From the Frontlines of RASP Adoption
Boston OWASP meetup, September 28, 2016
www.immun.io @immunio
About the Presenter
‣ Goran Begic
‣ @gbegicw
‣ VP of Product at IMMUNIO
‣ Favorite Topics
  ‣ Application Security / SAST, DAST, IAST, RASP…
  ‣ Product Management / Marketing
  ‣ Customer Success
  ‣ Innovation
  ‣ SaaS / B2B
‣ Past Experience
  ‣ Veracode, SmartBear, MathWorks, IBM, Rational Software
About IMMUNIO
Automatic detection and protection against app security vulnerabilities
‣ Formed in 2013
‣ Patented Technology
‣ HQ in Montreal, Canada
Customers:
1 Page Summary
• RASP: Runtime Application Self Protection
• RASP is about prevention of exploitation
• RASP is not IAST, or some version of it
• RASP is a group of technologies
• Key criteria for evaluation
• What and how to inquire about RASP with your vendors
Source: hiddenincatours.com
Runtime Application Self-Protection
• Gartner
• Category of technologies (not one)
  • Vendors
  • Products
  • Feature sets
  • Use cases
• Early days
• Technologies
  • Agent-based
  • VM instrumentation
  • Library + network appliance
  • Signatures
Runtime Concepts
[Diagram: Your Web Application, with Development and IT Ops alongside and the “Perimeter” in front of it; the WAF sits at the perimeter, RASP inside the application. Labels: information, data.]
• Who’s interacting with me?
  • Usernames
  • IPs
  • HTTP Requests
• What am I about to execute?
  • Routes
  • Stack traces
  • Server Response
• What was I designed to do?
  • Source code
  • Methods
  • Libraries
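The in-application vantage point this slide describes, as an added example that is not from the slides or from IMMUNIO's product: a minimal RASP-style hook in Python wrapped around a database driver's execute(). It assumes a constructed RequestContext carrying the request's IP, user and parameters, and uses a lexical check (does a request value cross a SQL token boundary?) as a stand-in for a vendor's detection logic.

```python
import re
import sqlite3
import traceback
from dataclasses import dataclass

# Lexer: string literals ('' escapes), numbers, identifiers, 2-char operators, other.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|<>|<=|>=|!=|\S")

@dataclass
class RequestContext:
    """Constructed per-request facts the app already holds (who is interacting with me?)."""
    remote_ip: str
    user: str
    params: dict  # HTTP parameter name -> value

class RaspBlocked(Exception):
    """Raised instead of executing a statement whose structure request input has altered."""

def input_alters_structure(sql: str, value: str) -> bool:
    """True if a request value appears in the SQL but not within a single token: 'alice'
    in a literal is data; spanning a boundary (quote, OR, =) changed the statement's shape."""
    if len(value.strip()) < 2 or value not in sql:  # skip tiny values: coincidental hits
        return False
    return not any(value in tok for tok in TOKEN_RE.findall(sql))

def protected_execute(conn: sqlite3.Connection, sql: str, ctx: RequestContext):
    """Hook a RASP agent would wrap around the driver's real execute()."""
    for name, value in ctx.params.items():
        if input_alters_structure(sql, value):
            # In-app vantage point: user, IP, parameter, full SQL and the code path that built it.
            caller = traceback.extract_stack()[-2].name
            raise RaspBlocked(f"SQLi blocked: ip={ctx.remote_ip} user={ctx.user} "
                              f"param={name!r} at={caller} sql={sql!r}")
    return conn.execute(sql)

def demo() -> tuple:
    """Constructed requests: a benign lookup returns 1 row, a tautology payload is refused."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    def legacy_query(u):  # deliberately unsafe concatenation, standing in for legacy code
        return f"SELECT name FROM users WHERE name = '{u}'"
    good = RequestContext("203.0.113.5", "anonymous", {"user": "alice"})
    rows = protected_execute(conn, legacy_query(good.params["user"]), good).fetchall()
    bad = RequestContext("203.0.113.9", "anonymous", {"user": "' OR '1'='1"})
    try:
        protected_execute(conn, legacy_query(bad.params["user"]), bad)
        return len(rows), False
    except RaspBlocked:
        return len(rows), True
```

The check is lexical, so a correctly escaped value such as 'O''Brien' is left alone; only input that changes the statement's token structure is refused, which is the availability trade-off the later slides raise.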
Features: How vendors utilize technology
• Prevent Code injections, Cross-Site Scripting, Directory Traversal etc.
  • “Runtime portion” of OWASP Top 10
  • “Zero-day”
• Protect authentication service and user accounts
• Provide general security intelligence
• Layer 7 DDoS prevention
• Monitor critical business-specific events
Use Cases: What can you accomplish with RASP?
• Instantly reduce risk of exploitation
  • In vulnerable, or outdated applications
  • In applications for which you don’t have remediation resources
  • In all mission critical web applications and web services
• Prevent account takeover and reduce time to detection of stolen accounts
• Add security to rapid DevOps iterations
• Collect security intelligence on the application layer
RASP is not a “version of IAST”
• Preventing exploitation in production vs. finding vulnerabilities in development environment
• Production... we are talking about production…
• Different technology requirements and design challenges
  • Performance
  • Availability of service
  • Data and privacy protection
Key Evaluation Criteria
• Protection / Prevent exploitation
  • Supported languages and frameworks
  • Categories of vulnerabilities that are successfully mitigated
• Availability of service / Avoid disruption of valid business use
• Performance / Suitable for adoption in production
Adoption Challenges
• General awareness about application security
  • Appsec investment in general
  • Remediation challenges
  • Understanding of WAF limitations
• Maturity of technology and business processes around RASP
  • Procedures and actions based on application security intelligence
  • Runtime / ops data vs. vulnerabilities
  • Roles and responsibilities
Source: hiddenincatours.com
Evaluating RASP
• Evaluation plan
  • Define evaluation criteria, applications and timeline
  • Articulate business problem
• Get buy in / engage key stakeholders
  • The “Yes, we can build something like that ourselves, but we shouldn’t” conversation
  • The “We already do static and dynamic scanning, have WAF, why do we need another solution” conversation
• Communicate
  • Feedback to vendor
  • Stakeholders
Source: cipa.icomos.org
Questions
• Contact: @gbegicw