As an former engineer, I am biased towards getting excited around toys that blink, light up, and are otherwise technically advanced and “cool”. There are lots of us in the security world. As long as I can remember I’ve been into technology, and I’m willing to bet, so have you.
While this bias can be advantageous to a security person’s ability to learn and rapidly understand new technology, it can also lead to expenditures on new technologies that really don’t provide enough business value to warrant purchase. You have to be careful where you spend your limited security budget and make sure that the technology you are purchasing actually provides security value for your organization. Invest in technologies that make your security posture and business better, regardless of the level of hype. Invest in business value.
The Business Value of RASP
The term RASP (Runtime Application Self Protection) was coined by Gartner Research way back in 2012, establishing a market that has recently become a valuable way to secure your web applications in production. Like most emerging technologies, it took five years and required significant changes in the technology landscape to gain traction with buyers. It wasn’t just the innovation of placing runtime security directly into your application that allowed RASP to become successful, the technology rode on the back of the shift to agile development, cloud deployments, and the rise of DevOps before becoming mainstream. Enterprises had to feel the pain and difficulty of securing modern web applications before searching for alternatives to the old and failed methods of protection.
As with any technology, there is always a problem of scale that must be solved. RASP’s problem of scale is the number and type of languages or runtimes that it supports. If you can’t support all of the applications that are in use in the enterprise, the deployment value of the RASP decreases drastically. That is the biggest drawback to RASP as an isolated technology, it works only on certain languages and runtimes, and most RASP only vendors don’t understand the breadth of security coverage that practitioners require.
Don’t Fall In Love With A One Trick Pony
It’s one thing to perfectly support the one enterprise app that is outward facing, written in Java, and runs in Apache with a MongoDB back end. Protecting that one application has value, but most organizations have hundreds of applications with a variety of languages and architectures. The value of a security technology drastically changes when it can offer security for any application that you build regardless of the technology stack, physical location, and languages in use. That’s HIGH value.
When looking into RASP technologies you have to take into account the number of languages and runtimes that it supports, which of those you run throughout your business, and how you can leverage the purchase of this protection technology to go well beyond a single technology stack. The reality is that enterprises have multiple technology stacks and they use those disparate technologies in a multitude of deployment locations including on premise, cloud, PaaS, microservice, and API models.
This specifically is why Signal Sciences created a Web Protection Platform (WPP). Signal Sciences WPP includes a next generation web application firewall (NGWAF) as well as RASP deployment options allowing our customers the ability to protect their entire production application portfolio regardless of language or infrastructure choices.
The Signal Sciences RASP supports C# and .Net, PHP, Python, Ruby, and Java/JVM. However we don’t stop at just those languages and runtimes. The Signal Sciences NGWAF deployment model works in all modern servers, platforms and infrastructures. We support all modern web server types and can work in your own data center, as well as in Amazon, Pivotal PaaS, Azure, Google Compute and others.
By giving our customers a menu of choice on how they wish to deploy, and delivering on security visibility and protection equally in all models, our customers are able to protect their entire application infrastructure and not just one or two apps in pre-production. Enterprises must look for technologies that go way beyond just a WAF or RASP in isolation. Invest in a complete web protection platform that gives you flexibility in your security coverage.