RASP (Runtime Application Self-Protection) protects an application from inside the running process. Where a WAF sits in front of your app and inspects HTTP traffic, a RASP agent instruments the application runtime itself (database drivers, process execution, file and network I/O, XML parsers) and detects and blocks attacks at the point where they would take effect.
Traditional WAF:

```text
┌─────────┐     ┌─────────┐     ┌─────────────┐
│ Request │ ──▶ │   WAF   │ ──▶ │ Application │
└─────────┘     └─────────┘     └─────────────┘
                     │
            (Pattern matching)
```

RASP:

```text
┌─────────┐     ┌───────────────────────────────┐
│ Request │ ──▶ │ Application                   │
└─────────┘     │  ┌─────────────────────────┐  │
                │  │ RASP Agent (embedded)   │  │
                │  │ • Monitors execution    │  │
                │  │ • Blocks attacks        │  │
                │  │ • Has runtime context   │  │
                │  └─────────────────────────┘  │
                └───────────────────────────────┘
```
| Aspect | WAF | RASP |
|---|---|---|
| Position | Network perimeter, in front of the app | Inside the application process |
| Context | HTTP layer only | Full runtime context: decoded parameters, the executing code path, the actual query, command or file operation |
| False positives | Higher (must guess what the app will do with the input) | Lower (sees what the app actually does with it) |
| Bypass resistance | Lower (encoding, fragmentation and protocol-level evasion) | Higher (inspects the payload at the sink, after the app has decoded it) |
| Performance impact | Low on the app (separate tier, at the cost of a network hop) | Medium (in-process hooks on every instrumented call) |
| Deployment | Network or DNS configuration | Agent install or code integration, per application |
| Visibility | Requests and responses | Requests plus the execution path inside the app |
| Attack Type | How RASP Detects It |
|---|---|
| SQL Injection | Hooks database driver calls and checks whether request-tainted input changed the statement's structure |
| Command Injection | Intercepts OS exec calls and rejects tainted input that adds shell structure (separators, redirects, substitutions) |
| Path Traversal | Tracks file operations whose path is user-controlled and escapes the intended directory |
| XXE | Hooks the XML parser and denies external entity and DTD loading |
| Deserialization | Blocks instantiation of known-dangerous gadget classes during deserialization |
| SSRF | Validates outbound HTTP client calls against a destination whitelist |
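The SQL injection and command injection rows above describe the same idea from two angles: remember what came from the request, then ask at the sink whether that input changed the structure of what is about to execute. The following Python is an added example written for this page, not OpenRASP's or any vendor's code. The taint store, `check_sql`, `check_command`, the sqlite3 `GuardedConnection` hook and the queries and commands it is run on are all constructed for the illustration; it goes slightly beyond the table by also handling input the developer already quoted, unbalanced quotes and `$(...)`/backtick substitution.

```python
"""RASP-style hooks on two sinks, a SQL driver and the shell.
Added example for this page, not OpenRASP or any vendor's code. Request input
is remembered as tainted; at the sink the hook asks whether that input changed
the *structure* of the statement. A WAF sees only the raw HTTP request; the
sink sees the decoded payload in its final position."""
import re
import shlex
import sqlite3
import threading

_request = threading.local()  # request-scoped taint; a framework request hook sets .tainted

def request_taint():
    return getattr(_request, "tainted", set())

class AttackBlocked(Exception):
    """Raised at the sink; the framework turns it into an error response."""

# SQL injection: tainted input must stay inside a single SQL token.
# Tokens: single-quoted literals, line comments, words/numbers, lone symbols.
_SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\w+|\S")

def sql_tokens_spanned(sql, value):
    """Largest number of tokens any occurrence of `value` overlaps in `sql`.
    Benign input sits inside one token (a quoted literal or a number); input that
    breaks out of the literal spans several, whatever keywords or encodings it uses."""
    spans = [(m.start(), m.end()) for m in _SQL_TOKEN.finditer(sql)]
    worst, start = 0, sql.find(value)
    while start != -1:
        end = start + len(value)
        worst = max(worst, sum(1 for s, e in spans if s < end and e > start))
        start = sql.find(value, start + 1)
    return worst

def check_sql(sql, tainted=None):
    """Return True or raise AttackBlocked for one statement."""
    for value in (request_taint() if tainted is None else tainted):
        if sql_tokens_spanned(sql, value) > 1:
            raise AttackBlocked(f"SQL injection: {value!r} changes query structure")
    return True

# Command injection: tainted input must not add shell structure.
_STRUCTURAL = set("();<>|&$`")  # separators, redirects, substitutions

def shell_structure(value):
    """Shell tokens in `value` that start a new command, redirect or substitution.
    Newlines and unbalanced quotes count too: both escape the developer's quoting."""
    if "\n" in value:
        return ["<newline>"]
    try:
        tokens = list(shlex.shlex(value, posix=True, punctuation_chars=True))
    except ValueError:  # "No closing quotation"
        return ["<unbalanced quote>"]
    return [t for t in tokens if t and t[0] in _STRUCTURAL]

def check_command(cmd, tainted=None):
    """Return True or raise AttackBlocked for one shell command line."""
    for value in (request_taint() if tainted is None else tainted):
        quoted = shlex.quote(value)
        if value not in cmd or (quoted != value and quoted in cmd):
            continue  # absent, or single-quoted by the developer: cannot break out
        bad = shell_structure(value)
        if bad:
            raise AttackBlocked(f"command injection: {value!r} introduces {bad}")
    return True

def verdict(check, statement, tainted=None):
    """'allow' or 'block' for one statement: what monitor mode would log."""
    try:
        check(statement, tainted)
        return "allow"
    except AttackBlocked:
        return "block"

# Hooking the driver: every statement on this connection passes check_sql.
# A Java agent does the equivalent by instrumenting JDBC at class-load time.
class GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, *args):
        check_sql(sql)
        return super().execute(sql, *args)

class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory)
    def execute(self, sql, *args):
        return self.cursor().execute(sql, *args)

def query_by_name(name):
    """The app's vulnerable string concatenation, run through the guarded driver."""
    _request.tainted = {name}  # what the framework's request hook would record
    db = sqlite3.connect(":memory:", factory=GuardedConnection)  # throwaway demo DB
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

if __name__ == "__main__":
    for name in ("alice", "' OR 1=1 --"):  # constructed request inputs
        print(repr(name), "->", verdict(lambda s, _t: query_by_name(s), name))
```

Two design points carry over to real agents. The SQL check needs no signature list: `alice` and `42` each stay inside one token, while `' OR 1=1 --` or `42 OR 1=1` necessarily spans several, however it is spelled. The command check is deliberately structural rather than token-counting, so `user@example.com` (three shlex tokens, none of them a separator) is allowed while `x; rm -rf /` and `$(id)` are not, and a value the developer wrapped with `shlex.quote` is trusted. The simplifications are the ones to remove before relying on it: the tokenizer ignores double-quoted identifiers and `/* */` comments, only `execute` is hooked (not `executemany` or `executescript`), and tainted values shorter than the attacker's payload are not tracked through string transformations.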
| Tool | Language | Type |
|---|---|---|
| OpenRASP (Baidu) | Java, PHP, Node.js | Agent-based, open source |
| Sqreen (acquired by Datadog) | Python, Node.js, Ruby | SaaS + agent |
| ModSecurity (with CRS) | Any (reverse proxy or web-server module) | WAF engine, not RASP: it inspects HTTP traffic and has no application runtime context |
| Tool | Languages | Features |
|---|---|---|
| Contrast Security | Java, .NET, Node, Python, Go, Ruby | Full RASP + IAST |
| Imperva RASP | Java, .NET | Enterprise scale |
| Signal Sciences (Fastly) | Any (module) | WAF + RASP |
| Dynatrace AppSec | Java, .NET, Node, PHP, Go | APM + Security |
```bash
wget https://github.com/baidu/openrasp/releases/download/v1.3.7/rasp-java.tar.gz
# Verify the archive against the checksum published with the release before going on.
tar -xzf rasp-java.tar.gz
# RaspInstall.jar ships in the extracted archive; it patches the Tomcat startup
# scripts so the JVM loads the agent on the next restart.
java -jar RaspInstall.jar -install /path/to/tomcat
```
```yaml
security:
  sql:
    policy: log      # detect and record only; the request proceeds
  command:
    policy: block    # abort the request with an error response
  file:
    policy: log
  xxe:
    policy: block
whitelist:
  sql:
    # Statement patterns the agent must never flag; use this to tune
    # away false positives rather than turning a check off.
    - "SELECT * FROM users WHERE id = ?"
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:                    # required for apps/v1; must match the pod labels
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      # Stage the agent into a shared volume so the application image is untouched.
      initContainers:
        - name: rasp-init
          image: rasp-agent:latest   # pin a digest in production
          command: ['cp', '/agent/rasp.jar', '/rasp/']
          volumeMounts:
            - name: rasp-agent
              mountPath: /rasp
      containers:
        - name: app
          image: my-app:latest
          env:
            # The JVM reads JAVA_TOOL_OPTIONS at startup, so the agent loads
            # without changing the image's entrypoint or startup scripts.
            - name: JAVA_TOOL_OPTIONS
              value: "-javaagent:/rasp/rasp.jar"
          volumeMounts:
            - name: rasp-agent
              mountPath: /rasp
      volumes:
        - name: rasp-agent
          emptyDir: {}
```
```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: rasp-alerts
spec:
  groups:
    - name: rasp
      rules:
        - alert: RASPAttackBlocked
          # The metric name depends on what your agent exports; this one is illustrative.
          expr: increase(rasp_attacks_blocked_total[5m]) > 10
          for: 1m
          labels:
            severity: warning
          annotations:
            summary: "High number of attacks blocked by RASP"
            description: "{{ $value }} attacks blocked in the last 5 minutes"
```
| Scenario | Recommendation |
|---|---|
| High-value applications | Use RASP + WAF |
| Regulatory compliance | RASP provides deep visibility |
| Legacy applications | WAF may be easier |
| Microservices | Consider service mesh + RASP |
| Development/staging | Use in monitoring mode |
| Production | Start with logging, graduate to blocking |
- Start in monitoring mode: log detections and review them before switching any check to block
- Tune for your app: whitelist the legitimate statement patterns the detector flags, rather than disabling the check
- Monitor performance: RASP adds in-process overhead (~2-5% CPU is the figure usually quoted); benchmark your own workload before and after, including tail latency
- Integrate with SIEM: ship RASP events as structured logs so detections correlate with WAF and application logs
- Layer defenses: run RASP alongside a WAF, not instead of it; the WAF absorbs volumetric noise at the edge and the RASP catches what gets through
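The configuration step earlier (per-check `policy: log` or `block`, plus a `whitelist`) and the practices above are one mechanism seen from two sides: a detector raises a finding, and a policy layer decides whether to log it, block it, or suppress it because the statement matches a known-good shape, emitting an event either way. The following Python is an added example for this page, not OpenRASP's or any vendor's code. `Enforcer`, `enforce`, `normalize_sql`, the `audit` whitelist entry and the sample statements are constructed for the illustration; `toy_detector` is a deliberately naive stand-in for a real detector so the policy logic stays in focus. The `POLICY` dict mirrors the illustrative YAML, not a real product's schema.

```python
"""Policy layer between a RASP detector and the request: per-check log/block
mode, a whitelist of statement *shapes*, and one JSON event per finding for the
SIEM. Added example for this page; the POLICY dict mirrors the illustrative YAML
in the configuration step and is not a real product's schema."""
import json
import re
import sys
import time

POLICY = {  # same content as the YAML config, already parsed
    "security": {
        "sql": {"policy": "log"},        # start here ...
        "command": {"policy": "block"},  # ... graduate to this once the check is tuned
        "file": {"policy": "log"},
        "xxe": {"policy": "block"},
    },
    "whitelist": {"sql": [
        "SELECT * FROM users WHERE id = ?",
        "SELECT * FROM audit WHERE note = ?",  # constructed entry for the demo below
    ]},
}

_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")

def normalize_sql(sql):
    """Reduce a statement to its shape: literals become ?, whitespace collapses.
    One whitelist entry then covers every id value, while an injected clause
    still changes the shape and so can never be whitelisted by accident."""
    return re.sub(r"\s+", " ", _LITERAL.sub("?", sql)).strip()

class AttackBlocked(Exception):
    pass

class Enforcer:
    def __init__(self, policy, sink=None, clock=time.time):
        self.policy, self.sink, self.clock = policy, sink, clock
        self.events = []  # in-memory copy; the sink is the SIEM-bound stream
        # Counters a /metrics endpoint would expose, e.g. as
        # rasp_attacks_blocked_total for the alert rule above.
        self.counters = {"allow": 0, "log": 0, "block": 0}

    def mode(self, check):
        """Unknown checks default to log: never block on an untuned check."""
        return self.policy["security"].get(check, {}).get("policy", "log")

    def whitelisted(self, check, statement):
        entries = self.policy.get("whitelist", {}).get(check, [])
        if check == "sql":
            return normalize_sql(statement) in {normalize_sql(e) for e in entries}
        return statement in entries

    def decide(self, check, statement, finding, request_id=None):
        """Record the finding and return the action: allow, log or block."""
        action = "allow" if self.whitelisted(check, statement) else self.mode(check)
        self.counters[action] += 1
        event = {  # flat, one line per finding: easy to parse in any SIEM
            "ts": round(self.clock(), 3), "source": "rasp", "check": check,
            "action": action, "finding": finding, "request_id": request_id,
            "statement": statement[:512],  # cap so a huge payload cannot flood logs
        }
        self.events.append(event)
        if self.sink is not None:
            self.sink.write(json.dumps(event) + "\n")
        return action

def enforce(enforcer, check, statement, detector, request_id=None):
    """Sink-side hook: run the detector, consult policy, raise only in block mode."""
    finding = detector(statement)
    if not finding:
        return "clean"
    action = enforcer.decide(check, statement, finding, request_id)
    if action == "block":
        raise AttackBlocked(f"{check}: {finding}")
    return action

def toy_detector(statement):
    """Stand-in for a real structural detector: flags comments, a tautology, ';'."""
    m = re.search(r"--|\bOR\s+1\s*=\s*1\b|;", statement, re.IGNORECASE)
    return f"suspicious token {m.group()!r}" if m else None

def run_demo(enforcer):
    """Push constructed statements through the hook; returns the outcomes."""
    cases = [
        ("sql", "SELECT * FROM users WHERE id = 7"),                         # no finding
        ("sql", "SELECT * FROM users WHERE id = 7 OR 1=1 --"),               # sql is in log mode
        ("sql", "SELECT * FROM audit WHERE note = 'see ticket -- urgent'"),  # flagged, but whitelisted shape
        ("command", "ls /srv/reports; id"),                                  # command is in block mode
    ]
    outcomes = []
    for check, stmt in cases:
        try:
            outcomes.append(enforce(enforcer, check, stmt, toy_detector, "req-1"))
        except AttackBlocked:
            outcomes.append("blocked")
    return outcomes

if __name__ == "__main__":
    enforcer = Enforcer(POLICY, sink=sys.stdout)  # JSON lines go to stdout here
    print(run_demo(enforcer), enforcer.counters)
```

The whitelist compares shapes, not strings: `SELECT * FROM audit WHERE note = 'see ticket -- urgent'` is flagged by the detector because of the `--`, but its shape is on the list, so it is allowed (and still logged, which is what you review while tuning), whereas `... id = 7 OR 1=1 --` normalizes to a different shape and falls through to the configured mode. Graduating from log to block is a one-word policy change per check, and an unknown check name defaults to log so a typo in the config can never start blocking traffic. The counters are what the Prometheus rule above would consume once exported.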
In the next module, we'll tackle secrets management and infrastructure security.
:::