I have already introduced the Web Application Firewall (WAF) series and explained the importance of its implementation. If we implement a WAF, we try to protect our web application from intrusion from the internet by filtering and monitoring HTTP traffic. But if an attacker gets through the WAF, our next line of defense is Runtime Application Self-Protection (RASP).
The difference between a WAF and RASP is that a WAF blocks all suspicious traffic, while RASP stops attacks on known vulnerabilities and also unknown zero-day attacks.
Runtime Application Self-Protection is a technology built on the idea that an application should protect itself. As the name says, the protection is triggered at runtime, because it has to detect what is happening in real time. RASP runs on the server. Put simply, these tools act as application security observers.
RASP concentrates on all requests coming into the application and all requests made from the application to the system. It intercepts and validates them. It also checks the behavior of the application and its context.
When RASP detects an issue, it can work in two modes: diagnostic and protection. First, when a security problem occurs, RASP raises the alarm (a notification). Then it tries to stop the attack without human confirmation, taking over the response itself. The attack is stopped by terminating the user session, blocking the application, sending alerts, etc.
As I mentioned before, once an attacker passes the WAF, they attack your application directly. The pros of using RASP are that when an attack happens you get more information about what is happening during it, so the developer can see the issue faster and fix it, stopping the attack. RASP also produces fewer false positives, because it runs inside the application and can easily separate attacks from valid requests. RASP itself needs little maintenance, so it is cost-effective.
The cons are that application performance is slower because of the real-time checks, and, as with many tools, it covers a limited number of vulnerabilities.
If developers can use RASP technology to detect and eliminate threats, penetration testers can also use it for testing. Because it can be customized, the tester can build tests around the final reports they want to get.
Developers should implement RASP. If the application is mostly in its maintenance phase, the whole web application can be wrapped in a RASP wrapper. If the web application is live and developers are still adding new features, it is better to include the security checks at the points where functions are called. When using RASP, most developers like to customize it as much as possible by placing triggers on calls within the code; that way they can set up protection parameters and reduce unwanted security tests (checks) by defining rules and actions in advance. This mode is called Block at perimeter mode.
Implementing RASP is very important because, as mentioned, the developer can customize blocking measures. Thus, it is more customizable than WAF.
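As an added illustration (not code from the article or from any RASP vendor), the Python sketch below shows the mechanism described above: a trigger placed on a call within the code, a predefined rule that validates the call using both the request value and the SQL the application built, and the diagnostic and protection modes. The names Rasp, RaspBlocked, sqli_rule and run_query are hypothetical.

```python
import functools
import logging
import re

# Added example, not the article's code: a minimal RASP-style hook. Rasp, RaspBlocked,
# sqli_rule and run_query are hypothetical names; real products hook the runtime (e.g. the
# DB driver) instead of asking developers to decorate their functions.
log = logging.getLogger("rasp")
MODE_DIAGNOSTIC = "diagnostic"   # raise the alarm, let the call proceed
MODE_PROTECTION = "protection"   # raise the alarm and stop the call

class RaspBlocked(Exception):
    """Raised in protection mode; the app maps it to ending the user's session."""

class Rasp:
    def __init__(self, mode=MODE_PROTECTION):
        self.mode = mode
        self.alerts = []   # notifications kept for the developer to inspect

    def guard(self, rule):
        """Intercept every call of the decorated function and validate it with rule()."""
        def decorator(func):
            @functools.wraps(func)
            def wrapper(*args, **kwargs):
                reason = rule(*args, **kwargs)
                if reason is not None:
                    self.alerts.append({"function": func.__name__, "reason": reason})
                    log.warning("RASP alert in %s: %s", func.__name__, reason)
                    if self.mode == MODE_PROTECTION:
                        raise RaspBlocked(reason)
                return func(*args, **kwargs)
            return wrapper
        return decorator

# Context-aware rule: RASP sees both the request value and the SQL actually sent to the
# database, so a value is flagged only if it was pasted verbatim into the statement AND
# carries SQL syntax (quote, comment marker, separator) that changes the statement.
_SQL_SYNTAX = re.compile(r"['\";]|--|/\*")

def sqli_rule(sql, request_value):
    if request_value and request_value in sql and _SQL_SYNTAX.search(request_value):
        return f"request value {request_value!r} alters SQL statement"
    return None

rasp = Rasp()

@rasp.guard(sqli_rule)
def run_query(sql, request_value):
    return sql   # stand-in for the database call; returns the statement it would execute
```

A parameterised query, or a plain value such as a user name, passes untouched, which is where the lower false-positive rate comes from; the same value with SQL syntax pasted into the statement is logged in diagnostic mode and stopped in protection mode.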
Imperva RASP implementation
The implementation is very easy with paid tools like Imperva. First, you need to pay for it 😊. Once that hard step is passed, only a few easy steps remain. You need to download the configuration JSON file using Imperva RASP's configuration manager and place it, together with the RASP modules, in the same directory on your application server. Also, before you run RASP you need a license from Imperva's RASP team. That's it; for more info, check out Imperva's official documentation.
Trend Micro implementation
As with the Imperva implementation, there are a few steps to configure before using the tool.
In this case, you first need to configure:
- Groups of applications, if you want to monitor applications. If you only want to monitor functions, you need to configure groups of functions instead.
- Policies, the set of rules you want the tool to use when detecting vulnerabilities; or you can use the predefined templates.
- The agent you wish to integrate as your security agent. More on security agents on this site.
That is it; you are ready to use Trend Micro. To see more options for a customizable setup, check out their site.
As you can see from these two examples, the implementation steps of different tools are very similar and easy to set up. They are similar but not the same, so you will need to read each vendor's official guide on integrating the tool within the application.
If you don't want to pay and don't want to bother to schedule a demo etc., you can check out some free RASP tools on this site.
If you are a mobile developer, you can check out one mobile in-app protection and security monitoring SDK on this GitHub repository.
*The WeHackPurple community, in one interesting video, explains how the Log4J attack would have been stopped using a RASP tool. Check it out!
This is the list of the top five most used RASP tools in 2022 according to Comparitech research:
- Imperva
- Fortify Application Defender
- Sqreen
Depending on your needs, choose the right tool. A good tool should provide:
- Easy installation with ready-made security templates
- Simple use: a simple UI, easy rule implementation, etc. (the options you need the most)
- A customizable, easy-to-use reporting tool
- A tool that covers more than the basic OWASP 20 vulnerabilities
I provided links in the list of the top five most used tools so you can try out their demos to choose which one suits you the best.
As I mentioned, it is best to combine WAF and Intrusion Detection and Prevention Systems with RASP so you can better protect your web application. In general, when you create a strategy for securing an application, you need to know what your first line of defense is, and you should never fully trust that the first line will not break. Always add as many layers of defense as possible so the attacker does not reach the target. That means combining several security tools and sometimes adding your own custom ones, depending on the application's structure.
Cover photo by Markus Spiske
#RASP #webAppSec