RASP (Runtime Application Self-Protection) is a new concept that aims to change how application security is done. This presentation is envisioned as a guide for early adopters and technology evaluators.
3. About IMMUNIO (www.immun.io, @immunio)
Automatic detection and protection against app security vulnerabilities
‣ Formed in 2013
‣ Patented technology
‣ HQ in Montreal, Canada
Customers: [customer logos on the slide]
4. 1 Page Summary
• RASP: Runtime Application Self Protection
• RASP is about prevention of exploitation
• RASP is not IAST, or some version of it
• RASP is a group of technologies
• Key criteria for evaluation
• What and how to inquire about RASP with your vendors
Source: hiddenincatours.com
5. Runtime Application Self-Protection
• Gartner (the term was coined by Gartner)
• A category of technologies (not a single one), differing in:
  • Vendors
  • Products
  • Feature sets
  • Use cases
• Early days
• Technologies in use:
  • Agent-based
  • VM instrumentation
  • Library + network appliance
  • Signatures
6. Runtime Concepts
[diagram: your web application at the centre, fed by three kinds of runtime knowledge]
• Who's interacting with me? Data seen by IT Ops at the "perimeter" (WAF): usernames, IPs, HTTP requests
• What am I about to execute? What RASP sees inside the running application: routes, stack traces, server responses
• What was I designed to do? Information from development: source code, methods, libraries
7. Features: how vendors utilize the technology
• Prevent code injection, cross-site scripting, directory traversal, etc.
  • The "runtime portion" of the OWASP Top 10
  • "Zero-day" vulnerabilities in those classes
• Protect the authentication service and user accounts
• Provide general security intelligence
• Layer 7 DDoS prevention
• Monitor critical business-specific events
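The two slides above describe RASP in terms of three questions (who is interacting with me, what am I about to execute, what was I designed to do) and list injection prevention as the headline feature. The following Python sketch is an added example, not IMMUNIO's product code or anything from the deck: a hypothetical agent hook at the SQL sink that correlates request data (parameters, source IP, user) with the statement about to run and its call site, and blocks the call when request data has spilled across SQL token boundaries instead of staying inside one literal. The request context, the toy lexer, the cursor hook, the sample table, and the two application functions are all assumptions made for the example; a real agent instruments the driver or framework and uses a dialect-aware lexer.

```python
import re
import sqlite3
import threading
import traceback

# Per-thread request context. In a real deployment the web framework's
# middleware populates this; the demo below calls begin_request() directly.
_ctx = threading.local()


class RaspBlocked(Exception):
    """Raised when the hook refuses to run a request-driven statement."""


def begin_request(params, remote_ip="203.0.113.1", user=None):
    """Record 'who is interacting with me': parameters, source IP, user."""
    _ctx.params = dict(params)
    _ctx.remote_ip = remote_ip
    _ctx.user = user
    _ctx.events = []


def end_request():
    _ctx.params = None


# Toy SQL lexer (constructed for this example): single-quoted strings with ''
# escapes, numbers, identifiers; any other character is a one-character token.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|\s+|.", re.S)


def structure_changed(sql, value):
    """True if `value` appears verbatim in `sql` and overlaps more than one
    token, i.e. request data became SQL syntax rather than a single literal."""
    if len(value) < 3:
        return False
    spans = [(m.start(), m.end()) for m in _TOKEN.finditer(sql)
             if not m.group().isspace()]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        touched = [s for s in spans if s[0] < end and s[1] > start]
        if len(touched) != 1:
            return True
        start = sql.find(value, start + 1)
    return False


class GuardedCursor(sqlite3.Cursor):
    """Instrumented sink: inspects every statement before the driver runs it."""

    def execute(self, sql, parameters=()):
        params = getattr(_ctx, "params", None)
        if params:  # only request-driven execution is checked; setup queries pass
            for name, value in params.items():
                if isinstance(value, str) and structure_changed(sql, value):
                    # 'What am I about to execute?': the statement and its call site.
                    caller = traceback.extract_stack(limit=2)[0]
                    event = {"rule": "sql_injection", "param": name,
                             "remote_ip": _ctx.remote_ip, "user": _ctx.user,
                             "sink": caller.name, "line": caller.lineno, "sql": sql}
                    _ctx.events.append(event)
                    raise RaspBlocked(f"blocked {name!r} from {_ctx.remote_ip} "
                                      f"in {caller.name}")
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)


def lookup_user_vulnerable(conn, name):
    # Deliberately vulnerable: request data is concatenated into the statement.
    sql = "SELECT id FROM users WHERE name = '%s'" % name
    return conn.cursor().execute(sql).fetchall()


def lookup_user_safe(conn, name):
    # Hardened: bound parameter, so the value never reaches the SQL text.
    return conn.cursor().execute(
        "SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def run_demo():
    """Runs three constructed requests through the hook and returns the outcomes."""
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    cur.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    results = {}

    begin_request({"name": "alice"}, remote_ip="198.51.100.10", user="alice")
    results["benign"] = lookup_user_vulnerable(conn, "alice")  # runs, [(1,)]

    payload = "' OR 1=1 --"
    begin_request({"name": payload}, remote_ip="203.0.113.7")
    try:
        lookup_user_vulnerable(conn, payload)
        results["attack_vuln"] = "not blocked"
    except RaspBlocked:
        results["attack_vuln"] = "blocked"
    results["event"] = _ctx.events[0]  # who, where in the code, and what SQL

    begin_request({"name": payload}, remote_ip="203.0.113.7")
    results["attack_safe"] = lookup_user_safe(conn, payload)  # [] and no event
    results["safe_events"] = len(_ctx.events)
    end_request()
    return results
```

Note the two design points the deck's evaluation criteria turn on: the hook costs one lexer pass per statement per request parameter (the performance question), and it stays silent on the parameterized query because the payload never enters the SQL text (the availability question, no false block on valid business use). The recorded event carries the source IP, the user and the exact function and line that issued the statement, which is the application-layer intelligence a WAF at the perimeter cannot provide.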
8. Use Cases: what can you accomplish with RASP?
• Instantly reduce the risk of exploitation
  • In vulnerable or outdated applications
  • In applications for which you don't have remediation resources
  • In all mission-critical web applications and web services
• Prevent account takeover and reduce time to detection of stolen accounts
• Add security to rapid DevOps iterations
• Collect security intelligence on the application layer
9. RASP is not a "version of IAST"
• Preventing exploitation in production vs. finding vulnerabilities in the development environment
• Production... we are talking about production...
• Different technology requirements and design challenges:
  • Performance
  • Availability of service
  • Data and privacy protection
10. Key Evaluation Criteria
• Protection / prevent exploitation
  • Supported languages and frameworks
  • Categories of vulnerabilities that are successfully mitigated
• Availability of service / avoid disruption of valid business use
• Performance / suitable for adoption in production
11. Adoption Challenges
• General awareness about application security
• Appsec investment in general
• Remediation challenges
• Understanding of WAF limitations
• Maturity of technology and business processes around RASP
  • Procedures and actions based on application security intelligence
  • Runtime / ops data vs. vulnerabilities
  • Roles and responsibilities
Source: hiddenincatours.com
12. Evaluating RASP
• Evaluation plan
  • Define evaluation criteria, applications and timeline
  • Articulate the business problem
• Get buy-in / engage key stakeholders
  • The "Yes, we can build something like that ourselves, but we shouldn't" conversation
  • The "We already do static and dynamic scanning and have a WAF, why do we need another solution?" conversation
• Communicate
  • Feedback to the vendor
  • Stakeholders
Source: cipa.icomos.org
There are great differences between individual solutions: differences in the underlying technologies, and differences in what the solutions do and which use cases they address.