With the rising number of applications and the rise in security threats, the need for Runtime Application Self-Protection (RASP) is ever more important. The security and privacy protection for organizations is of paramount significance and RASP is one of the tools at their disposal to achieve these aims.
What is RASP in application security? Runtime Application Self-Protection (RASP) is a security technology used to protect applications from malicious attacks and unexpected deviations in their behavior. RASP tools can operate within the application’s runtime environment or can be linked to it, allowing them to get visibility inside the application to detect and block any malicious attacks or any deviations in expected behavior.
Runtime Application Self-Protection security tools work by looking at the calls an application makes to the system, intercepting these and checking the validity of these calls by using:
- known attack threats
- previously learnt application behaviors
- new attack threats from threat intelligence
Known attack threats could include shelling out to the environment the application resides in. So, if the application is running inside a docker container on a Linux host, the application invoking commands to open the bash programming shell could be seen as a potential threat and the RASP security tool will automatically stop this from happening. As long as the RASP tool is set to block malicious activities instead of just fire up a warning in the dashboard.
The majority of RASP security products have learning capabilities where the application being protected is run over a period, normally 24 hours, with its operation monitored by the RASP tool. This operation, or behavior to be more exact is then taken by the RASP security tool to be the expected behavior when the application is working.
Any deviation to the expected behavior would then be flagged up as being malicious as it’s not expected. So, if the application behavior changed to where it was trying to send information to different systems or to even external systems, this could potentially indicate the application has been infected with some form of malware. The RASP security tool could then block the malware from propagating by shutting down the application and closing off any communication channels.
RASP Threat Intelligence
New threats emerge all the time and the RASP security tools generally have access to emerging threat intelligence, allowing them to check for newer threats on an on-going basis. Many RASP vendors are part of larger security vendors, giving them access to threat intelligence from across their organization. This gives their RASP security tools the ability to detect new threats quickly and be able to apply mitigating actions to stop the threats from doing damage.
RASP tools work proactively in blocking attacks, as opposed to other tools which use a more reactive model and are more focused on minimizing the impact when an attack has already happened.
RASP security products and vendors
There are many RASP security products and vendors in the marketplace and deciding which one is right for any organization involves developing some form of acceptance criteria to ensure the RASP tool does exactly what will be expected from it.
Twistlock RASP Defender
Twistlock RASP Defender is a RASP tool from Palo Alto (Twistlock taken over by Palo Alto in 2019) designed for containerized workloads like applications running in docker containers, applications running as Functions as a Service (FaaS) and standard hosted applications.
Containers
For containerized workloads the Twistlock RASP Defender can run as side car container on the same host as the containers being monitored. Allowing it to intercept calls made by the containers and check if these are similar to the ones it knows about.
By using machine learning aspects of artificial intelligence, Twistlock RASP Defender learns the expected behaviors of the application and this is why before any containers are set to ‘live’ conditions, learning mode is used to learn about the containers behaviors.
Anything construed as malicious can quickly be picked up and those behaviors flagged as false positives, can be marked as acceptable. This behavioral profile is then saved by Twistlock RASP Defender and is used as a comparison when the container runs under ‘live’ conditions, with any deviation from this behavior either alerted on, or blocked, with security teams quickly being alerted to the actions taken.
So, if malware had entered the container somehow, the behavior of the malware would be stopped by the RASP defender because the behavior would not be the same expected, as learnt during the behavioral learning phase of the container.
Serverless
FaaS more commonly known as Serverless is another area where Twistlock RASP excels at. Popular serverless products like Amazon with its Lambda and Azure with its Azure Functions run code in popular languages like Python, Node.js and many more.
With serverless, instead of being a single application, the code is split into functions, making it easier to develop and update any code changes. The burden of managing a servers is removed as well as the costs and only the time taken to run the serverless function is billable. This makes serverless an attractive option for many organizations.
The potential for these serverless functions to run code with malicious intent increases, especially if the coding quality is poor or from an insider threat perspective, one of the developers adds their own malicious code. Many a disgruntled employee has ended up doing severe damage to their employers systems, so having protections in place like RASP are essential.
Twistlock RASP Defender adds a layer to the serverless functions that monitors what the serverless function is doing. Any behavioral deviation is picked up and either blocked or alerted, just like with containerized workloads where behaviors are leaned prior to any code going into a ‘live’ state.
Aqua Security RASP
Aqua Security RASP is a competitor to Twistlock RASP Defender, and its Micro Enforcer product provides a similar level of protection to Twistlocks RASP Defender.
Containerized workloads can be protected including those container systems where a side car approach isn’t possible due to the restrictions in being able to manage the container system. AWS Fargate is one example of this where the RASP tooling needs to be installed differently as a task definition. Both the Aqua RASP and the Twistlock RASP Defender are able to work with closed container systems like AWS Fargate.
Aqua’s RASP products also provide serverless function security, by providing an additional layer of security wrapped around the functions to check on their behaviors and calls. Any deviations or threats are alerted upon or blocked, depending on the configuration.
To ensure the latest threats can be determined, up to date Threat Intelligence is used, by downloading this on a regular basis.
Veracode Runtime Protection
Veracode Runtime Protection provides RASP capabilities through the agent deployed to the host where the application is installed. This allows the agent to get an insight into the applications logic, the events being generated, instructions being executed and the flow of data in and out of the application.
Veracode Runtime Protection is available as a Software as a Service (SaaS) subscription offering.
