100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Runtime Application Self-Protection (RASP)

AdvancedTechnique6.2K learners

Runtime Application Self-Protection (RASP) is a security technology that runs inside a production application, monitoring its own execution in real time and automatically detecting and blocking attacks — such as injection attempts or…

Definition

Runtime Application Self-Protection (RASP) is a security technology that runs inside a production application, monitoring its own execution in real time and automatically detecting and blocking attacks — such as injection attempts or malicious payloads — as they occur, without relying solely on external network-layer defenses.

Overview

RASP takes the instrumentation approach pioneered by IAST and applies it to production, shifting from observe-and-report during testing to detect-and-block during live operation. A RASP agent is embedded within the application runtime (via language-specific hooks, similar to how an IAST agent instruments code, or via runtime library interception), giving it visibility into the application's actual internal state — the code executing, the data flowing through it, and the context of each operation — that external, network-layer defenses like a traditional Web Application Firewall (WAF) simply don't have access to. Because a WAF inspects only the raw HTTP request and response traffic from outside the application, it must rely on pattern matching against known attack signatures, which can be evaded by novel encodings or produce false positives on legitimate traffic that happens to resemble an attack pattern. RASP, by contrast, can make blocking decisions based on what's actually happening inside the application: for example, rather than trying to guess from an HTTP request whether a string might be a SQL injection attempt, a RASP agent can observe that tainted, request-derived data is about to reach a raw SQL execution call within the application's own code and block that specific database call in real time, regardless of how the malicious payload was encoded or obfuscated in transit. This contextual awareness generally gives RASP lower false-positive rates than perimeter-based defenses for the attack classes it covers, and it protects the application even when deployed behind infrastructure a WAF might not cover, or against attacks that originate from within the network rather than over the public internet. RASP is not a replacement for earlier-stage practices like SAST, DAST, and secure coding — it is a last line of defense that mitigates the impact of vulnerabilities that made it into production despite those earlier controls, rather than eliminating the vulnerabilities themselves. It also introduces runtime performance overhead and, like any automated protection, can occasionally interfere with legitimate application behavior if not carefully tuned. RASP is commonly deployed alongside a WAF and other runtime monitoring as part of a defense-in-depth strategy, with commercial offerings from vendors like Contrast Security, Signal Sciences (now part of Fastly), and Imperva.

Key Concepts

  • Runs embedded within the production application runtime, not at the network perimeter
  • Monitors and blocks attacks in real time based on internal application context
  • Can detect malicious data flow (e.g., tainted data reaching a raw SQL call) directly
  • Generally lower false-positive rate than perimeter defenses like a WAF for covered attack classes
  • Protects against attacks a WAF might miss due to encoding, obfuscation, or internal origin
  • Acts as a last line of defense, not a substitute for fixing root-cause vulnerabilities
  • Introduces some runtime performance overhead from instrumentation
  • Typically deployed alongside a WAF as part of defense-in-depth

Use Cases

Blocking exploitation attempts against known or unknown vulnerabilities in production
Providing an additional protection layer for legacy applications that can't be quickly patched
Mitigating zero-day exploitation while a permanent code fix is developed
Protecting applications from attacks originating within internal networks
Reducing false positives compared to signature-based perimeter defenses
Adding defense-in-depth alongside WAF and other runtime monitoring tools

Frequently Asked Questions

From the Blog