Application security has emerged, evolved, matured and been adopted at the programming and testing phases of the application lifecycle, not at its operation phase. Technologies for protecting applications at the operation phase have been adopted to a lesser degree, and even then only with reservations.
This can be explained: adopting application assessment and vulnerability-detection technologies is less risky than adopting application protection technologies.
Technologies such as static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) are good examples of assessment technologies. They analyze an application's source, byte or binary code at the time of assessment, or they analyze the presence of third-party components in the application. Based on that analysis, application development and security specialists can take remediation actions, such as fixing vulnerabilities in the application code. These actions only affect non-production applications and thus typically pose little to no risk to the usability of the applications.
Adopting protection technologies that act during the production phase is a much riskier proposition, as doing so can break the execution of production applications, causing an outage or malfunction. Adoption of those technologies has therefore lagged behind detection and testing technologies, and the market tolerated this until recently, when the security situation changed.
Over the last several years, the vector and nature of attacks have transformed. The application layer has increasingly become the main target. Recent attacks seek to exploit weaknesses in applications to gain unauthorized access to money and data, and possibly control over physical infrastructure (such as power grid or water supply systems). These attacks have also become more targeted, and are often supported by governments or terrorist organizations.
This change is alarming, and it creates demand for real-time, zero-latency technologies capable of detecting attacks that target running applications and protecting against them.
For many years, the IT industry substituted network-based security technologies, mainly web application firewalls (WAFs), for a specialized application protection technology. Yet WAFs have not been broadly adopted, nor are they effective at protecting against application attacks. They are network traffic analyzers and as such see applications as black boxes: they have no insight into an application's logic flows, database access, data processing or configuration. Because of these deficiencies they cannot distinguish, with the necessary degree of assurance, between an attack and legitimate access, which makes them ineffective for true real-time protection. Relying solely on them is often too risky.
The deficiencies of network-based protection technologies cannot be overcome. A new approach, a new technology, is required. That technology – runtime application self-protection (RASP) – has just emerged.
Only RASP is designed to work at the production phase, with an in-production application. RASP becomes an integral part of the runtime environment, so it offers uniquely deep insight into application logic and data flow and can therefore detect and block attacks with unique accuracy. With this new technology we will see a transformation in the way enterprises protect their applications.
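The "insight into database access" argument above, as an added illustration that is not code from the original article or from any RASP product: a toy RASP-style hook placed at the database sink. Unlike a WAF looking at raw request bytes, the hook sees the final SQL text together with the character span that came from an untrusted request parameter (a real agent obtains this by taint propagation; here `build_query` records it directly), and it blocks the call if that span does not stay inside a single literal token. The tokenizer, `TaintedQuery` and the driver stub are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Tokenizer for the SQL subset this example needs (constructed for the example):
# quoted string literals (with '' escapes), numbers, words (identifiers/keywords),
# and single punctuation characters such as = ( ) , ;
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")


@dataclass
class TaintedQuery:
    """What the sink hook has: the final SQL text plus the character span(s)
    that originated from untrusted request input (assumption: a real RASP
    agent tracks these spans through the application's string operations)."""
    sql: str
    spans: List[Tuple[int, int]]


def build_query(prefix: str, untrusted: str, suffix: str) -> TaintedQuery:
    """Stand-in for the application concatenating request input into SQL."""
    start = len(prefix)
    return TaintedQuery(prefix + untrusted + suffix, [(start, start + len(untrusted))])


def tokens_touching(sql: str, start: int, end: int) -> List[str]:
    """All tokens whose character range overlaps the tainted span."""
    return [m.group() for m in TOKEN_RE.finditer(sql)
            if m.start() < end and m.end() > start]


def is_injection(q: TaintedQuery) -> bool:
    """Untrusted data may only ever form (part of) one literal token, a quoted
    string or a number. If it spills into keywords, operators or several
    tokens, the input has altered the query's structure."""
    for start, end in q.spans:
        toks = tokens_touching(q.sql, start, end)
        if len(toks) != 1:
            return True
        if not (toks[0].startswith("'") or toks[0].isdigit()):
            return True
    return False


def execute_guarded(q: TaintedQuery) -> str:
    """RASP hook wrapped around the real driver call (the driver is a stub here)."""
    return "blocked" if is_injection(q) else "executed"


if __name__ == "__main__":
    for q in (build_query("SELECT * FROM users WHERE name = '", "O''Brien", "'"),
              build_query("SELECT * FROM users WHERE id = ", "42 OR 1=1", "")):
        print(execute_guarded(q), "|", q.sql)
```

The same check passes a numeric id, an empty string and a correctly escaped `O''Brien`, because each still lands inside one literal token; no request-level pattern matching is involved.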