Thursday, May 26, 2022

Is Runtime Application Self-Protection the key ingredient for more secure software development?

One of the challenges of embracing agile development and taking a DevOps approach to IT is incorporating security in such a way that it does not become a barrier to rapid, iterative release cycles.

A new report by information security and research firm Securosis, “Understanding and Selecting Runtime Application Security and Protection,” explores how DevOps teams are addressing today’s application security issues and where the Runtime Application Self-Protection (RASP) model can provide immediate and measurable benefits within the agile development process.

Just as DevOps has developers supporting the applications they develop, RASP is gaining traction as a way to integrate development with security. Mike Milner, co-founder and CTO of Montreal-based Immunio, said the company was founded two-and-a-half years ago in recognition of that shift, as well as the reality that web application security is difficult to do well. “It’s difficult for companies to maintain expertise.”

RASP is a term initially coined in a 2012 Gartner report titled Runtime Application Self-Protection: A Must-Have, Emerging Security Technology; since Immunio’s launch, the company has focused on making web application security easier via the model. With other players coming into the market, said Milner, the concept is starting to mature. “We feel the technology is coming into its own.”

How enterprises are using RASP varies quite a bit, he said. Some organizations are already doing agile and DevOps. “They’re having trouble meshing it with their existing security requirements. RASP works well for them.” Milner said it allows for better integration and feedback loops. “It provides the immediate benefit they are looking for.”

At the other end of the spectrum are organizations whose existing web applications don’t have the best security protection and are challenging to integrate well with their firewall. “They are looking for a step change in security they can deploy across a range of applications,” said Milner. “They are looking to deploy RASP across the organization for baseline protection. These evaluations tend to be a little slower.”

Traditionally, developers would build a web application and then it would be up to a separate set of developers or a network security team to make sure it worked with the security parameters of the organization. “Every new deployment of an application needs an update to the firewall,” said Milner. This makes deployment slow and puts a wrench into rapid development. “It doesn’t make as much sense in a rapid release environment to have separate teams.”

Some organizations have seen RASP as a means for transformative change, he said, and the Securosis report shows those interested in learning more how it fits within the bigger picture, and also provides guidance on what questions need to be asked of a potential RASP provider.

Milner said it’s also important to remember that RASP is not a replacement for a security tool; what it does is allow for better integration and protection in real time. As the Securosis report notes,

“For [DevOps] teams, security products must do more than address application security issues; they need to mesh with continuous integration and continuous deployment approaches, while offering automated capabilities and better integration with developer tools.”

Gary Hilson
Gary Hilson is a Toronto-based freelance writer who has written thousands of words for print and pixel in publications across North America. His areas of interest and expertise include software, enterprise and networking technology, memory systems, green energy, sustainable transportation, and research and education. His articles have been published by EE Times, SolarEnergy.Net, Network Computing, InformationWeek, Computing Canada, Computer Dealer News, Toronto Business Times and the Ottawa Citizen, among others.
