We all know that enterprise security is a cat and mouse game. Any company that claims it can guarantee 100% security from hackers is selling snake oil. So the best practice is to raise the bar to make it really, really hard for hackers so that they move on and try to break in somewhere else. The industry now accepts that a layered approach is the best way to raise the bar, and of course that has translated into significant investments in endpoint protection, next generation firewalls (NGFW), intrusion detection and prevention systems (IDS / IPS), security information and event management systems (SIEMs), data loss prevention (DLP), identity and access management (IAM), etc., etc.
These layers are of course necessary, but they’re not sufficient any more.
The Problem with Today’s Security
Hackers are having more success at the application layer and existing perimeter security approaches such as web application firewalls (WAFs) have limited (at best) success. This begs the question:
“If I can’t trust my perimeter security to stop application layer attacks, what can I do about it?”
The answer that is now generally accepted? Security simply must be built directly into the applications themselves. This acceptance has led to the rise in prominence of secure software development lifecycle methodologies (SSDLCs), secure coding best practices, and various classes of application security testing tools that help you identify potential vulnerabilities before your software is released.
However, there are limitations with this approach. In particular, existing static, dynamic and interactive application testing tools and penetration testing all help to identify vulnerabilities, but they don’t actually fix anything, so:
- Legacy applications have large backlogs of known vulnerabilities
- Developers are prized resources and application development heads need them to focus on new features and applications, not application remediation
- Defense against sophisticated attacks takes security expertise and the vast majority of developers are not security experts
- Testing relies on known hacks, so there is still no protection against zero day attacks (previously unknown threats)
So if you need to build security into applications but you don’t have the resources, don’t have the time, can’t trust your developers to have the expertise required to get it right every time, or all of the above (!) then the logical conclusion is that the capability to defend against hacks needs to be delivered in another way.
An Emerging Solution: RASP
This leads us to RASP – Runtime Application Self-Protection. RASP is a new security layer that allows sophisticated security to be built into the runtime of applications without requiring security expertise from developers. It is fundamentally different from any other security technology out there in design, implementation and execution.
Gartner, in its annual Hype Cycle for Application Security 2014 report, calls RASP a major, critical trend:
“Applications should not be delegating most of their runtime protection to the external devices. Applications should be capable of self-protection (i.e., have protection features built into the application runtime environment).”
RASP is what we deliver at Prevoty. We do it in a way that can allow legacy applications as well as new applications to be protected. And we can prevent zero days too, so your past, present and future threats are all covered.
Of course, we’re not suggesting that Prevoty will solve all of your security challenges, or even all of your application security challenges. What we are suggesting is that RASP needs to become part of your layered security approach and that we can help you raise that bar against hackers. Right now.
Source: Gartner, Inc. - Hype Cycle for Application Security, 2014, published July 28, 2014