The most frequent question we get about RASP is whether or not it is 'enterprise-grade'. With so much noise and fanfare in the cybersecurity industry, it’s hard to distinguish true, scalable innovation from the rest. New technologies undergo some growing pains and are often met with a healthy dose of skepticism before they are adopted as the norm.
Prominent information security advisory and consulting firm IANS Research took on the challenge of evaluating the efficacy of Runtime Application Self-Protection (RASP) and recently released a research report called Getting A Grasp On RASP. The report, developed by IANS faculty Paul Asadoorian, provides a much-needed overview of the burgeoning space and parses the pros and cons of these new tools.
While the report thoroughly explores RASP from multiple angles - its defining properties, its vendor landscape, and how it compares to web application firewalls (WAFs) - the primary takeaway is clear: RASP is a highly effective tool and an excellent addition to any application security arsenal.
Benefits: Knowing is Half The Battle
According to the report, RASP tools “provide a precise picture of just how an attack against a given application would or would not be successful.” This kind of production-environment contextual analysis is unprecedented in the field of application security, whose mainstay until recently was simply the doubling up of efforts in development and testing phases. Benefits include:
- Assists with implementing a defense-in-depth approach to application security: by integrating tightly with your source code and application server, RASP both thwarts attacks and pinpoints the exact location of the vulnerability in the code. Asadoorian describes it as “the final line of defense for your web applications.”
- While WAFs are useful for distributed denial-of-service (DDoS) protection and typically catch the easy-to-identify attacks (e.g. cross-site scripting), RASP is a desirable complement because it processes less data and pinpoints vulnerabilities in the source code. The report recommends employing both solutions to maximize security across these disparate yet highly exercised attack vectors.
- Asadoorian praises RASP’s architecture for better application intelligence, stopgap protection, always-on blocking, independence from underlying protocols, adaptive protection, and third-party application protection.
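To make the WAF-versus-RASP distinction in the points above concrete, here is an added toy example (not the report's or any vendor's code): a RASP-style hook that sits at the database call inside the application rather than in front of it like a WAF. It flags a query only when untrusted input spills beyond a single SQL token, and it reports the source line that built the query; the tokenizer, the query and the `users` table are constructed for the demo.

```python
import re
import sqlite3
import traceback

# One token per SQL string literal, number, word, comment or punctuation mark.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|--[^\n]*|/\*.*?\*/|[^\s\w]", re.S)


class InjectionBlocked(Exception):
    """Raised by the hook; the message carries the offending source location."""


def tokenize(sql):
    return TOKEN_RE.findall(sql)


def guarded_execute(cursor, sql, tainted):
    """Execute `sql` unless an untrusted value in `tainted` became more than one
    SQL token. A benign value fits inside a single literal; an injection payload
    spills out into keywords, operators or comments."""
    for value in tainted:
        if value and value in sql:
            neutral = sql.replace(value, "x")  # what a harmless value would look like
            if len(tokenize(sql)) != len(tokenize(neutral)):
                caller = traceback.extract_stack(limit=2)[0]  # frame that built the query
                raise InjectionBlocked(
                    f"query structure changed by untrusted input at "
                    f"{caller.filename}:{caller.lineno} ({caller.name})")
    return cursor.execute(sql)


def lookup_user(conn, name):
    """Deliberately string-built query: the kind of bug the hook is there to catch."""
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    return guarded_execute(conn.cursor(), sql, tainted=[name]).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    ok = lookup_user(conn, "alice")
    try:
        lookup_user(conn, "' OR 1=1 --")
        blocked = None
    except InjectionBlocked as e:
        blocked = str(e)
    return ok, blocked


if __name__ == "__main__":
    print(demo())
```

A production agent does the same at many more sinks (file, command and deserialization calls) and with a real SQL lexer, but the placement inside the process is what gives it the call-site context a WAF never sees.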
Choosing A RASP Vendor
IANS recommends doing your full research before choosing (or dismissing) RASP as a potential solution for your applications, as each provider’s capabilities, implementation constraints and fail-safe practices differ considerably. IANS suggests using specific criteria when choosing a RASP solution, including:
- Compatibility with your platform - whether .NET, Java, PHP or another language
- Results from testing in the lab and under load - for usability, stability, false positives/negatives and especially performance
This report presents a comprehensive argument in favor of RASP - underscoring its many benefits and making a clear case for the solution. As more experts like IANS recommend RASP, and the application security industry continues to strengthen its practices, we expect to see more organizations deploying RASP to protect their mission-critical applications. Will your company be one of them?
IANS clients can review the full research report here.