Buzzword Sink or Swim?

by Ed Adams on July 18, 2017

Security Buzzwords: Sink or Swim?

In the cyber world, we have an odd propensity to define everything as new and/or a breakthrough. I have spent the last 20 years of my career in this space, but my mechanical engineering degree still rears its ugly head and gives me heartburn when this happens. In the non-cyber engineering world, we continually improve the methods (i.e., processes) and elements (technology/components) and speak in terms of evolution rather than revolution.

As a result, the cybersecurity space tends to generate more buzzwords than most. Remember NAC? DLP? They all sound great “on paper,” but when put to the test in the real world, either the blemishes become apparent or we realize we’ve really been doing this all along in some way (does “cloud” ring a bell? Rackspace has been hosting other people’s servers since 1998). But then the next buzzword comes along and we spin around that.

This led me to come up with this blog series, where I’ll shed some light on a buzzword each month, providing some background on the buzzword and then giving you my 2 cents on its likelihood to “Sink or Swim?” All in an effort to learn, discuss, and unearth (and to have a little fun).

This month’s Buzzword Sink or Swim is RASP (Run-time Application Self-Protection)

A self-defending application (remember Oracle’s similar campaign a few years back?), what a great-sounding thing! An application that can identify and protect itself against incoming threats, who wouldn’t sign up for that? Gartner did its part to fuel the hype, too, calling RASP “transformational” at its 2015 IT Security & Risk Management Summit. RASP had been on many radar screens for a year or two prior (Gartner talks privately a lot before it starts talking publicly). A few RASP startups appeared. HP, Checkmarx, and Veracode all started talking about RASP products they had (or had “in the lab”)… and then reality hit. RASP is very difficult to get right. On a call earlier this year, an investor with >$50m into an application security technology vendor called it “technologically infeasible.”

Personally, I spec’d out a RASP solution in 2007 (called it SharkTank, 2 years before the TV show of the same name first aired) that enabled self-defending applications. I am a nerd and tech junkie at heart; unfortunately, we couldn’t get SharkTank much past slideware because it was technically very difficult — nearly impossible in 2009 in fact. 

The promise of RASP

As with all buzzwords, there is upside, promise, and potential.  From an application security and RASP perspective:

  • We need security built into applications (via a secure SDLC) as well as in deployment, for defense in depth (defense in depth is good).
  • Software can change itself based on input. Hardware (and thus most network security systems, e.g., an IPS) is a lot more challenging to change in real time than software is. The concept that an application can identify a malicious input, e.g., a SQL injection payload such as ' OR 1=1--, and then edit a software-based blacklist on the fly (in this case perhaps the app didn’t exclude the single quote, ', in its current list) is nothing new, and it is a premise upon which RASP is based.
    • Here’s the rub: the application has to identify EVERY inbound threat/attack correctly, AND have an effective countermeasure for each one. Even network-based IDS solutions can’t identify all attacks correctly, and it’s even more complicated at the software layer. Multiply the number of attack types by the exact detection and countermeasure needed for each unique variant and that’s the matrix (assuming you stay in two dimensions) that RASP must nail to be effective.
  • If RASP can be even 50% effective, it would give IT teams more time to fix issues whilst the RASP-enabled app is batting away easily identified attacks.
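To make the “rub” above concrete, here is an added example (my own illustration, not code from this post or from any RASP product). It wires a hypothetical in-process hook, BlocklistRasp, in front of a deliberately injectable login query over a constructed in-memory SQLite table. The hook knows only the textbook ' OR 1=1-- payload; a second tautology walks past it, the blacklist is edited on the fly to catch that one, and a third variant still gets through. A parameterized version of the same query is shown alongside, since that is the fix the runtime hook is standing in for.

```python
import re
import sqlite3
from typing import List, Tuple, Union

Rows = List[Tuple[str]]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


class BlocklistRasp:
    """Hypothetical in-process hook in the style the post describes: every SQL
    statement is inspected against a blacklist of regexes right before it is
    sent to the database, and the list can be extended at runtime."""

    def __init__(self, patterns: List[str]) -> None:
        self.patterns = [re.compile(p, re.IGNORECASE) for p in patterns]

    def add_pattern(self, pattern: str) -> None:
        # The "edit the blacklist on the fly" step from the post.
        self.patterns.append(re.compile(pattern, re.IGNORECASE))

    def execute(self, conn: sqlite3.Connection, sql: str) -> Rows:
        for p in self.patterns:
            if p.search(sql):
                raise PermissionError(f"blocked by pattern {p.pattern!r}")
        return conn.execute(sql).fetchall()


def vulnerable_login(conn, rasp, username, password) -> Rows:
    # Deliberately injectable: user input is concatenated into the statement,
    # so the only thing between the attacker and the table is the hook.
    sql = (f"SELECT name FROM users WHERE name='{username}' "
           f"AND password='{password}'")
    return rasp.execute(conn, sql)


def parameterized_login(conn, username, password) -> Rows:
    # The developer-side fix: input is bound as data and never parsed as SQL.
    return conn.execute(
        "SELECT name FROM users WHERE name=? AND password=?",
        (username, password),
    ).fetchall()


def attempt(conn, rasp, payload) -> Union[str, Rows]:
    try:
        return vulnerable_login(conn, rasp, payload, payload)
    except PermissionError:
        return "blocked"


def run_scenario() -> dict:
    """Walk three injection variants through the hook, update the blacklist
    once, and compare with the parameterized query."""
    conn = make_db()
    rasp = BlocklistRasp([r"\bor\s+1\s*=\s*1"])  # knows only the textbook payload
    payloads = {
        "classic": "' OR 1=1--",
        "quoted_tautology": "' OR 'a'='a",
        "comparison": "' OR 2>1--",
    }
    out = {label: attempt(conn, rasp, p) for label, p in payloads.items()}

    # React to the bypass by adding a rule for quoted-string tautologies ...
    rasp.add_pattern(r"\bor\s+'(\w+)'\s*=\s*'\1'")
    out["quoted_tautology_after_update"] = attempt(conn, rasp, payloads["quoted_tautology"])
    # ... and the numeric-comparison variant still walks straight through.
    out["comparison_after_update"] = attempt(conn, rasp, payloads["comparison"])

    # Parameterized query: every payload is just a username nobody has.
    out["parameterized"] = {
        label: parameterized_login(conn, p, p) for label, p in payloads.items()
    }
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the two rows of the matrix the post is talking about: each blacklist entry stops exactly the variant it was written for, the untouched variants return alice’s row, and the parameterized query returns nothing for all three without any runtime inspection at all.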

The reality of RASP

Also with all buzzwords, there is downside, disillusionment, and disappointment:

  • If we are realistic as to where we are today, as an industry we all still long for the “silver bullet” to solve our insecure application riddle… some technology to solve our biggest problem(s).
  • RASP, like many AppSec solutions, has the potential to make development teams lazy and less concerned about security because they think RASP will cover up their warts. This false sense of security is something we see with firewalls, WAFs, and other operational technology.
  • Let’s accept that we are years away from an effective RASP solution, if we can ever achieve one. We have barely mastered intrusion detection in the network space, let alone prevention (which depends on accurate detection).

The future of RASP

If I were to tackle the RASP challenge today (as opposed to my grandiose slideware solution of 2007), I would start by attacking one problem/threat/attack type at a time — such as the example I used above, SQL injection. Pick my favorite list: OWASP Top 10? Why not. Then move on to XSS once I’ve mastered SQL injection. Start with the top of the list (most common/serious threats) and move down the list methodically. 

I want to see a working, comprehensive RASP solution. I would BUY a working, comprehensive RASP solution. But the path we’re on now is not a path to success as I see it. I see another buzzword being beaten to death in the chase of yet another promise that can’t be delivered upon.

Does this buzzword Sink or Swim?

RASP SINKS!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

<Bonus Round>

What’s the funniest thing you’ve heard someone say about RASP?

Me: RASP is Random Application Semi-Protection or Real-Time Application Semi-Protection

Please add in additional comments. I’d love to hear your answer!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

Do you have any buzzwords that you want us to Sink or Swim?

 Please don’t hesitate to comment and we will add them to future posts.

Up next month, “Secure DevOps.”

Topics: application security, RASP, Run-time Application Self-Protection