Runtime Application Self-Protection

Learn how RASP blocks potentially malicious activity while an application is in the software development lifecycle.


What is RASP?

Runtime application self-protection (RASP) tools block potentially malicious activity while an application is in production. RASP monitors a company's application at runtime, analyzing both its behavior and the context in which that behavior occurs. If RASP detects a security event, such as an attempt to run a shell, open a file, or call a database, it automatically attempts to terminate that action.

RASP can prevent the major forms of web application attack: cross-site scripting (XSS), SQL injection (SQLi), account takeover attempts and other zero-day exploits. RASP can also be beneficial to businesses with lean security resources because it can automatically block attacks on the spot without the need for human intervention.

As attacks on web applications keep increasing, businesses find it challenging to properly secure all of their applications, some of which may harbor vulnerabilities that were not identified or mitigated early on within the software development lifecycle or through the various types of application security testing. This is why including protection within the application itself helps companies better balance security requirements with the imperative to roll out apps in a timely manner.

Key Benefits of RASP

One key benefit of RASP is that it can both detect and block attacks on applications in real time. Because RASP works inside the application at runtime, it can see the application's actual behavior. Rather than analyzing traffic against preset signatures or known patterns of common attacks, as a web application firewall (WAF) does, RASP looks for suspicious actions taking place within the application itself.

This reduces the false positives and noise that WAFs typically generate, alerting the security team to actual malicious activity so it doesn't have to guess at the impact of random suspicious network events. By providing more accurate alerts, RASP also frees the security team to focus on strategic security priorities. RASP can also issue warnings to users, educating legitimate users who have unintentionally made risky requests about why their request was denied.

Because RASP has the advantage of understanding the application's runtime context, it can deliver security that is better tailored to the app's specific requirements, all without requiring changes to the application code.

Unlike web application firewalls (WAFs), which filter traffic and content at the perimeter but have no visibility into activities that may be taking place within the perimeter itself, RASP can still defend applications from an attack even after an attacker has breached perimeter defenses. In an increasingly complex environment where multiple endpoints may be compromised, this is a valuable asset for an organization's application security.

How RASP Works

As Gartner explains, RASP is "a security technology that is built on or linked into an application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks." Typically via an agent placed on the server, RASP adds security checks to the applications running there. RASP then continually evaluates calls to these applications to ensure that they are safe and can proceed.

When an obviously unsafe call occurs, RASP steps in and blocks it, for example by terminating a suspicious user session or denying a request to execute a specific application. This additional security layer at the application level, particularly when combined with secure software development practices and other application security tools, can greatly strengthen an organization's overall application security. RASP can also give the security team timely and accurate alerts about real-time malicious actions as they take place in the application environment, enabling a rapid response when an attack occurs.
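The agent-and-hook model described above, as a minimal RASP-style agent for a Python service. This is an added example, not Rapid7's code or any product's implementation: the agent replaces the runtime's `open` and `subprocess.Popen` with guarded versions so that each file or process call is checked against a policy at the moment the application makes it, and the policy (an allowed binary, an allowed upload directory), the `Policy`, `RaspAgent` and `Event` names and the sample requests in `demo()` are all constructed for illustration.

```python
"""Minimal RASP-style agent (added example, not Rapid7 code).
Hooks the runtime's file and process primitives so every call is checked against a
policy when the application makes it; the application code itself is not changed."""
import builtins
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import Optional


class BlockedByRasp(RuntimeError):
    """Raised inside the application call that the agent refused to let proceed."""


@dataclass
class Policy:
    # Constructed policy: binaries the service is expected to launch, and where it may write.
    allowed_binaries: frozenset = frozenset({"/usr/bin/convert"})
    allowed_write_prefixes: tuple = ("/var/app/uploads/",)

    def check_file(self, path: str, mode: str) -> tuple:
        writing = any(flag in mode for flag in "wax+")
        if writing and not path.startswith(self.allowed_write_prefixes):
            return False, f"write outside allowed directories: {path}"
        return True, f"open {mode} {path}"

    def check_process(self, args, shell: bool) -> tuple:
        cmdline = args if isinstance(args, str) else " ".join(map(str, args))
        if shell and any(ch in cmdline for ch in ";|&$`"):
            return False, f"shell metacharacters in command: {cmdline}"
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            return False, f"unparseable command: {cmdline}"
        if not argv or argv[0] not in self.allowed_binaries:
            return False, f"binary not in allow-list: {argv[0] if argv else ''}"
        return True, f"exec {cmdline}"


@dataclass
class Event:
    kind: str
    detail: str
    blocked: bool


class RaspAgent:
    """Installs the hooks and records every decision it makes."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.events: list = []
        self._orig_open = builtins.open
        self._orig_popen = subprocess.Popen

    def install(self):
        builtins.open = self._guarded_open
        subprocess.Popen = self._guarded_popen  # subprocess.run/call build on Popen

    def uninstall(self):
        builtins.open = self._orig_open
        subprocess.Popen = self._orig_popen

    def _decide(self, kind: str, ok: bool, detail: str):
        self.events.append(Event(kind, detail, blocked=not ok))
        if not ok:
            raise BlockedByRasp(f"{kind}: {detail}")

    def _guarded_open(self, file, mode="r", *args, **kwargs):
        ok, detail = self.policy.check_file(str(file), mode)
        self._decide("file", ok, detail)
        return self._orig_open(file, mode, *args, **kwargs)

    def _guarded_popen(self, args, *pargs, **kwargs):
        ok, detail = self.policy.check_process(args, bool(kwargs.get("shell", False)))
        self._decide("process", ok, detail)
        return self._orig_popen(args, *pargs, **kwargs)


def demo() -> list:
    """Constructed request handling: one legitimate read, then three calls the policy
    refuses. Returns the agent's event log; blocked calls never reach the OS."""
    agent = RaspAgent(Policy())
    agent.install()
    attempts = [
        lambda: open(__file__, "r").close(),                      # allowed: read
        lambda: open("/etc/cron.d/app", "w"),                     # blocked: write outside uploads
        lambda: subprocess.run("ls; whoami", shell=True),         # blocked: shell metacharacter
        lambda: subprocess.run(["/usr/bin/bash", "-c", "id"]),    # blocked: binary not allowed
    ]
    try:
        for attempt in attempts:
            try:
                attempt()
            except BlockedByRasp:
                pass  # already logged; a real agent would fail the request here
    finally:
        agent.uninstall()
    return agent.events
```

The point of the hook placement is that the decision is made with the full call context (which binary, which path, which mode) rather than from request bytes, which is exactly what a perimeter filter lacks; a production agent hooks far more primitives (sockets, database drivers, deserialization) and installs them at process start rather than from application code.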

Because RASP does not require changes to application code, it doesn't affect application design, which means the company is free to continue developing and refining the application as needed. This may be especially beneficial when a business will be maintaining apps within its environment for the foreseeable future.

When combined with a WAF, which typically excels at identifying patterns of suspicious activity originating from multiple sources, such as in a botnet attack, RASP can provide valuable real-time insight into the actual threats an organization faces. While a WAF gives you one view, you need a deeper understanding of what is executing in order to see the full picture.

RASP vs. WAF

RASP is sometimes confused with its cousin, the web application firewall, but the two technologies are actually quite distinct. Whereas a WAF continually analyzes application traffic at the perimeter for potential malicious activity using static rules based on known forms of attack, RASP blocks malicious activity as it happens within the application itself.

A WAF will often require a learning period in order to be effective and still may not be nimble enough to fend off newer forms of attack that it has not seen before, leaving a business potentially vulnerable during the window of time when the WAF has not yet received new rules to combat the emerging threat. A RASP, however, provides a far more adaptable real-time defense against a variety of attacks at the application layer.

Because RASP works from within the application itself, it can still monitor and protect an application's security even as it is continually updated and further developed. WAF and RASP can complement each other, combining their respective strengths to give a business more comprehensive and robust application security. WAFs give you visibility of what kind of requests are being sent to the application (for instance, if someone has a suspicious request pattern such as a bot brute-forcing a password or someone probing the application for vulnerabilities with a tool such as Metasploit).

RASP, on the other hand, looks at how the application handles those requests. So if someone uses Metasploit, the app owner can see that an exploit has resulted in a file being written where it should not be, an executable being run on the system, unauthorized SQL access, or some unintended assets being loaded on a web page browser-side that could result in data exfiltration.
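The contrast drawn in this section (and the point about WAF noise made under "Key Benefits of RASP") is easiest to see with both checks side by side on the same requests. The following is an added example, not Rapid7's code or any product's implementation: `waf_check` applies static signatures to the raw request value the way a perimeter filter would, while `GuardedCursor` stands in for an agent's hook on the database driver and checks what the application actually executes, using the rule that request-derived (tainted) data may only ever sit inside a single SQL literal. The table, the two request values, the two handler styles and all names are constructed for illustration.

```python
"""Signature check on the request (WAF-style) versus behaviour check at the database
call (RASP-style). Added example, not Rapid7 code; all data below is constructed."""
import re
import sqlite3
from typing import Optional

# --- WAF-style: static signatures applied to the raw request parameter, no app context ---
SIGNATURES = [re.compile(p, re.I) for p in (
    r"'\s*or\s*'", r"\bor\b\s+\d+\s*=\s*\d+", r"union\s+select", r"--", r"/\*")]


def waf_check(param: str) -> bool:
    """True when the request value matches a known-attack signature."""
    return any(sig.search(param) for sig in SIGNATURES)


# --- RASP-style: look at the statement the application hands to the driver ---------------
# Tokenizer: quoted string literal ('' escapes), number, word, single punctuation char.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


class BlockedByRasp(RuntimeError):
    pass


def tainted_data_changed_query(sql: str, tainted: list) -> Optional[str]:
    """Return the request value that altered the statement's structure, or None.
    Request data is harmless only if every occurrence lies entirely inside one token
    (a string or number literal); spanning several tokens means it became SQL syntax."""
    spans = [(m.start(), m.end()) for m in TOKEN.finditer(sql)]
    for value in tainted:
        if not value:
            continue
        start = sql.find(value)
        while start >= 0:
            end = start + len(value)
            if not any(s <= start and end <= e for s, e in spans):
                return value
            start = sql.find(value, end)
    return None


class GuardedCursor:
    """Stand-in for the agent's hook on cursor.execute; an agent would patch the driver
    rather than wrap it, but the decision logic is the same."""

    def __init__(self, cursor, tainted: list):
        self._cur, self._tainted, self.log = cursor, tainted, []

    def execute(self, sql: str, params=()):
        culprit = tainted_data_changed_query(sql, self._tainted)
        self.log.append(("BLOCK" if culprit else "ALLOW", sql))
        if culprit:
            raise BlockedByRasp(f"request data altered SQL structure: {culprit!r}")
        return self._cur.execute(sql, params)


def demo() -> dict:
    """Two constructed request values, each run through a handler that binds the value
    as a parameter and one that concatenates it. Returns every check's verdict."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tracks (title TEXT)")
    db.executemany("INSERT INTO tracks VALUES (?)",
                   [("paint it black",), ("stones -- live",)])
    requests = {"legit": "stones -- live", "inject": "' OR '1'='1"}
    handlers = (
        ("rasp_param", lambda s: ("SELECT title FROM tracks WHERE title = ?", (s,))),
        ("rasp_concat", lambda s: ("SELECT title FROM tracks WHERE title = '" + s + "'", ())),
    )
    out = {"waf": {}, "rasp_param": {}, "rasp_concat": {}}
    for label, value in requests.items():
        out["waf"][label] = waf_check(value)
        for key, build in handlers:
            cur = GuardedCursor(db.cursor(), tainted=[value])
            sql, params = build(value)
            try:
                cur.execute(sql, params).fetchall()
            except BlockedByRasp:
                pass
            out[key][label] = cur.log[-1][0]
    return out
```

Running `demo()` shows the asymmetry the text describes: the signature check fires on both values (the legitimate search term contains `--`, so it is noise), while the runtime check allows everything the parameterized handler does, allows the legitimate value even when concatenated, and blocks only the one call whose statement structure was actually changed by request data.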

3 Tips for Using RASP Successfully

Here are three tips for getting the most out of a RASP solution:

1. RASP works best as part of a comprehensive application security program

RASP is great at fending off many forms of attack such as cross-site scripting and SQL injection at runtime, but it should not be solely relied on for protecting a business against every application security threat that exists. By adopting a DevSecOps approach in which security is shifted left within the SDLC, and by making sure you have a comprehensive application security program in place, you are more likely to stop attacks.

Depending on your company's unique security requirements, you may also opt to run a RASP solution with built-in WAF capabilities to maximize the advantages that both tools offer.

2. Consider how your RASP solution works with your DevSecOps ecosystem

When evaluating RASP products, consider how they will work with the other tools you already have, particularly your DevSecOps systems. Advanced RASP tools may integrate with your existing SIEM, DAST, orchestration and ticketing systems, for example. This integration allows your company to incorporate multiple threat intelligence feeds through APIs, webhooks and leading technologies, enabling you to better monitor and block threats in real time.

3. Test your RASP solution carefully before implementing it

Because RASP integrates so tightly with the application it monitors, it can sometimes cause performance issues. If these issues are severe enough to affect users, they may complain about the change in performance. For this reason, it's wise to carefully test your RASP solution to make sure you understand how it affects application performance before implementing it within your environment.

As attackers increasingly target applications, it is essential for businesses to adopt a comprehensive, multi-layered application security strategy that protects customer data. RASP empowers companies to embed stronger application security checks directly within applications while they are in production, accurately detecting and blocking potential attacks in real time. For this reason, RASP can be a valuable part of an organization's application security toolkit.

Read more about web application security

Learn about Rapid7's web application security products

DevOps Security: Latest news from the blog