Debunking Myths Around RASP

By July 19, 2019 News

Devops.com

Runtime application self-protection (RASP) has come under a fair bit of scrutiny over the last few years. As with many security technologies that pioneer new ways of tackling old problems, it has met resistance because people inherently don't like change. Several companies entered the space early, early adopters helped mature the various RASP solutions on the market, and the technology has advanced rapidly.

When applications became the favored target of bad guys, tons of companies started to reposition their perimeter security products closer to the application. Web application firewalls (WAFs) are similar to IPS for the network, so they were an easy mind shift for most security practitioners. The problem is that they require you to know your adversary. That's like asking a security guard to keep out a single troublemaker while letting in their associated gang of thugs.

As we saw recently with WebLogic, exploiting applications is a shell game. When one vulnerability is exposed and patched, another one that shares the same modus operandi comes out. When reports came out comparing the most recent WebLogic vulnerability to vulnerabilities found last year in CVE-2018-2628, CVE-2018-2893 and CVE-2017-10271, Oracle posted a blog explaining that last year's vulnerabilities had been patched. The problem was that the underlying code mechanism that led to the above-mentioned CVEs (insecure deserialization) had not been fixed.

Read the full article here.

 


Author John Adams

John Adams, Waratek CEO, is a veteran of the security and medical technology sectors with experience in executive management, global sales & product development. Adams has both startup and public company experience, having served as President & COO of Atlanta-based SecurAmerica and SVP N. America for London-based G4S (formerly Securicor) as well as a Sr. executive at US Surgical Corporation and MedLine Industries.
