From the Frontlines of RASP Adoption
Boston OWASP meetup, September 28, 2016

Uploaded by goran-begic, posted 15-Jan-2017

TRANSCRIPT

Page 1: Title slide

From the Frontlines of RASP Adoption

Boston OWASP meetup, September 28, 2016

Page 2: About the Presenter

www.immun.io @immunio

• Goran Begic, @gbegicw
• VP of Product at IMMUNIO
• Favorite topics: application security (SAST, DAST, IAST, RASP...), product management / marketing, customer success, innovation, SaaS / B2B
• Past experience: Veracode, SmartBear, MathWorks, IBM, Rational Software

Page 3: About IMMUNIO

Automatic detection and protection against application security vulnerabilities

• Formed in 2013
• Patented technology
• HQ in Montreal, Canada
• Customers: (customer logos, not reproduced in the transcript)

Page 4: 1 Page Summary

• RASP: Runtime Application Self-Protection
• RASP is about prevention of exploitation
• RASP is not IAST, or some version of it
• RASP is a group of technologies
• Key criteria for evaluation
• What to ask your vendors about RASP, and how

(Image source: hiddenincatours.com)

Page 5: Runtime Application Self-Protection

• Gartner: a category of technologies (not a single technology)
• Vendors, products, feature sets, use cases
• Early days
• Technologies: agent-based, VM instrumentation, library + network appliance, signatures

Page 6: Runtime Concepts

(Diagram: your web application sits behind the "perimeter"; the WAF lives at the perimeter, RASP inside the application, with Development on one side and IT Ops on the other.)

• Who's interacting with me? Usernames, IPs, HTTP requests
• What am I about to execute? Routes, stack traces, server response
• What was I designed to do? Source code, methods, libraries

Page 7: Features (how vendors utilize the technology)

• Prevent code injection, cross-site scripting, directory traversal, etc.: the "runtime portion" of the OWASP Top 10, including "zero-day" vulnerabilities in those classes
• Protect the authentication service and user accounts
• Provide general security intelligence
• Layer 7 DDoS prevention
• Monitor critical business-specific events
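The three runtime questions on the Runtime Concepts slide and the injection-prevention feature above can be made concrete with a small Python hook. This is an added example written for this transcript, not IMMUNIO's agent or any vendor's code: it assumes a request context captured per thread (`begin_request`), wraps the sqlite3 driver through a connection factory rather than the VM-level instrumentation a real agent uses, and treats a request parameter as an injection when the parameter's text covers more than one SQL token in the statement about to run. The lexer, the thresholds and the sample application are all assumptions for illustration.

```python
"""Toy RASP hook: instrument the SQL driver so the application checks what it
is about to execute against who is asking. Added example, not vendor code."""
import re
import sqlite3
import threading

# Per-request context ("Who's interacting with me?"), as an agent would take it
# from the HTTP layer. Assumption: one request per thread.
_ctx = threading.local()
EVENTS = []      # security intelligence the hook collects
BLOCK = True     # False = monitor-only mode: record, but let the request through


class SQLInjectionBlocked(Exception):
    pass


def begin_request(remote_ip, user, params):
    _ctx.remote_ip, _ctx.user, _ctx.params = remote_ip, user, dict(params)


# Minimal SQL lexer (assumption: sufficient for the SQLite dialect used here).
_TOKEN = re.compile(r"""
    '(?:[^']|'')*'          # single-quoted string literal ('' escapes a quote)
  | "(?:[^"]|"")*"          # double-quoted identifier
  | \d+(?:\.\d+)?           # numeric literal
  | [A-Za-z_]\w*            # keyword or identifier
  | --[^\n]*                # line comment
  | /\*.*?\*/               # block comment
  | <>|<=|>=|!=|\|\|        # two-character operators
  | \S                      # any other single character
""", re.VERBOSE | re.DOTALL)


def input_spans_tokens(sql, value, min_len=3):
    """True when `value` occurs in `sql` covering more than one token, i.e. the
    user-supplied text became SQL syntax instead of staying one literal."""
    if len(value) < min_len:
        return False
    spans = [(m.start(), m.end()) for m in _TOKEN.finditer(sql)]
    at = sql.find(value)
    while at != -1:
        end = at + len(value)
        if sum(1 for s, e in spans if s < end and e > at) > 1:
            return True
        at = sql.find(value, at + 1)
    return False


def inspect_query(sql):
    """Runs before execution ("What am I about to execute?"). Returns the event
    recorded, or None when the statement is clean. Raises in block mode."""
    for name, value in getattr(_ctx, "params", {}).items():
        if isinstance(value, str) and input_spans_tokens(sql, value):
            event = {"type": "sqli", "param": name, "value": value,
                     "remote_ip": _ctx.remote_ip, "user": _ctx.user,
                     "sql": sql, "blocked": BLOCK}
            EVENTS.append(event)
            if BLOCK:
                raise SQLInjectionBlocked(f"param {name!r} from {_ctx.remote_ip}")
            return event
    return None


class GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, params=()):
        inspect_query(sql)
        return super().execute(sql, params)


class GuardedConnection(sqlite3.Connection):
    """Connection factory that hands out guarded cursors (the hook point)."""
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory)

    def execute(self, sql, params=()):
        return self.cursor().execute(sql, params)


def make_db():
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    return conn


def find_user(conn, name):
    # Deliberately vulnerable: string concatenation instead of a bound parameter.
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def demo():
    """A normal lookup succeeds; a tautology injection is stopped at the driver."""
    conn = make_db()
    begin_request("203.0.113.7", "anon", {"name": "alice"})
    ok = find_user(conn, "alice")
    begin_request("203.0.113.7", "anon", {"name": "' OR '1'='1"})
    try:
        find_user(conn, "' OR '1'='1")
        blocked = False
    except SQLInjectionBlocked:
        blocked = True
    return ok, blocked, EVENTS[-1]["param"]
```

In block mode the hook raises before the statement reaches SQLite, so the deliberately vulnerable `find_user` still returns the right row for a normal name but never executes the tautology. Setting `BLOCK` to False keeps the same event record without interrupting the request, which is the monitor-first rollout the availability criterion on the Key Evaluation Criteria slide argues for.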

Page 8: Use Cases (what can you accomplish with RASP?)

• Instantly reduce the risk of exploitation: in vulnerable or outdated applications, in applications for which you don't have remediation resources, and in all mission-critical web applications and web services
• Prevent account takeover and reduce the time to detection of stolen accounts
• Add security to rapid DevOps iterations
• Collect security intelligence on the application layer
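The account-takeover use case above comes down to correlating login outcomes by IP and by account at runtime, using exactly the usernames and IPs the Runtime Concepts slide lists. The detector below is an added example, not the deck's or IMMUNIO's logic: the three rules (credential stuffing when one IP fails against several accounts, brute force when one account absorbs repeated failures, account takeover when a success follows either pattern), the five-minute window, the thresholds and the sample events are all constructed assumptions for illustration.

```python
"""Toy account-takeover detector over login events. Added example, not vendor
code: rules, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, remote IP, username, success).
# Addresses are from documentation ranges, not real traffic.
SAMPLE_EVENTS = [
    ("2016-09-28T10:00:01", "198.51.100.9", "alice", False),
    ("2016-09-28T10:00:02", "198.51.100.9", "bob", False),
    ("2016-09-28T10:00:03", "198.51.100.9", "carol", False),
    ("2016-09-28T10:00:04", "198.51.100.9", "dave", False),
    ("2016-09-28T10:00:05", "198.51.100.9", "erin", False),
    ("2016-09-28T10:00:06", "198.51.100.9", "erin", True),   # stuffing hit
    ("2016-09-28T10:00:10", "203.0.113.5", "alice", False),
    ("2016-09-28T10:00:20", "203.0.113.5", "alice", False),
    ("2016-09-28T10:00:30", "203.0.113.5", "alice", True),   # typos, then legit
    ("2016-09-28T10:01:00", "192.0.2.44", "bob", False),
    ("2016-09-28T10:01:01", "192.0.2.44", "bob", False),
    ("2016-09-28T10:01:02", "192.0.2.44", "bob", False),
    ("2016-09-28T10:01:03", "192.0.2.44", "bob", False),
    ("2016-09-28T10:01:04", "192.0.2.44", "bob", False),
    ("2016-09-28T10:01:05", "192.0.2.44", "bob", True),      # brute-force hit
]


def detect(events, window=timedelta(minutes=5), max_failures=5, min_users=3):
    """Replay login events in time order and return the alerts raised.

    Rules (assumed thresholds, not the deck's):
      credential_stuffing: one IP fails >= max_failures times across
                           >= min_users distinct accounts inside `window`
      brute_force:         one account fails >= max_failures times (any IP)
      account_takeover:    a success from a stuffing IP, or a success on an
                           account that already crossed the brute_force bar
    """
    ip_fail = defaultdict(list)    # ip -> [(time, user)] recent failures
    user_fail = defaultdict(list)  # user -> [(time, ip)] recent failures
    flagged_ips = set()
    seen = set()
    alerts = []

    def alert(key, **fields):
        if key not in seen:        # one alert per (rule, subject)
            seen.add(key)
            alerts.append(dict(rule=key[0], **fields))

    for ts, ip, user, ok in sorted(events):
        t = datetime.fromisoformat(ts)
        # Sliding window: forget failures older than `window`.
        ip_fail[ip] = [f for f in ip_fail[ip] if t - f[0] <= window]
        user_fail[user] = [f for f in user_fail[user] if t - f[0] <= window]
        if not ok:
            ip_fail[ip].append((t, user))
            user_fail[user].append((t, ip))
            users = sorted({u for _, u in ip_fail[ip]})
            if len(ip_fail[ip]) >= max_failures and len(users) >= min_users:
                flagged_ips.add(ip)
                alert(("credential_stuffing", ip), ip=ip, users=users)
            if len(user_fail[user]) >= max_failures:
                alert(("brute_force", user), user=user, ip=ip)
        elif ip in flagged_ips or len(user_fail[user]) >= max_failures:
            alert(("account_takeover", user, ip), user=user, ip=ip)
    return alerts
```

The two failed attempts from 203.0.113.5 followed by a success stay below every threshold, which is the "availability of valid business use" trade-off: the same data that exposes the stuffing IP and the brute-forced account must not lock out a user who mistyped a password twice.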

Page 9: RASP is not a "version of IAST"

• Preventing exploitation in production vs. finding vulnerabilities in the development environment
• Production... we are talking about production...
• Different technology requirements and design challenges: performance, availability of service, data and privacy protection

Page 10: Key Evaluation Criteria

• Protection / prevent exploitation: supported languages and frameworks; categories of vulnerabilities that are successfully mitigated
• Availability of service / avoid disruption of valid business use
• Performance / suitable for adoption in production

Page 11: Adoption Challenges

• General awareness about application security: appsec investment in general, remediation challenges, understanding of WAF limitations
• Maturity of technology and business processes around RASP
• Procedures and actions based on application security intelligence: runtime / ops data vs. vulnerabilities; roles and responsibilities

(Image source: hiddenincatours.com)

Page 12: Evaluating RASP

• Evaluation plan: define evaluation criteria, applications and timeline; articulate the business problem
• Get buy-in / engage key stakeholders: the "Yes, we can build something like that ourselves, but we shouldn't" conversation; the "We already do static and dynamic scanning and have a WAF, why do we need another solution?" conversation
• Communicate: feedback to the vendor; stakeholders

(Image source: cipa.icomos.org)

Page 13: Questions

• Contact: @gbegicw