Dynamic Testing & Runtime Security
Runtime Application Self-Protection (RASP)
RASP protects applications from within during runtime. Unlike WAFs that sit in front of your app, RASP instruments the application itself to detect and block attacks.
How RASP Works
Traditional WAF:

```text
┌─────────┐      ┌─────────┐      ┌─────────────┐
│ Request │ ──▶  │   WAF   │ ──▶  │ Application │
└─────────┘      └─────────┘      └─────────────┘
                      │
              (Pattern matching)
```

RASP:

```text
┌─────────┐      ┌───────────────────────────────┐
│ Request │ ──▶  │          Application          │
└─────────┘      │  ┌─────────────────────────┐  │
                 │  │ RASP Agent (Embedded)   │  │
                 │  │ • Monitors execution    │  │
                 │  │ • Blocks attacks        │  │
                 │  │ • Has runtime context   │  │
                 │  └─────────────────────────┘  │
                 └───────────────────────────────┘
```
RASP vs WAF
| Aspect | WAF | RASP |
|---|---|---|
| Position | Network perimeter | Inside application |
| Context | HTTP layer only | Full runtime context |
| False positives | Higher | Lower |
| Bypass resistance | Lower | Higher |
| Performance impact | Low | Medium |
| Deployment | Network config | Code/agent integration |
| Visibility | Limited | Complete |
What RASP Protects Against
| Attack Type | How RASP Detects It |
|---|---|
| SQL Injection | Monitors database driver calls for injected SQL |
| Command Injection | Intercepts OS exec calls with tainted input |
| Path Traversal | Tracks file operations with user-controlled paths |
| XXE | Monitors XML parser for external entity loading |
| Deserialization | Blocks dangerous class instantiation |
| SSRF | Validates HTTP client calls against whitelist |
RASP Solutions
Open Source
| Tool | Language | Type |
|---|---|---|
| OpenRASP (Baidu) | Java, PHP, Node.js | Agent-based |
| Sqreen (acquired) | Python, Node.js, Ruby | SaaS + Agent |
| ModSecurity (with CRS) | Any (reverse proxy) | WAF/RASP hybrid |
Commercial
| Tool | Languages | Features |
|---|---|---|
| Contrast Security | Java, .NET, Node, Python, Go, Ruby | Full RASP + IAST |
| Imperva RASP | Java, .NET | Enterprise scale |
| Signal Sciences (Fastly) | Any (module) | WAF + RASP |
| Dynatrace AppSec | Java, .NET, Node, PHP, Go | APM + Security |
Implementing RASP: OpenRASP Example
Java Agent Installation
```bash
# Download OpenRASP
wget https://github.com/baidu/openrasp/releases/download/v1.3.7/rasp-java.tar.gz
tar -xzf rasp-java.tar.gz

# Install to Java application
java -jar RaspInstall.jar -install /path/to/tomcat
```
Configuration
```yaml
# openrasp/conf/openrasp.yml
security:
  sql:
    # Monitor all SQL queries
    policy: log  # log, block
  command:
    # Block command injection
    policy: block
  file:
    # Monitor file operations
    policy: log
  xxe:
    # Block XXE attacks
    policy: block

# Whitelist trusted operations
whitelist:
  sql:
    - "SELECT * FROM users WHERE id = ?"
```
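To make the "monitors database driver calls" row and the log/block policy knob concrete, here is a toy in-process hook written for this page (not OpenRASP's code). It wraps sqlite3's `cursor.execute`, keeps the current request's user inputs as runtime context, and flags a query when a tainted value contributes more than one SQL token; the tokenizer, the `handle_request` handler and the sample table are simplifications constructed for the example.

```python
"""Toy RASP-style SQL hook (illustration, not OpenRASP's code). It instruments
sqlite3's cursor.execute from inside the process, so the check sees both the
final SQL and the request's user inputs (the "runtime context" a WAF lacks)."""
import re
import sqlite3
from contextvars import ContextVar
from typing import Optional

# Per-request runtime context: raw user-controlled strings of the current request.
TAINTED = ContextVar("tainted", default=frozenset())
POLICY = {"sql": "block"}  # same log/block knob as the openrasp.yml policy above
WHITELIST = {"SELECT * FROM users WHERE id = ?"}  # parameterised statement, never flagged
ALERTS = []  # what a real agent would ship to the SIEM

# Crude SQL tokenizer: quoted string | number | word | single punctuation char.
# Simplification: a real agent lexes with a full SQL grammar to avoid false positives.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def injected_input(sql: str) -> Optional[str]:
    """Return the tainted value that supplies more than one token to the SQL, if any."""
    for value in TAINTED.get():
        if value in sql and len(_TOKEN.findall(value)) > 1:
            return value
    return None

class RaspCursor(sqlite3.Cursor):
    """Hooked cursor: every execute() passes through the injection check first."""
    def execute(self, sql, parameters=(), /):
        if sql not in WHITELIST:
            hit = injected_input(sql)
            if hit is not None:
                ALERTS.append({"hook": "sql", "input": hit, "sql": sql, "policy": POLICY["sql"]})
                if POLICY["sql"] == "block":
                    raise PermissionError("RASP: blocked SQL injection attempt")
        return super().execute(sql, parameters)  # log mode: record, then let it run

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")  # constructed sample data
    return conn

def handle_request(conn: sqlite3.Connection, user_id: str, policy: str = "block") -> list:
    """Hypothetical request handler that (unsafely) concatenates user input into SQL."""
    POLICY["sql"] = policy
    token = TAINTED.set(frozenset({user_id}))
    try:
        cur = conn.cursor(RaspCursor)
        return cur.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()
    finally:
        TAINTED.reset(token)
```

A plain id passes through untouched, while an input such as `1 OR 1=1` is recorded in `ALERTS` and either raised as `PermissionError` (block) or allowed with a log entry (log), mirroring the "start with logging, graduate to blocking" rollout described later.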
RASP in Container Environments
Kubernetes Sidecar Pattern
```yaml
# deployment.yaml with RASP sidecar
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: my-app:latest
          env:
            # The JVM picks this up and loads the agent before application code runs
            - name: JAVA_TOOL_OPTIONS
              value: "-javaagent:/rasp/rasp.jar"
          volumeMounts:
            - name: rasp-agent
              mountPath: /rasp
      initContainers:
        # Copies the agent jar into the shared volume before the app container starts
        - name: rasp-init
          image: rasp-agent:latest
          command: ['cp', '/agent/rasp.jar', '/rasp/']
          volumeMounts:
            - name: rasp-agent
              mountPath: /rasp
      volumes:
        - name: rasp-agent
          emptyDir: {}
```
RASP Monitoring and Alerting
```yaml
# Alert on RASP blocks
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: rasp-alerts
spec:
  groups:
    - name: rasp
      rules:
        - alert: RASPAttackBlocked
          expr: increase(rasp_attacks_blocked_total[5m]) > 10
          for: 1m
          labels:
            severity: warning
          annotations:
            summary: "High number of attacks blocked by RASP"
```
When to Use RASP
| Scenario | Recommendation |
|---|---|
| High-value applications | Use RASP + WAF |
| Regulatory compliance | RASP provides deep visibility |
| Legacy applications | WAF may be easier |
| Microservices | Consider service mesh + RASP |
| Development/staging | Use in monitoring mode |
| Production | Start with logging, graduate to blocking |
Best Practices
- Start in monitoring mode: Log attacks before blocking
- Tune for your app: Whitelist legitimate patterns
- Monitor performance: RASP adds overhead (~2-5% CPU)
- Integrate with SIEM: Feed RASP logs to security monitoring
- Layer defenses: Use RASP alongside a WAF, not instead of it
In the next module, we'll tackle secrets management and infrastructure security.