In AppSealing Blog, AppSealing News

Applications deployed in enterprises sit in a complex and fragmented environment in a mélange of networks, operating systems, and databases. This often leads to fragmentation in the application’s security architecture, coupled with a lack of precise and fool-proof security road map. The concept of runtime application self-protection (RASP) has been developed largely to address the ad-hoc approaches adopted by developers when they come face to face with threats.

Recent data suggests that 38 percent of mobile applications for iOS and 43 percent on Android carry high-risk vulnerabilities. A large number of them — 74 percent for iOS and 57 percent for Android — affect mobile apps due to weaknesses in their security architecture. Insecure interprocess communication is also a vulnerability found in 38% of Android apps and 22% of iOS apps.

Instead of addressing the design flaws in apps, developers tend to adopt static and traditional AppSec approaches, which often fail in the light of complex security threats. Such disparate layers of security control often become a bottleneck for multiple components at the application, infrastructure, and security layers, but with the arrival of RASP solutions, app security is no more a casual reaction to threats.

What is RASP?

Runtime application self-protection (RASP) is an innovation in the application security ecosystem equipped to deal with runtime attacks on the software’s application layer by providing more visibility into hidden vulnerabilities. It is essentially a security software that integrates with an application or its runtime environment and constantly intercepts calls to the application to check their security. A RASP software does not wait for a threat to impact the app. Instead, it proactively hunts for malware in the incoming traffic to the app and prevents fraudulent calls from executing inside the app. 

By staying within the application, a RASP solution neutralizes known vulnerabilities and protects apps against unknown zero-day attacks without needing any human intervention. Hence, RASP offers a conceptually different security paradigm than traditional security approaches like web application firewalls (WAF), which protect an app simply by blocking all suspect traffic. 

Why is RASP required?

Attack vectors on apps have become so intelligent that they cannot be easily detected only through human intervention. A seemingly innocuous HTTP request – which mimics genuine incoming traffic – could be used to trip down applications and compromise business-critical processes. Modern applications interact with users, back-end servers and databases using APIs, JSON, and XML formats. If these app and server components are not properly secured, hackers can easily take control of the app code, user data, or both. 

The adoption of agile development models by software companies due to a constant requirement for feature upgrades has made modern security protocols indispensable to the app’s overall architecture. RASP, thus, is the perfect answer to this constant requirement and threat perceptions since it blocks attacks in real-time.

A traditional security approach, like a web application firewall (WAF), normally sits in front of web applications, inspecting incoming HTTP request traffic for known attack payloads and abnormal usage patterns. WAF works well only in situations where an attack is known, for which firewall rules can be built in WAF. But, for emerging threats, it becomes ineffective since developers cannot write rules for blocking them. On the other hand, RASP integrates within the app to not only detect threat vectors but also initiate measures to block them. RASP’s seamless, no-code deployment and integration also leads to minimum impact on the app’s overall performance, thus making it a must-have security solution.

How does RASP work?

A RASP layer sits side-by-side with the application code and monitors the incoming traffic to the server and APIs of the application. Upon detecting any threat vectors, RASP applies runtime protection measures and secures the application from malpractices. All requests are vetted through the RASP layer sitting between the application and the server, without impacting the app’s performance. 

With the emergence of cloud computing, the traditional perimeter solutions are found lacking to comprehensively protect applications hosted on the cloud. On the other hand, a RASP program can be integrated as a framework or a module to work with the app program’s code. Used sometimes in conjunction with dynamic application security testing, RASP has powerful capabilities to not only detect threat vectors – just like WAF – but to initiate actions to counteract the damages which can occur if the threat is allowed to be executed. Depending on the implementation, this could mean simply terminating a user session or analyzing traffic at runtime and monitoring vulnerabilities for their impact on the application. Due to its proximity to vulnerable code inside the application, RASP triggers fewer false positives.

What are the various RASP deployment modes?

RASP usually comes in the following modes and can be deployed in any one of them based on requirements: 

  • off mode, which offers neither monitoring nor blocking of calls. Here, all requests are simply passed on without any measures made by the RASP solution.
  • monitoring/diagnostic mode, where a RASP program monitors the application for threats, records logs, and issues alerts, but does not block requests;
  • block mode, where the RASP program goes one step ahead and blocks all illegitimate requests;
  • block at perimeter mode, similar to block mode, except here there are certain predefined rules and required actions specified for the RASP solution to thwart attacks even before they are processed by the application. If the attack vector does not match the specified rules, the RASP solution reports it and blocks the same. In this mode, a RASP program behaves like a WAF.