MicroFocus Fortify Application Defender
MicroFocus Fortify Application Defender is another RASP tool priding itself on not having to change any application development code, for it to be able to quickly report back any anomalous security activity on applications including the users using the applications.
There is no need to create custom log parsers for Application Defender to work, it will work out of the box and consistently with great accuracy detect software exploits in Java and .NET type applications. Detection can be expanded upon into actually blocking potential attacks, stopping any serious attacks from doing any damage.
Application Defender is available as either as a SaaS option or self managed version, with the former being subscription based.
CheckMarx CxRASP
CheckMarx CxRASP uses technology to observe an applications bi-directional flow of data, analyzing this to detect any anomalies in real-time to ensure any attacks can be defended against.
Gartner RASP Magic Quadrant
In the Gartner RASP Magic Quadrant, typically it is HP Application Defender, Veracode and IBM (Arxan Application Protection) marked as leaders. With CheckMarx marked as visionaries and Synopsis marked as challengers.
For containerized workloads and serverless functions, Twistlock and Aqua generally tend to lead the field.
RASP vs WAF
The difference between RASP vs WAF are that WAF is about looking at protection against external threats and RASP is concerned with protecting against internal threats. Threats emerging from the internal trusted networks can potentially do more damage than external threats and put the security posture of an organization at risk.
A WAF is placed towards the network perimeter of an organization and will use a set of rules to inspect all incoming traffic to a website or Application Programming Interface (API) and see if any of the traffic contains any anomalies.
As many websites prefixed with HTTPS are encrypted, the data travels securely over a TLS/SSL encrypted channel. A WAF will not be able to inspect the traffic from an encrypted connection, so the traffic needs to be decrypted first using SSL offloading techniques. Once the traffic is decrypted, the traffic can be inspected by the WAF for anomalies and any data falling foul of the WAF rules is discarded.
For example, if the WAF inspection for finds database code structured to try to try to get privileged access on a database using what is known as a SQL injection attack. The WAF can simply stop the SQL injection code entering the internal network and discard it, thereby protecting the integrity and confidentiality of the organizations data.
RASP tools on the other hand are placed inside the application environments and monitor the application for any unusual behaviors. As the application is being used, the RASP tool checks how the application is running and if the application exhibits a behavior likely to compromise security. The RASP tool can either alert or block the application from carrying out the malicious behavior.
As an example, a docker container could contain an exploit designed to steal an organizations data. The container with its direct access to the database, potentially has access to the information stored in the database. If the container starts to make unusual calls to external connections, this could be flagged up by the RASP tool and stopped in its tracks. The container could contain an exploit designed to get data from the database and send it out of the organization to a predefined location.
A container may contain malicious code that tries to elevate its privileges using a vulnerability in the container or the host running the container. By elevating the privileges, it can run under, the container can get access to the host it is running on and the other containers running on the host. The other containers may be connecting to systems with sensitive information and this could allow the rogue container access to information it should not have access to.
WAF works on a set of rules and doesn’t have the additional understanding beyond the rules to be able to determine the attack. It doesn’t use behaviors as RASP uses to determine the level of threat and this can sometimes leave some threats undiagnosed.
Both a WAF and RASP are essential is increasing the overall security posture of any organization. In fact, during my security assessment work, I advise my clients on the essential protections both of these provide.
What are the different types of security testing?
There are many different types of security testing in DevSecOps, with SAST and DAST working alongside RASP and container security scanning tools. Together in a pipeline configuration these security tools allow automated testing to be done end to end from development all the way to production.
RASP security tools are widely used in Continuous Integration / Continuous Deployment (CI/CD) pipelines, where they are placed to check for any behavior anomalies in the end to end deployment and running of applications.
What problem does DevSecOps solve?
DevSecOps solves the problem of ensuring all security testing can be completed uniformly at different stages of development and deployment in an automated fashion. From the initial development of code where security checking can be done in real-time with the developer to the security testing of the application as it is running and being used in a ‘live’ state.
SAST
Starting with a ‘shift left security’ approach the first phase of DevSecOps should ensure the code is checked as it is being created. This is where Static Application Security Testing comes into the equation looking at how the code is handling validation for example, to ensure this cannot be later used as leverage by hackers to exploit the application for access.
SAST can be included in the pipelines being used for development and deployment in the CI/CD platforms where CI is Continuous Integration and CD stands for Continuous Deployment. SAST in the CI/CD world will check any code checked into the pipeline for security issues and will generally be configured to stop the code from going any further in the pipeline if it fails the SAST checks.
DAST
Dynamic Application Security Testing will check what comes out of the CI pipeline, that is the application created from the development code. This applications interfaces will be in the scope of DAST testing, interfaces like APIs and front end web pages.
DAST will run its security checks on the applications APIs and web pages in a running state by attacking the application to see how it deals with threats and attacks designed to look for weaknesses.
RASP
RASP will protect provide the internal security to ensure the applications behave as they were designed to behave. By monitoring the application calls and data flows, RASP can keep an eye on the application.
While DAST checks the applications interfaces like APIs and its web pages, RASP check the actual internal running of the application. So, if an API interface checked by DAST doesn’t have any issues, the internal microservice the API calls suddenly starts to try to connect to other microservices when it shouldn’t be. RASP will be able to detect this as a deviation to the expected behavior.
Conclusion
Runtime Application Self-Protection is an essential part in ensuring threat and attacks from applications are detected in real-time and either alerted on or blocked. RASP technology gives security personnel an insight into the applications environment which other technology like WAF wouldn’t be able to do. Allowing attacks and threats surfacing in the application runtime environment to be quickly detected and blocked.
