In most organizations today, the most precious assets (if not the most precious asset) are their applications (and the data they handle). Yet those same organizations protect their applications only from the outside.
“Imagine a person who leaves his house always surrounded by bodyguards, because he cannot protect himself. He doesn’t have the skills or the muscles. That’s exactly what we have” with applications today, according to Joseph Feiman, analyst for Gartner.
“Strangely enough, though very logically, we protect applications from the outside only. We build all these firewalls around it expecting that these firewalls—the perimeter protection technologies or infrastructure protection technologies—will protect our applications. It’s not sufficient; it’s absolutely obvious.
“There is a huge hole in security,” Feiman continued. “The application itself cannot protect itself, so all we do is build more and more firewalls around it. We establish network firewalls, but that’s not enough. We establish an intrusion prevention system, and that’s not enough. We establish Web application firewalls, and still it’s not enough. We keep doing the very same things expecting that the results will be different. And that’s why we see this continuous success of hackers against our apps. An app cannot protect itself.”
Part of the problem with protecting applications from the perimeter is that the perimeter itself is shifting, blurring and even disappearing in certain scenarios. “It’s one thing when I’m working in an office, and we have a firewall, and, yes, it protects me,” Feiman said. “But when I work in a café, or take a train…to Washington D.C. or Boston, where’s the firewall? It’s non-existent.
“When my enterprise is no more just an on-premise enterprise, but parts of it are on-premise but many parts are on different clouds, where is the perimeter? The perimeter is dissipating. The more mobile and cloud [reliant] we become, the more the perimeter is dissipating. We are moving now toward another issue, toward the Internet of Things. Are we expecting that my dishwasher will have a firewall, as well as my heater or cooler? It’s hard to believe.”
Finally, there is the issue of internal attacks. Most of the technologies we’ve created to protect applications assume the threats will come from outsiders. “And yet we learned over the last several years, very damagingly to the United States for example, that the most dangerous hackers are not outsiders but insiders, and firewalls cannot protect you against Edward Snowden, who sits inside with permission to access applications,” said Feiman.
He began researching these issues some four years ago, and came to the conclusion that applications must protect themselves from all attacks. He has identified Runtime Application Self-Protection (RASP) as a way to accomplish that.
How RASP works
According to Feiman, “Applications today don’t run by themselves; they run on runtime platforms,” like a Java virtual machine or the .NET Common Language Runtime (CLR), or even Apache Tomcat Server or Microsoft IIS, which have a JVM and CLR implementation, respectively. “So you instrument these runtime platforms with an additional feature. They have multiple features, such as garbage collection, for example, or a debugger. You add one more, which is a feature that’s capable of watching data flow and logic flow. See data coming into the application, analyzing where they go, understanding that this is an attack, and stopping an attack just by stopping the execution of that thread of logic.”
Think of the RASP technology as an interceptor. Virtual machines are designed to execute every instruction they receive, whether it’s a calculation or access to a database. Adding RASP to the virtual machine makes it capable of analyzing data flow and logic flow to detect whether the input is malicious or not.
According to Feiman, these RASP-enabled virtual machines “can see data coming in a particular field—an entry field, for example, [or] the ID or password. They see data coming in there; typically it goes down and ends up as a SQL injection because nobody checks it. Now because it’s a part of the virtual machine, it checks the contents and structure of this request, and sees that it has SQL injection. This is a simplified explanation of how it works. If it sees it came from the data entry, which is supposed to have a password and ID, but it contains the actual script or language, which is SQL…it can simply stop it at the very last moment.
“It follows,” he continued, “that when it detects an entry point and sees what’s coming in the application, it can watch where it goes. The virtual machine loads pieces of the execution, and when it loads the SQL request and sees that data is there, and the data came from the user ID entry and it contains not a text but…instructions, it would not let this piece of virtual machine execute it. It can also warn you that it detected it. It can log it so you can see what happened and analyze later on, and it gives you an opportunity to run it in that diagnostic mode for as long as you wish so you can be sure it works well.”
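As an added illustration (not code from the article, Gartner or any RASP vendor), the following Python model shows the flow Feiman describes: data from a login form is marked tainted at the entry point, the taint follows it through string concatenation, and a hook at the SQL sink refuses to execute when tainted bytes have become SQL syntax instead of staying inside a literal. The Tainted class, injection_spans, the block/monitor modes and the sample users table are assumptions of this model, standing in for the runtime instrumentation a real RASP agent performs.

```python
import re
import sqlite3

# Tiny SQL lexer: quoted literal, number, word, single punctuation char.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

class Tainted(str):
    """str that remembers which character ranges came from outside the app.
    Hypothetical stand-in for the runtime taint tracking a RASP agent does;
    only '+' concatenation propagates taint in this model."""
    def __new__(cls, value, spans=None):
        obj = super().__new__(cls, value)
        obj.spans = list(spans) if spans is not None else [(0, len(value))]
        return obj

    def __add__(self, other):
        tail = [(a + len(self), b + len(self)) for a, b in getattr(other, "spans", [])]
        return Tainted(str.__add__(self, other), self.spans + tail)

    def __radd__(self, other):  # plain str + Tainted
        return Tainted(str.__add__(other, self),
                       [(a + len(other), b + len(other)) for a, b in self.spans])

def injection_spans(sql):
    """Tainted ranges not wholly inside one quoted literal: outside data
    that became SQL syntax (keywords, operators, quotes)."""
    literals = [(m.start(), m.end()) for m in TOKEN.finditer(sql) if m.group()[0] == "'"]
    return [(a, b) for a, b in getattr(sql, "spans", [])
            if not any(ls < a and b < le for ls, le in literals)]

def guarded_execute(conn, sql, mode="block"):
    """RASP hook at the SQL sink: 'block' stops this thread of logic,
    'monitor' (the diagnostic mode) only reports and lets the query run."""
    findings = injection_spans(sql)
    if findings and mode == "block":
        raise PermissionError(f"RASP blocked SQL injection at {findings}: {sql}")
    return conn.execute(str(sql)).fetchall(), findings

def login(conn, user, pw, mode="block"):
    """Deliberately vulnerable app code: builds SQL by concatenation.
    Tainted() marks the two values as arriving from the login form."""
    sql = ("SELECT id FROM users WHERE name='" + Tainted(user)
           + "' AND pw='" + Tainted(pw) + "'")
    return guarded_execute(conn, sql, mode)

def demo_db():
    conn = sqlite3.connect(":memory:")  # constructed sample data for the example
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'secret')")
    return conn
```

The check is structural, not a blacklist: a value that stays inside its literal passes whatever it contains, while a value that closes the quote and adds operators is caught at the sink, exactly where a perimeter firewall no longer sees the query.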
Feiman wrote in a September 2014 Gartner “Maverick” research note that three vendors are offering what they are calling RASP technology; another 13 are developing the technology.
Of the three extant offerings, the one from HP instruments the application server, becoming an integral part of the runtime environment.
Prevoty implements RASP as a filter of the data input into an application, programmed as a Java servlet for Java applications or as an HTTP module for .NET applications.
Prevoty also offers an SDK that allows customization of the company’s RASP tool. The SDK calls, Feiman wrote, are recommended for programming at the application’s code location that receives data input from outside the application, where Prevoty RASP will sanitize malicious input. Both Prevoty solutions protect against persisted and reflected cross-site scripting, cross-site request forgery attacks, and input validation exploits. The SDK also offers protection against SQL injection.
A company called Waratek also has server-side RASP (implemented as instrumentation to the JVM) and creates a secure Java Virtual Container that provides a rules-based interface to manage and mitigate specific app security problems.
And while Feiman said that adding a RASP “layer” inside a Java VM could hurt an application’s performance by taking CPU cycles to execute the logic, he noted wryly that “We should remember these CPUs taken to execute this RASP logic are actually what your programmers should have done on their own to do verification of vulnerabilities and stopping them. But they’ll never do it. They’ve never done it before and they’ll never do it. That’s why RASP is taking care of what they will never do.”