Runtime Application Self-Protection (RASP)

Learn how RASP blocks potentially malicious activity while an application is running in production.


What is RASP?

Runtime application self-protection (RASP) tools block potentially malicious activity while an application is in production. RASP watches a company's application at runtime, analyzing its behavior as well as the context in which that behavior occurs. If RASP detects a security event, such as an attempt to run a shell, open a file, or call a database in a way that does not fit the request the application is handling, it automatically attempts to terminate that action.

RASP can prevent the major forms of web application attack, cross-site scripting (XSS) and SQL injection (SQLi), as well as attempted account takeovers and some exploits of previously unknown (zero-day) vulnerabilities. RASP is also useful for businesses with lean security resources, because it can block attacks automatically without the need for human intervention.

As attacks on web applications continue to rise, businesses are finding it challenging to properly safeguard all of their applications, some of which may contain vulnerabilities that were not identified or mitigated earlier in the software development lifecycle or through the various types of application security testing. This is why building protection into the application itself can help companies better balance security needs with the need to release applications on time.

Key benefits of RASP

A key benefit of RASP is that it can detect and block attacks on applications in real time. Because RASP is instrumented into the application at runtime, it has visibility into the application's actual behavior. Instead of analyzing preset signatures or known patterns of common attacks, as a web application firewall (WAF) would, RASP can look for suspicious actions that are taking place inside the application.

This cuts down on false positives and the noise typically generated by WAFs, alerting security teams to actual malicious activity rather than leaving them to guess at the impact of random suspicious network events. By providing more accurate alerts, RASP also frees the security team to focus on strategic security priorities. RASP can also issue warnings to users, educating legitimate users who unintentionally make a dangerous request about why the request was denied.

Since RASP has the benefit of knowing an application's runtime context, it can provide security tailored to the application's specific needs, all without requiring changes to the application code.

Unlike web application firewalls (WAFs), which filter traffic and content at the perimeter but have no visibility into activity that may be happening inside it, RASP can still protect the application from attack even after an attacker has breached the perimeter defenses. In an increasingly complex environment with multiple endpoints that could be compromised, this can be a valuable asset to an organization's application security.

How RASP works

As Gartner explains, RASP is "a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks." Often via an agent placed on the server, RASP adds security checks into the applications running there. RASP then continuously evaluates the calls those applications make to ensure they are safe and can proceed.

When an obviously unsafe call occurs, RASP steps in and blocks it, for example by terminating the suspicious user session or refusing to execute that particular request to the application. This extra layer of security at the application layer, especially when combined with secure software development practices and other application security tools, can greatly strengthen an organization's overall application security. RASP can also provide security teams with timely and accurate alerts when malicious actions occur in the application environment, facilitating rapid response in the event of an attack.
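As an added illustration of the mechanism described in this section and under "What is RASP?" above (a toy written for this article, not Rapid7's product or any vendor's agent), the Python script below monkey-patches `sqlite3.connect` and `subprocess.run` so that, with no change to the application's own code, every SQL statement and shell command is judged against the untrusted inputs of the request currently being handled. The names `enter_request`, `RaspBlocked`, `ALERTS`, the guarded classes and the request payloads are all constructed for the example.

```python
"""Toy RASP-style runtime hooks: instrument the app's own library calls (SQL,
shell) and judge them against the request context the app is handling.
Added example for this article; not Rapid7's product or any vendor's agent."""
import contextvars
import re
import sqlite3
import subprocess
import sys

# Untrusted inputs of the current request. A real agent captures these at the
# framework entry point (e.g. WSGI middleware); here the demo sets them by hand.
_request_inputs = contextvars.ContextVar("request_inputs", default=())
ALERTS = []          # what a real agent would forward to the SIEM
_installed = False


class RaspBlocked(Exception):
    """Raised to refuse the call; the framework turns it into an error response."""


def enter_request(*untrusted):
    _request_inputs.set(tuple(s for s in untrusted if s))


def _tainted_fragments(text):
    return [s for s in _request_inputs.get() if s in text]


def _block(kind, detail):
    ALERTS.append({"kind": kind, "detail": detail})
    raise RaspBlocked(f"{kind}: {detail}")


# --- SQL: a request value may fill exactly one token (a string or number
# literal). If it overlaps more than one token, it changed the statement's
# structure. Toy tokenizer; `find` only looks at the first occurrence.
_SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\"[^\"]*\"|\d+(?:\.\d+)?|\w+|--[^\n]*|[^\s\w]")


def sql_injection_detected(query):
    for frag in _tainted_fragments(query):
        start = query.find(frag)
        end = start + len(frag)
        overlapped = [m for m in _SQL_TOKEN.finditer(query)
                      if m.start() < end and m.end() > start]
        if len(overlapped) > 1:
            return True
    return False


# --- Shell: request data carrying shell metacharacters into a shell=True call.
_SHELL_META = re.compile(r"[;&|`$()<>\n]")


def shell_injection_detected(cmd, shell):
    if not shell:
        return False            # argv lists are never parsed by a shell
    text = cmd if isinstance(cmd, str) else " ".join(map(str, cmd))
    return any(_SHELL_META.search(f) for f in _tainted_fragments(text))


class _GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, *args, **kwargs):
        if sql_injection_detected(sql):
            _block("sqli", sql)
        return super().execute(sql, *args, **kwargs)


class _GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=_GuardedCursor):
        return super().cursor(factory)

    def execute(self, sql, *args, **kwargs):  # the C implementation bypasses cursor()
        return self.cursor().execute(sql, *args, **kwargs)


_orig_connect, _orig_run = sqlite3.connect, subprocess.run


def _guarded_connect(*args, **kwargs):
    kwargs.setdefault("factory", _GuardedConnection)
    return _orig_connect(*args, **kwargs)


def _guarded_run(cmd, *args, **kwargs):
    if shell_injection_detected(cmd, kwargs.get("shell", False)):
        _block("shell-injection", repr(cmd))
    return _orig_run(cmd, *args, **kwargs)


def install():
    """Patch the library entry points; application code stays untouched."""
    global _installed
    if not _installed:
        sqlite3.connect, subprocess.run = _guarded_connect, _guarded_run
        _installed = True


def demo():
    install()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    out = {}
    # Constructed request: one benign value plus two attack payloads as inputs.
    enter_request("alice", "' OR 1=1 --", "x; id")
    out["benign_sql"] = conn.execute("SELECT name FROM users WHERE name = 'alice'").fetchall()
    try:
        conn.execute("SELECT name FROM users WHERE name = '' OR 1=1 --'")
        out["sqli"] = "allowed"
    except RaspBlocked:
        out["sqli"] = "blocked"
    r = subprocess.run([sys.executable, "-c", "print('x; id')"], capture_output=True, text=True)
    out["benign_shell"] = r.stdout.strip()
    try:
        subprocess.run("echo x; id", shell=True)
        out["shell"] = "allowed"
    except RaspBlocked:
        out["shell"] = "blocked"
    return out


if __name__ == "__main__":
    print(demo(), ALERTS)
```

The point of the SQL check is that it is structural rather than signature-based: the payload is caught because a single request value ended up spanning several SQL tokens, not because `OR 1=1` matched a rule, so a payload the agent has never seen is handled the same way. The argv-list shell call passes even though it carries the same `;` payload, because no shell parses it; a WAF looking only at the request could not make that distinction. A production agent replaces the substring taint match and toy tokenizer with real taint propagation and the database's own parser, which is also where most of the performance cost mentioned later in this article comes from.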

Since RASP doesn't require changes to the application code, it doesn't affect the application's design, meaning companies are free to continue developing and improving the application as needed. This can be especially beneficial if a business will be maintaining the application in its environment for the foreseeable future.

When used in combination with a WAF, which typically excels at identifying patterns of suspicious activity from multiple sources (such as botnet attacks), a RASP can deliver valuable real-time insight into the actual threats an organization faces. While a WAF gives you one view, you need more insight into what is actually executing to see the whole picture.

RASP vs. WAF

RASP sometimes gets confused with its cousin, the web application firewall, but these two technologies are actually distinct from one another. Whereas a WAF continuously analyzes application traffic at the perimeter for potentially malicious activity using static rules based on known forms of attack, RASP blocks malicious activity from occurring within the application itself.

A WAF typically needs a learning period before it becomes effective, and may still not be flexible enough to defend against new forms of attack it has not seen before; a business may be exposed during the window in which the WAF has not yet received new rules to combat a new threat. A RASP, however, provides a more adaptive, real-time defense against a wide range of attacks on the application layer.

Because RASP works with the application itself, it can continue to monitor and protect the application even as it is continually updated and developed further. WAFs and RASP can complement each other, combining forces to provide a business with more comprehensive and robust application security. A WAF lets you see the kinds of requests being sent to an application (for example, whether someone has a suspicious pattern of requests, such as a bot brute-forcing passwords, or someone probing the application for vulnerabilities with a tool like Metasploit).

RASP, on the other hand, looks at what the application is doing with those requests. So if someone uses Metasploit, the application owner can see that an exploit caused a file to be written somewhere it shouldn't be, an executable to be run on the system, unauthorized SQL access, or some unexpected resource to be loaded on the browser side, any of which could lead to a data breach.

3 tips for using RASP successfully

Here are three tips to make the most out of a RASP solution: 

1. RASP works best as part of a comprehensive application security program

RASP is very good at defending against many forms of attack at runtime, such as cross-site scripting and SQL injection, but it should not be relied on alone to protect a business from every application security threat that exists. By adopting a DevSecOps approach, in which security shifts left in the SDLC, and ensuring you have a comprehensive application security program, you stand a far better chance of preventing an attack.

Depending on your company's unique security requirements, you may also choose to run a RASP solution with built-in WAF capabilities to maximize the advantages both tools provide.

2. Consider how your RASP solution works with your DevSecOps ecosystem

When you are evaluating RASP products, consider how they may work with the tools you already have in place, especially your DevSecOps systems. An advanced RASP tool might integrate with your existing SIEM, DAST, orchestration, or ticketing systems, for example. Such integration allows your company to merge multiple threat intelligence feeds through APIs, webhooks, and other leading technologies so you can better monitor and block threats in real time.

3. Carefully test your RASP solution prior to implementation

Because RASP integrates so closely with the applications it monitors, it can sometimes cause performance issues. If these issues are significant enough to have an impact on users, they may complain about the change in performance. For this reason, it is wise to test your RASP solution carefully, so that you understand how it affects application performance before implementing it in your environment.

With attackers increasingly targeting applications, it's essential for businesses to adopt comprehensive, multi-layered application security strategies that safeguard customer data. RASP enables companies to embed stronger application security checks directly into applications in production, accurately detecting and blocking potential attacks in real time. For this reason, RASP can be a valuable part of an organization's application security toolkit.
