YOU ARE HERE: HOMERuntime Application Self-Protection (RASP)

Runtime Application Self-Protection (RASP)


Veracode Runtime Protection

Enable secure application deployments without operational maintenance

Organizations like yours are increasingly leveraging software applications you build, compose or buy to gain competitive advantage. Development teams are pressured to deliver quality work on-time, often at the expense of security. The ability to exploit software vulnerabilities and the potential of significant financial gain has made web applications the most common breach vector. Mitigating a vulnerability may not be an option due to time to market or lack of access to the source code. Web application firewalls (WAFs) are frequently deployed as a quick fix, but they require a lot of maintenance and often run in monitoring-only mode for fear of false positives.

52% of applications scanned by Veracode contained XSS flaws, 35% contained SQLi flaws.

~ Veracode Internal Data 2016

Veracode Runtime Protection defends against application-layer attacks in real-time. Unlike a WAF, Veracode Runtime Protection is simple to deploy and does not require engineering resources to implement and tune it because it uses a technology called runtime application self-protection (RASP). Veracode Runtime Protection provides more effective protection, is harder for attackers to evade, and has much higher accuracy – so you won’t be distracted by noisy false positives. You can even deploy it in pre-production to ensure its functionality is tested as part of your QA process. Third-party and legacy applications can be secured without requiring code changes or interrupting engineering priorities.

Protect applications at runtime without touching code

Veracode Runtime Protection does not require you to change source code. It is installed in minutes on your application server and instantly begins monitoring and protecting you from attacks – no tuning required. The technology is great for defense in depth or as an easy option to start your application security program. Even if you operate legacy or third-party applications, or use open source components in your web app, Veracode Runtime Protection provides an excellent option for mitigating vulnerabilities. No development effort is required to get Veracode Runtime Protection installed and running.

Monitor and block attacks, integrate with security operations

You can set Veracode Runtime Protection to monitor or block. In monitoring mode, it alerts you about active threats and logs an audit trail. In blocking mode, Veracode Runtime Protection also prevents the attack from being executed. Attack data is logged in a central management console and can be fed into a SIEM to alert the security operations team.

Broaden your options for reducing application risk

Risk management is all about business trade-offs: With Veracode Runtime Protection, you add the option to instantly mitigate certain vulnerabilities without involving developers as an alternative to requesting a code change, so you’re increasing development speed while managing your risk. Veracode Runtime Protection helps companies comply with regulations, such as PCI DSS, by providing an automated solution that detects and prevents web-based attacks.

[WAFs have a] single point of failure; likely to fail open under high load, leaving the formerly protected web application vulnerable.

~ SANS Report

Experience easier maintenance and more accuracy than with a WAF

Unlike web application firewalls (WAFs), Veracode Runtime Protection requires no tuning. It is easy to deploy in pre-production to ensure it successfully blocks attacks. It has higher accuracy because it has insight into application logic and configuration, event and data flow, executed instructions and data processing. WAFs have a higher false positive rate because they lack the necessary means to ensure accurate detection of application vulnerabilities and protection against application-level attacks.

Run an integrated application security program, not just a tool

Veracode has over a decade of application security expertise and can help you understand exactly how you should deploy Veracode Runtime Protection within the greater context of your application security program. Use attack data to prioritize vulnerabilities discovered from Veracode Static Analysis, including evidence such as stack traces, database queries, and HTTP requests. Combine Veracode Runtime Protection with Veracode Web Application Scanning (WAS) to test your application interactively. Veracode WAS acts as a simulated attacker, while Veracode Runtime Protection alerts you on which attacks actually make it through to the application. This achieves interactive application security testing (IAST) to prioritize findings from your dynamic scans.

Contact E-SPIN today to see how Veracode Runtime Protection can defend your applications.