Applications currently delegate most of their runtime security protection to external devices, typically to network-located firewalls and intrusion prevention systems (IPSs) of different kinds.
The protection capabilities of these external devices can be insufficient, because they lack insight into application logic, configuration, and data and event flows, which are critical for detecting and deterring attacks with the necessary high accuracy.
Applications can be better protected when they possess self-protection capabilities built into their runtime environments, which have full insight into application logic, configuration, and data and event flows.
Runtime application self-protection (RASP) technology is emerging to offer these capabilities and fulfil these demands.
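To make the "insight into data flows" argument concrete, here is an added example (not code from the original article or from any RASP vendor) of the kind of in-process hook a RASP agent installs. It wraps a database cursor so that every statement executed by the application passes through a check that a network firewall cannot perform: because the hook sits inside the runtime, it knows which values arrived from the request, and it can tell whether one of them has changed the lexical structure of the query rather than occupying a single literal. The request context, the token classes, the `GuardedCursor` wrapper, and the sample inputs are all constructed for this illustration; `sqlite3` is only the stand-in database.

```python
"""Minimal RASP-style hook around a DB-API cursor (constructed demo, not a product)."""
import re
import sqlite3
import threading

# Request-scoped memory of which values crossed the trust boundary. In a real
# deployment the HTTP layer would record request parameters here; this is the
# application-level context an external device never sees.
_ctx = threading.local()


def begin_request(untrusted_values):
    _ctx.untrusted = [v for v in untrusted_values if v]


def end_request():
    _ctx.untrusted = []


# Lexical classes of a SQL statement; whitespace is dropped from the shape.
_TOKEN = re.compile(
    r"(?P<WS>\s+)|(?P<STR>'(?:[^']|'')*')|(?P<NUM>\d+(?:\.\d+)?)|(?P<WORD>\w+)|(?P<OP>[^\s\w])"
)


def sql_shape(sql):
    """Return the sequence of token kinds, e.g. ('WORD', 'OP', 'STR')."""
    return tuple(m.lastgroup for m in _TOKEN.finditer(sql) if m.lastgroup != "WS")


class InjectionBlocked(Exception):
    pass


def check_query(sql, untrusted):
    """Return the first untrusted value that altered the statement's structure, else None.

    Data used as data occupies exactly one literal. If replacing the value with a
    harmless placeholder of the same class changes the token shape, the input has
    contributed syntax rather than a value, and the statement must not run.
    """
    for value in untrusted:
        if value not in sql:
            continue  # value was bound as a parameter or not used in this statement
        placeholder = "0" if value.isdigit() else "X"
        template = sql.replace(value, placeholder)
        if sql_shape(template) != sql_shape(sql):
            return value
    return None


class GuardedCursor:
    """Wraps a DB-API cursor so every execute() passes through the check above."""

    def __init__(self, cursor, log):
        self._cursor = cursor
        self._log = log  # security event log, so blocks are visible to operations

    def execute(self, sql, params=()):
        bad = check_query(sql, getattr(_ctx, "untrusted", []))
        if bad is not None:
            self._log.append({"action": "blocked", "input": bad, "sql": sql})
            raise InjectionBlocked(f"untrusted input altered query structure: {bad!r}")
        self._log.append({"action": "allowed", "sql": sql})
        return self._cursor.execute(sql, params)

    def __getattr__(self, name):
        return getattr(self._cursor, name)  # fetchall() etc. pass straight through


def demo():
    """Run three requests through the hook and report what happened to each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    log = []
    cur = GuardedCursor(conn.cursor(), log)
    results = {}

    # 1. Benign value concatenated into the statement: poor practice, but it still
    #    occupies a single string literal, so the shape is unchanged and it runs.
    begin_request(["alice"])
    cur.execute("SELECT name FROM users WHERE name = '%s'" % "alice")
    results["benign"] = [r[0] for r in cur.fetchall()]
    end_request()

    # 2. Constructed tautology input in the same statement: the value now adds
    #    extra tokens, so the hook refuses to execute it and logs the event.
    payload = "alice' OR '1'='1"
    begin_request([payload])
    try:
        cur.execute("SELECT name FROM users WHERE name = '%s'" % payload)
        results["tautology"] = "executed"
    except InjectionBlocked:
        results["tautology"] = "blocked"
    end_request()

    # 3. Same input bound as a parameter: it never enters the SQL text, the shape
    #    is unchanged, and the lookup simply finds no such user.
    begin_request([payload])
    cur.execute("SELECT name FROM users WHERE name = ?", (payload,))
    results["parameterized"] = [r[0] for r in cur.fetchall()]
    end_request()
    return results, log


if __name__ == "__main__":
    print(demo())
```

The third request is the point of the example: a WAF inspecting the HTTP request sees the same suspicious string in cases 2 and 3 and must guess, whereas the in-process hook sees that in case 3 the value was bound as a parameter and never touched the statement, so it neither blocks a harmless lookup nor misses the harmful one.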
Recommendations for security professionals:
At Type A enterprises (aggressive and skillful technology adopters), consider RASP adoption in 2012 and 2013. At Type B and Type C enterprises (mainstream and conservative technology adopters), consider RASP adoption within the next three to five years.
Request application security vendors, especially dynamic application security testing (DAST), static application security testing (SAST), interactive application security testing (IAST), and web application firewall (WAF) vendors, to deliver RASP technology, and make RASP an important criterion when selecting any of these technologies.
Request application platform and application security vendors to automate and simplify RASP installation and management, which is a critical factor in successful RASP adoption.
Make sure RASP is installed and operational on each runtime environment that should be protected, and that it has been tested for stability and performance impact.
Use RASP, WAF, or both, as they are dedicated application protection technologies (though with their own strengths and challenges).
Joseph Feiman is a research vice-president and fellow at Gartner.
This was first published in June 2012