RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is a envisioned as a guide for early adopters and technology evaluators.

1. From the Frontlines of RASP
Adoption
Boston OWASP meetup
September 28, 2016

2. www.immun.io @immunio
About the Presenter
‣Goran Begic
‣@gbegicw
‣VP of Product at IMMUNIO
2
‣Favorite Topics
‣ Application Security / SAST, DAST, IAST, RASP….
‣ Product Management / Marketing
‣ Customer Success
‣ Innovation
‣ SaaS / B2B
‣Past Experience
‣ Veracode, SmartBear, MathWorks, IBM, Rational
Software

3. www.immun.io @immunio
Automatic detection and protection against
app security vulnerabilities
‣ Formed in 2013
‣ Patented Technology
‣ HQ in Montreal, Canada
3
Customers:
About IMMUNIO

4. www.immun.io @immunio
1 Page Summary
• RASP: Runtime Application Self Protection
• RASP is about prevention of exploitation
• RASP is not IAST, or some version of it
• RASP is a group of technologies
• Key criteria for evaluation
• What and how to inquire about RASP with your
vendors
Source: hiddenincatours.com

5. Runtime Application Self-Protection
• Gartner
• Category of technologies (not one)
• Vendors
• Products
• Feature sets
• Use cases
• Early days
• Technologies
• Agent-based
• VM instrumentation
• Library + network appliance
• Signatures

6. www.immun.io @immunio
Runtime Concepts • Usernames
• IPs
• HTTP Requests
Your Web
Application
Development
information
data
IT Ops
“Perimeter”
WAF
RASP
• Routes
• Stack traces
• Server Response
• Source code
• Methods
• Libraries
Who’s interacting
with me?
What am I about to execute?
What was I designed to do?

7. www.immun.io @immunio
Features
How vendors utilize technology
• Prevent Code injections, Cross-Site Scripting,
Directory Traversal etc.
• “Runtime portion of OWASP Top 10
• “Zero-day”
• Protect authentication service and user accounts
• Provide general security intelligence
• Layer 7 DDOS prevention
• Monitor critical business-specific events

8. www.immun.io @immunio
• Instantly reduce risk of exploitation
• In vulnerable, or outdated applications
• In applications for which you don’t have remediation resources
• In all mission critical web applications and web services
• Prevent account takeover and reduce time to detection of stolen
accounts
• Add security to rapid DevOps iterations
• Collect security intelligence on the application layer
Use Cases
What can you accomplish with RASP?

9. RASP is not a “version of IAST”
• Preventing exploitation in production vs. finding vulnerabilities in
development environment
• Production... we are talking about production…
• Different technology requirements and design challenges
• Performance
• Availability of service
• Data and privacy protection

10. www.immun.io @immunio
• Protection / Prevent exploitation
• Supported languages and frameworks
• Categories of vulnerabilities that are successfully
mitigated
• Availability of service / Avoid disruption of valid
business use
• Performance / Suitable for adoption in production
Key Evaluation Criteria

11. Adoption Challenges
• General awareness about applications security
• Appsec investment in general
• Remediation challenges
• Understanding of WAF limitations
• Maturity of technology and business processes
around RASP
• Procedures and actions based on application security
intelligence
• Runtime / ops data vs. vulnerabilities
• Roles and responsibilities Source: hiddenincatours.com

12. www.immun.io @immunio
•Evaluation plan
• Define evaluation criteria, applications and timeline
• Articulate business problem
•Get buy in / engage key stakeholders
• “Yes, we can build something like that ourselves, but we
shouldn’t” conversation
• “We already do static and dynamic scanning, have WAF, why
do we need “another solution” conversation”
•Communicate
• Feedback to vendor
• Stakeholders
Evaluating RASP
Source: cipa.icomos.org

13. www.immun.io @immunio
Questions
• Contact: @gbegicw