This technology does not affect the design of the application , because RASP The detection and protection functions of the can be applied in the server Up operation .

  Why? RASP So important ？

Intrusion prevention system （IPS） And network application firewall （WAF） Technologies such as are commonly used for application protection at run time , But they work online while checking network traffic and content . When they analyze traffic to and from applications and user sessions , They cannot see how traffic and data are handled within the application . Because their protection measures often lack the accuracy required for session termination , Therefore, it will consume a lot of security team bandwidth , Usually only used for alarm and log collection . What is needed now is a new application protection technology ——RASP, It can reside in the runtime environment of the application to be protected .

  Security challenges facing applications

Protecting Web The application and API when , You will usually face the following 4 Common security challenges ：

1、 Real attacks are hard to identify . Each application has its own unique vulnerability , And can only be used by special attacks . Completely harmless for an application HTTP request , It could be devastating for another application . meanwhile ,“ On-line （on the wire）” The data may be different from what it shows in the application （ go by the name of “ Impedance mismatch ” problem ）.

2、 present Generation applications （ especially API） Use complex formats , Such as JSON、XML、 Serialize objects and custom binary formats . These requests use the exception of HTTP Various agreements other than , Include WebSocket, It is created by the JavaScript、 Rich client 、 Mobile applications and many other sources .

3、 Traditional technical defense has no effect . WAF By means of HTTP Analyze the traffic before it reaches the application server , Completely independent of the application . Although most large organizations have WAF, However, many of the these enterprises do not have a professional team to make necessary adjustments and maintenance , Make it only in “ Logging mode ”.

4、 Software is developing rapidly , Containers 、IaaS、PaaS、 Both virtual machines and elastic environments are experiencing explosive growth . These technologies make applications and API Can be deployed quickly , But it will also expose the code to new vulnerabilities . DevOps It has also speeded up integration 、 Speed of deployment and delivery , Therefore, the process of ensuring software security in the rapid development stage becomes more complex .

Fortunately, , Apply self-protection at runtime （RASP） It can solve many of these problems .

 RASP How it works

When APP When a security event occurs in ,RASP Will control the application and solve the problem . In diagnostic mode ,RASP Just issue a problem alarm . In protected mode , It will try to block the problem instruction . for example , It can prevent execution on the database when it looks like SQL Instructions to inject attacks .

RASP Other actions that can be taken include terminating the user's session 、 Stop application execution , Or send an alarm to the user or security personnel .

Developers can do this in several ways RASP. They can access the technology through function calls contained in the application source code , Or they can put a complete application in one wrapper in , This allows the application to be protected with the press of a button . The first method is more accurate , Because developers can decide that they want to protect APP Which part of , For example, log in 、 Database query and management functions .

Either way , The end result will be Web The application firewall is bound to the runtime environment of the application . This closeness to the application means RASP Can be more finely tuned to meet the security needs of the application .

RASP Major advantages

RASP It is unique because it works inside the software , Instead of running as a network device . This makes RASP You can take advantage of all running applications and API Context information obtained in , Including the code itself 、 Frame configuration 、 Applications server To configure 、 Code base and framework 、 Runtime data flow 、 Runtime control flow 、 Back end connection, etc . More context information means wider protection scope and better accuracy .

• RASP The solution can quickly and efficiently prevent attacks until the underlying vulnerabilities are resolved

• And WAF comparison , Their deployment costs and operation and maintenance are lower

• They are deployed on existing server On , Avoid extra expenses

• RASP Technology looks at what the application actually does , Therefore, the same type of adjustment is not required 、 model building 、 Validation or human resources

Protecting applications from attacks often means trying to block them at the network level . But when it comes to understanding application behavior , Traditional methods are inherently inaccurate , Because they are outside the application . meanwhile , Network based application security products will generate many false positives and need to be constantly adjusted . In the past 25 In the year , Network protection is getting closer to application —— From firewalls to intrusion prevention systems , Until then WAF. With RASP, Security can go directly into the application .

• RASP Pile insertion provides a level of accuracy that traditional methods cannot achieve

• It enables application security to be truly in application

• Higher accuracy enables enterprises to confidently protect more data and applications with fewer resources

• RASP Be able to develop in agile 、 Cloud Applications and web Good operation in service

• And those that need constant adjustment WAF The solution is different , It accelerates agile development by providing protection without rework

• RASP Faster and more accurate application

• Whether in the cloud or locally ,RASP Can move seamlessly as applications grow or shrink

• Support RASP The application does not know that the attack is through API Or the user interface

• RASP Simplify application security monitoring by plugging the entire application

• When relevant parts of the application are accessed or other conditions are met （ Such as login 、 transaction 、 Permission change 、 Data manipulation, etc ）, You can create RASP Policy to generate log events

• Policies can also be added and deleted as needed

• With RASP, All these application records can be implemented without modifying the application source code or redeploying .

• RASP Keep providing information about who attacked you and the technology they used , And tell you which applications or data assets are targeted .

• Except for the complete HTTP Request details ,RASP Application details are also provided , Including the specific location of the code line related to the vulnerability 、 Exact back-end connection details （ Such as SQL Inquire about ）、 Transaction information and currently logged in user .

• Use RASP Provides instant visibility to software development teams , Help prioritize your work , And take action on security defense .

because RASP Not a hardware box , It can be easily deployed in all environments , And quickly stop hacker attacks , Finally, the application can defend against attacks in real time .

Self protecting applications will become a reality

When the attacker breaks through the perimeter defense ,RASP The system can still be protected . It provides insight into applied logic 、 Configuration and data event flow , It means RASP Can thwart attacks with high accuracy . It can distinguish between actual attacks and legitimate requests for information , This reduces false positives , So that network defenders can spend more time solving real problems , Instead of drilling into a dead end .

Besides , Its ability to self protect application data means Data is protected from the moment of its birth to its destruction . This is especially useful for businesses that need to meet compliance requirements , Because the self-protection data is unsolvable to network hackers . Even in some cases , If stolen data makes it unreadable when stolen , Regulators do not require companies to report this data breach .

And WAF equally ,RASP Nor will it fix the application's source code , But it does integrate with the application's underlying code base , And protect vulnerable areas of the application at the source code level .

because RASP Still in its infancy , Its shortcomings will be gradually overcome in the future development , And hopefully it will become the future of application security . just as Veracode Chief Innovation Officer Joseph Feiman In the position of Gartner As the vice president of research pointed out ： “ Modern security cannot test and protect all applications . therefore , The application must be able to protect itself —— Self test 、 Self diagnosis and self-protection . This should be CISO Top priority ”.