Agile protection, and more broadly, agile application security, brings adaptability and automation to application security. It fits nicely with DevOps, one of the main trends today in application development. As you probably know, DevOps introduces automation into the SDLC by treating everything as code. This includes treating as code elements such as server infrastructure, deployment management, and security.
If we focus on application security, Web Application Firewalls (WAFs) are one of the most popular options. However, WAFs have not adapted to DevOps practices: their technology is antiquated, they only offer perimeter-based protection, and they lack proper cloud support.
Additionally, WAFs introduce a single point of failure and can add latency, which degrades the user’s experience. These are not problems that can be solved with AI or learning processes. We have talked about this in previous posts, and it was essentially our key message at the 2019 RSA Conference.
WAFs don’t make your code safer
On top of the points above, WAFs do not contribute to a progressive strengthening of the application. WAFs are only useful if and while they are correctly deployed in blocking mode. In other words, WAFs don’t do much for developers.
Industry best practices such as “push left,” which means that application security should be implemented earlier in the SDLC, are great on paper, but in reality developers lack helpful advice on the security of their code to fully adopt push left practices.
Lastly, teams are releasing applications faster and more frequently, often daily, which compounds these issues. WAFs do not scale in this kind of environment.
How to bring agile protection to your applications
Runtime Application Self-Protection (RASP) products leverage advanced instrumentation technology to prevent known and unknown attacks. RASPs have better visibility into the application structure and also follow the request data as it flows through the application in real time. But RASP protection can help developers as well, and that is the advantage we want to focus on today.
Application security assessment and validation should happen at every stage of the app lifecycle: Development, QA, and Production. This means that the appsec process must be agile and repeatable. RASP protection, by being part of your application, makes it possible to incorporate security throughout the entire SDLC. The term that the industry is adopting for this practice is DevSecOps, or agile protection.
Teams wanting to take agile protection to the next level should consider adopting frameworks that are secure by design. Security by design means that the frameworks incorporate automatic security protections. Traditionally, the defense against this class of risk has relied on manual (custom) application-specific validations. However, some design frameworks automate the protection.
Let’s review five key benefits that RASP technology, and in particular, Hdiv Protection, brings to developers.
Five key Hdiv RASP benefits for developers
1. Security by design: use frameworks that make your applications secure from the very beginning. The combination of an agent plus secure frameworks enables self-protected apps. Not many developers are security experts. Using frameworks that are secure by default helps close this gap and empowers your developers.
2. Feedback loops: receive real-time information on the attacks against, and the security posture of, your applications. Attack visibility means that developers understand precisely how the application is being attacked, as it happens. Developers can review full attack information, including detailed diagnosis information, with tools they already use, such as Jira or syslog clients. This information is vital to progressively building safer applications.
3. Actionable advice: RASPs provide the exact location of the vulnerability in the application’s codebase. Coupled with the feedback loops described above, developers can react to this information and improve the security of the application quickly. The information includes the frequency of the attacks and the severity of the vulnerability, which helps with triaging and prioritizing patches.
4. Protection becomes code: protection expressed as code is easier to maintain. It can be kept in traditional repositories and becomes simply another code artifact. This means great portability and cloud support. Developers appreciate that their applications are protected wherever they go.
5. DevOps-friendly: RASP protection works great with your CI/CD tools. There are no learning processes or lengthy configuration steps every time the code changes. Once the application deploys, it is automatically protected from the inside.
Thanks for reading! If you are curious about Hdiv Protection (RASP), drop us a note (roberto at hdivsecurity dot com) and we will be happy to review in detail.