Building Better Security (8): RASP

I've been sharing ideas on how to build security into your development process. An important step in the development process is testing.

There are many techniques used in security testing. It's useful to understand the different approaches, and their advantages and disadvantages. So far we've looked at SAST, DAST and IASP. (I've included the links at the bottom, in case you missed any.)

This week we look at Runtime Application Self-Protection, aka RASP.

What is Runtime Application Self-Protection?

You may have heard of a Web Application Firewall or WAF. Think of a WAF as a security fence between the web application and the Internet. It protects the application by filtering and monitoring the HTTP traffic. But if an intruder gets over the fence, then the WAF can no longer protect the application.

RASP is built on the idea that an application should be able to protect itself, instead of relying on a WAF. It's like bundling a WAF inside the application's runtime context.

How does it work?

RASP technology runs on a server. It kicks in when an application runs, because it is designed to detect attacks in real time.

RASP analyses both the app's behaviour, and the context of that behaviour. It intercepts all calls from the app to a system, making sure they're secure. It also validates data requests inside the app.

When a security event occurs, RASP takes control of the app. It can address the problem in various ways. In diagnostic mode, RASP will sound an alarm. In protection mode, it will try to stop the attack. It might terminate a user's session, stop the execution of the application, or send an alert. It identifies and addresses attacks immediately, without waiting for human intervention.

You can implement RASP in different ways. Developers can include the security through function calls, and decide exactly what to protect. For applications that are not actively under development, you can secure the entire application inside a RASP wrapper.

Advantages of RASP

  • RASP can secure a system after the attacker has penetrated the perimeter defences.
  • Because it runs inside the application, RASP can distinguish between actual attacks and legitimate requests for information. This improves accuracy and reduces false positives.
  • It provides better information about what is happening during an attack. This makes it easier to fix the vulnerability.

These advantages give developers more time to focus on actual development.

Disadvantages of RASP

Critics of RASP point out the following problems:

  • RASP can have a negative impact on application performance.
  • RASP does not scale well enough to cover a large number of vulnerabilities.
  • As with all testing tools, it is hard to tune the system to catch as many attacks as possible, without false alerts.


There is no silver bullet for security problems. Instead, you need to use a combination of tools and build interlocking layers of security.

Have you had any experience using RASP? Please share your views and comments.

And if you missed any of the previous articles in this series, here are the links:

Leave a Comment

Your email address will not be published. Required fields are marked *

Thank You

We're Excited!

Thank you for completing the form. We're excited that you have chosen to contact us about training. We will process the information as soon as we can, and we will do our best to contact you within 1 working day. (Please note that our offices are closed over weekends and public holidays.)

Don't Worry

Our privacy policy ensures your data is safe: Incus Data does not sell or otherwise distribute email addresses. We will not divulge your personal information to anyone unless specifically authorised by you.

If you need any further information, please contact us on tel: (27) 12-666-2020 or email

How can we help you?

Let us contact you about your training requirements. Just fill in a few details, and we’ll get right back to you.