RASP stands for Runtime Application Self-Protection. Like IAST, it's agent-based, so it watches your software run and tries to determine if something is attacking it. The goal of IAST is to try to determine, based on certain behavior, whether something is attacking the application. RASP adds a layer to that by recognizing that something is attacking it and then trying to do something about it, like terminating a session, blocking a user, or banning an IP address. RASP allows you not only to determine if someone is attacking your software but also to react to that and prevent them from continuing the attack.
When is the best time to introduce RASP to your application?
If it's a brand-new greenfield project where you're going to apply application security practices from day one, you definitely want to start putting SAST in and reacting to that. As you're building out your test automation, you want to start putting DAST in and reacting to that. Then, when you actually put that software into production, you want to use IAST or RASP to help you with your security posture. If you have legacy software that hasn't had many application security practices applied to it, RASP gives you something proactive in your production environment that will at least start giving you some protection against people attacking you.
How can you get started using RASP?
A lot of the DAST open source tools are fairly good. A lot of the SAST open source tools aren't completely comparable, apples to apples, to the commercial tools. The open source tools will do a lot of things like finding security violation patterns and finding specific things in your code base that are vulnerable. They don't do things like workflow and data flow analysis. They don't look at how the data flows through the code, and they won't do what's called taint analysis, where you introduce data from the outside world but never sanitize it or check that it's valid and reject it if it's not. So that tainted data goes all the way through your application and could go into your database. There are a few open source IAST and RASP tools, but not a lot, so for the most part you're still looking at getting commercial tools, through companies like Contrast Security.
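To tie the two ideas together, here is an added toy example (not code from the original article or from any vendor's product) of what a RASP-style agent does at runtime: it tracks taint on data that came from outside the trust boundary, lets validated data through, and when unsanitized data reaches the database sink it blocks the call, terminates the session and bans the client IP after repeated strikes. The `Tainted` type, the allowlist validator, the `RaspAgent` class and the sample requests are all constructed for illustration.

```python
"""Toy RASP agent: taint-track untrusted input, react when it reaches a sink."""
import re
from collections import defaultdict

class Tainted(str):
    """A str that remembers it came from outside the trust boundary.
    Concatenation keeps the taint, so it follows the data through the app."""
    def __add__(self, other):
        return Tainted(str.__add__(self, str(other)))
    def __radd__(self, other):
        return Tainted(str(other) + str(self))

def validate_username(value):
    """Allowlist check: returns a plain (untainted) str or rejects the input."""
    if re.fullmatch(r"[A-Za-z0-9_]{1,32}", value):
        return str(value)                 # str() drops the Tainted subclass
    raise ValueError("invalid username")

class RaspAgent:
    def __init__(self, ban_after=3):
        self.ban_after = ban_after
        self.strikes = defaultdict(int)   # per client IP
        self.banned = set()
        self.sessions = {}                # session id -> client IP
        self.events = []                  # what a SOC would ingest

    def guard(self, sink):
        """Wrap a sink so tainted data is stopped before the sink executes."""
        def wrapped(session_id, client_ip, sql):
            if client_ip in self.banned:
                return ("blocked", "ip banned")
            self.sessions.setdefault(session_id, client_ip)
            if isinstance(sql, Tainted):  # unsanitized data reached the sink
                self.strikes[client_ip] += 1
                self.sessions.pop(session_id, None)      # terminate session
                if self.strikes[client_ip] >= self.ban_after:
                    self.banned.add(client_ip)           # ban the IP
                self.events.append((client_ip, session_id, str(sql)))
                return ("blocked", "tainted data reached db sink")
            return ("allowed", sink(sql))
        return wrapped

def db_query(sql):
    return "rows for: " + sql             # stand-in for a real database call

def demo():
    agent = RaspAgent(ban_after=2)
    query = agent.guard(db_query)
    bad = Tainted("alice' --")            # constructed attacker-controlled input
    ok = query("s1", "10.0.0.5", "SELECT * FROM users WHERE name='" + validate_username(Tainted("alice")) + "'")
    r1 = query("s2", "10.0.0.9", "SELECT * FROM users WHERE name='" + bad + "'")
    r2 = query("s3", "10.0.0.9", "SELECT * FROM users WHERE name='" + bad + "'")
    r3 = query("s4", "10.0.0.9", "SELECT 1")   # banned IP, blocked before any check
    return ok, r1, r2, r3, agent
```

Taint is the only signal the agent needs here: a value that was validated is a plain `str` and passes, while anything still carrying `Tainted` into the sink is treated as an attack in progress.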