Cyber security is certainly getting more mature, with firewalls, IDS/IPS, defence-in-depth strategies and multiple layers of physical security now being mainstays of any organisation’s security deployment. But there’s another soldier rallying to the infosec cause in the form of RASP.
RASP stands for Runtime Application Self-Protection, and is a trending technology that gives applications the ability to defend their contents and the processes they execute on the fly. If we imagine an attack that has intelligently evaded other security layers, such as the firewall, then the attack can still be detected and stopped by the very application at which the attack is targeted. It sounds great, but there’s one big question: how does it do it?
First a quick reminder: when an application is launched, its executable code is invoked and all the functions and processes embedded in that application are executed consecutively, according to its logic. This situation actually makes it easy for an attacker to arbitrarily inject executable code into the running application, and as such change its behaviour and intended output. An attacker who succeeds in this can momentarily (or totally) take control of the application’s actions, to the extent of determining what it does and when it terminates. This particular vulnerability can lead to severe consequences, including but not limited to loss of business intelligence, classified data and processes, and can render an entire PC, server or network vulnerable to more severe attacks such as distributed denial of service (DDoS).
RASP to the rescue
What RASP does to prevent application attacks is simple: it provides the resources for an application to track its activities, including its own behaviour, thereby enabling it to know when malicious content has been injected into it. The application knows what abnormal behaviour is thanks to pre-defined behavioural patterns, meaning it will actively respond to the attack through automatic self-configuration. Manual input is not needed. This self-defence strategy can allow an application to truncate threats, correct runtime faults and run to completion where necessary.
One for all...
RASP as a technology also has another clever trick up its sleeve. It can sit on host servers, keeping an eye on applications that are running from the server in question. If any application behaves in a way that triggers the self-detect and self-protect mechanisms, RASP automatically invokes its protection measures on the application after taking control of it. When such measures are invoked, RASP can then analyse all remote calls on the application, and securely allow the application to continue execution or terminate it, depending on whether a malicious attack is present.
As RASP detects a potential threat, it can send a message to the security administrator or user of the application, sound a warning signal, and/or prematurely terminate the execution of the application in order to stop the threat. Now this is the interesting part: RASP can go all the way and check every activity initiated by the system it is monitoring, to the extent of inspecting the business logic, the resources used by the system (such as data and processes), and even the system’s configuration. That’s a genuinely impressive feature-set. We can see from the structure of RASP that it can definitely help improve the security of applications – particularly the exactness of detecting and stopping unwanted security incidents that may have adverse effects on the integrity of the data being processed.
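The detect-then-alert-or-terminate behaviour described above can be sketched in a few lines. This is an added example, not code from the original article or from any RASP product: the names `GuardedDb`, `RaspViolation` and `shape` are hypothetical, and the detection rule (user input must not change the structure of the SQL statement) is one assumed "pre-defined behavioural pattern" chosen for illustration.

```python
import re
import sqlite3

class RaspViolation(Exception):
    """Raised when the guard stops a call at the sink."""

# Crude SQL lexer: quoted strings, comments, words/numbers, any other symbol.
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/|\w+|[^\s\w]", re.S)

def shape(sql):
    """Statement structure with every literal collapsed to '?'."""
    toks = _TOKEN.findall(sql)
    return ["?" if (len(t) > 1 and t[0] == "'") or t.isdigit() else t.upper()
            for t in toks]

class GuardedDb:
    """Hypothetical RASP-style hook wrapped around a sqlite3 connection."""

    def __init__(self, conn, mode="block"):
        self.conn, self.mode, self.alerts = conn, mode, []

    def query(self, template, user_value):
        # Pre-defined behaviour: the shape the statement has with a benign value.
        expected = shape(template.format("x"))
        sql = template.format(user_value)
        if shape(sql) != expected:
            self.alerts.append(sql)  # stand-in for notifying the administrator
            if self.mode == "block":
                raise RaspViolation("input changed the query structure")
        return self.conn.execute(sql).fetchall()

def demo(mode):
    """Run one normal and one constructed hostile lookup; report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    db = GuardedDb(conn, mode)
    template = "SELECT secret FROM users WHERE name = '{}'"  # unsafe on purpose
    normal = db.query(template, "alice")
    try:
        hostile = db.query(template, "x' OR '1'='1")  # constructed sample input
    except RaspViolation:
        hostile = None  # call was terminated before reaching the database
    return normal, hostile, len(db.alerts)

if __name__ == "__main__":
    print(demo("block"))
    print(demo("monitor"))
```

In "monitor" mode the guard only records the alert and the unsafe query still runs, which is why the hook is a backstop for a query that should be parameterised in the first place.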
The benefits of RASP are manifold: our data can be safe as applications use it, and the events that trigger the various actions on the data can also be assessed as valid for such operations. Organisations need not worry about data distortion, theft or misuse, thereby enhancing operational fluidity and improving business performance in terms of customer-based services. When the integrity of the data being processed is guaranteed, customer satisfaction for customer-based services is not far-fetched.
RASP in your organisation means secure data, enhanced security monitoring and reduced instances of injection attacks such as SQL injection, arbitrary code execution and the like. This will lead to improved business processes and I envisage that in the long run, security incidents will be optimally controlled. But before we start celebrating, it should be obvious to even dreamy-eyed security professionals that attackers will always find a way around security defences. So, when you are ready to use RASP, never forget that it’s one component of a bigger security picture. By all means use RASP and enjoy its advantages, but don’t do so at the expense of other security features and functions.
RASP sounds good, though I think there’s still work to be done. RASP is just another defensive layer on the code and this can be hard to implement when performance is the target. Remember that different applications will require different security features, and RASP’s highly dynamic nature can present itself as a hurdle for some applications. RASP is a new technology that is still maturing, so it’s not yet a standard element in the global security architecture. It is a technology for the future with a big advantage for early adopters, but also more obstacles to overcome. So the next time you have all your applications ready to run, consider RASP and how it can make your security standpoint much more robust.