What is RASP?

RASP (Runtime Application Self Protection) builds on IAST by not only detecting attacks as they happen in production but actively blocking them by terminating sessions or banning IPs. This explainer video covers when to introduce RASP—greenfield versus legacy—and why most RASP tools still require commercial solutions like Contrast Security.

Coveros Staff

April 9, 2020

RASP stands for Runtime Application Self Protection. Like IAST, it's agent based: it watches your software run and tries to determine whether something is attacking it. The goal of IAST is to recognize an attack from a certain behavior. RASP adds a layer to that: once it recognizes an attack, it tries to do something about it, such as terminating a session, blocking a user, or banning an IP address. RASP therefore lets you not only determine that someone is attacking your software but also react and prevent them from continuing that attack.

When is the best time to introduce RASP to your application?

If it's a brand new greenfield project, where you're going to apply application security practices from day one, you definitely want to start putting RASP in and reacting to what it reports. As you're building out your test automation, you want it in place and to be reacting to its findings there too. Then when you actually put that software into production, you want to use RASP to help you with your security posture. If you have legacy software that hasn't had many application security practices applied to it, RASP gives you something proactive in your production environment that will at least start giving you some protection against people attacking you.

How can you get started using RASP?

A lot of the DAST open source tools are fairly good. A lot of the SAST open source tools aren't completely apples-to-apples comparable to the commercial tools. The open source tools will do a lot of things like finding security violation patterns and finding specific things in your code base that are vulnerable. They don't do things like workflow and data flow analysis: they don't look at how the data flows through the code, and they won't do what's called taint analysis, which tracks data you introduce from the outside world that you never sanitize or validate (rejecting it if it's not valid), so that tainted data goes all the way through your application and could end up in your database. There are a few open source IAST and RASP tools, but not a lot, so for the most part you're still looking at getting commercial tools, through companies like Contrast Security.
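To make the distinction drawn above concrete, here is a toy in-process monitor contrasting IAST behavior (report that unvalidated data reached the database sink) with RASP behavior (report, then terminate the session and ban the client IP). This is an added example, not code from the original post or from any RASP product; the class and function names, the IP addresses, and the sample input are constructed for illustration.

```python
# Added example: a minimal taint-tracking monitor in IAST mode (report only)
# versus RASP mode (report, kill session, ban IP). All names are constructed.
from dataclasses import dataclass, field

class Tainted(str):
    """Data that came from the outside world and has not been validated yet."""

class Blocked(Exception):
    """Raised by the RASP hook to terminate the offending request."""

def validate_username(value):
    """Sanitizer: allow-list check that returns a plain (untainted) str."""
    if value.isalnum() and 0 < len(value) <= 32:
        return str(value)          # str() of a str subclass yields a plain str
    raise ValueError("invalid username")

@dataclass
class Monitor:
    mode: str                                  # "iast" = report, "rasp" = report + block
    findings: list = field(default_factory=list)
    banned_ips: set = field(default_factory=set)
    killed_sessions: set = field(default_factory=set)

    def db_sink(self, value, client_ip, session_id):
        """Instrumented point just before data reaches the database."""
        if isinstance(value, Tainted):          # unvalidated data made it all the way here
            self.findings.append((client_ip, session_id, str(value)))
            if self.mode == "rasp":
                self.killed_sessions.add(session_id)
                self.banned_ips.add(client_ip)
                raise Blocked(f"tainted data at DB sink from {client_ip}")
        return ("SELECT * FROM users WHERE name = ?", (value,))

def handle_request(monitor, raw_input, client_ip, session_id, sanitize=True):
    """Request handler: the agent's ban check runs first, then the app's own logic."""
    if client_ip in monitor.banned_ips:
        raise Blocked(f"{client_ip} is banned")
    value = Tainted(raw_input)                  # everything from the wire starts tainted
    if sanitize:
        value = validate_username(value)
    return monitor.db_sink(value, client_ip, session_id)

if __name__ == "__main__":
    bad = "o'brien; --"                         # constructed unvalidated input
    iast = Monitor("iast")
    handle_request(iast, bad, "203.0.113.5", "s1", sanitize=False)
    print("IAST reported:", iast.findings, "banned:", iast.banned_ips)
    rasp = Monitor("rasp")
    try:
        handle_request(rasp, bad, "203.0.113.5", "s1", sanitize=False)
    except Blocked as e:
        print("RASP blocked:", e, "banned:", rasp.banned_ips)
```

Note that string operations on a `Tainted` value (such as `.strip()`) return a plain `str` and silently drop the taint; real agents propagate taint through those operations, which is a large part of why the commercial tools are hard to replicate.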

Coveros Staff

This post represents the collective insights of the Coveros team. Our staff consists of software experts who bring deep experience in secure agile development, DevOps, testing, and software quality. Over the past 20 years, Coveros has trained more than 30,000 professionals and worked with half of the Fortune 100 companies on mission-critical software development challenges. We draw on this extensive experience to share practical insights, proven strategies, and real-world solutions that help organizations build better software faster and more securely.