What are the different RASP approaches?

RASP has evolved into a mature concept of in-app security, which has allowed developers to approach neutralizing threats in multiple ways. Depending upon how the developer wants to implement the RASP security layer in the app or the server, they use one of the following four methods:

Servlet filters, SDKs and plugins are implemented into Apache Tomcat or webserver to monitor and inspect incoming HTTP requests and data payloads before they reach the application code. Those resembling vulnerabilities are blocked and, based upon the deployment mode, RASP takes corrective action.

Binary instrumentation includes building monitoring and control elements into the application, with the former identifying security events in the running application, while the latter records such events’ logs and blocks them.

JVM replacement includes replacing the standard libraries – JAR or JVM (in case of Java) – with a RASP layer, which listens to calls made to supporting libraries and applies rules as the calls are intercepted. RASP, thus, has an overall view of app codebase and the system calls routing framework, which enables RASP to learn about machine behavior and sequence flows through passive monitoring of application calls.

Virtualization, also known as containerized runtime protection, creates an application copy and instruments application’s behavior at runtime on the copy by using rules to govern how an application is protected. RASP monitors and learns from app code pathways, logical constructs, parameterization and outputs generated, etc, which is then applied to application requests. This helps in distinguishing between legible requests from malicious ones and allow for appropriate remedial action.

What should you consider while selecting a RASP solution?

Developers should choose a RASP solution carefully, weighing it on the following parameters:

  • It should be easily deployable and require the least maintenance, otherwise, it can become ineffective when the nature of threats change
  • It should have a fairly broad capability to detect and handle a huge range of vulnerabilities, both traditional and unknown
  • It should have minimum impact on the application’s performance metrics, without which a security layer loses all meaning. No developer will trade users’ comfort for an extra security feature
  • A RASP solution should be accurate with least false positives, so as not to block genuine user traffic
  • It should work seamlessly with other security tools, like WAF
  • It should offer support for multiple frameworks and languages
  • A RASP solution must be autonomous, provide support for cloud analysis with round-the-clock monitoring, and block malignant requests
  • Above all, it should provide a comprehensive and actionable report on all runtime threats handled and learn from the application’s runtime behavior to protect it dynamically against both passive and active incidents

Use cases of RASP

It is important to understand where RASP can be applied in order to appreciate its comprehensiveness and applicability in the modern security framework. Following are some use cases:

  • RASP can handle attacks on known and unknown vulnerabilities in the application ranging from CSRF, CSS attacks, SQLi, HTTP method tampering, Regex DOS, etc.
  • The increasingly agile, distributed nature of application development has made RASP a particularly effective security solution. RASP can act as a protective layer while the development team identifies and remediates vulnerabilities, especially useful in CI/CD DevOps and agile workflows with tight deadlines.
  • RASP becomes particularly handy to protect critical APIs, which are often complex than typical websites and often make use of annotations to route data to methods in the codebase for appropriate parameterization. APIs often use non-HTTP protocols such as WebSocket. RASP works at the application layer and, thus, after network protocol and data parsing has been done, it protects APIs from pertinent attacks.
  • RASP can also protect applications environment from databases, file sharing interfaces, third party connections, data sources, and socket connections. 
  • Application threat intelligence is essential to know in detail which applications are under attack, techniques adopted for perpetrating the attack, along with detailed application-level details which are useful for immediate remediation. Such visibility is indispensable for future-proofing both internal and external enterprise applications.
  • RASP provides for enhanced security logging to identify, debug and diagnose the impact of a security event on the applications.

Conclusion

In conjunction with AppSec testing and WAF solutions, a RASP solution can prove to be the game-changer your organization needs to quickly and effectively deal with a sophisticated threat landscape. With monitoring, traffic analysis, and learning capabilities of RASP, applications can be equipped with a RASP layer which has capabilities to thwart attacks with high accuracy.

Going beyond traditional security approaches; Leverage RASP for faster, cost-effective in-app protection.

 

Govindraj Basatwar
Govindraj Basatwar
Govindraj is a Global Sales Head for AppSealing at INKA Entworks. He keenly follows the innovation and development in cybersecurity, IT, content and application security, and software development, and loves to educate everyone about the what, why, and how of major incidents in the cybersecurity world. His views on industry trends and best practices have been featured in articles, white papers, and had been a keynote guest at multiple security events.

Leave a Comment