Search Blog for

WAF and RASP: Best Practice for Defense in Depth
,

WAF and RASP: Best Practice for Defense in Depth

Why do you need a RASP solution if WAF’s layer of defense is so powerful?

The simple answer is that no single security product can provide protection for all threat vectors. A comprehensive IT security strategy includes risk-appropriate controls implemented where they can provide maximum efficacy, with integrated analytics throughout.

The Imperva WAF (Web Application Firewall) is an essential part of a layered defense-in-depth strategy for protecting applications. It allows legitimate traffic to flow to the application behind but keeps bad traffic out, preventing critical threats such as unauthorized data exfiltration which targets the types of vulnerabilities found on the OWASP Top 10 list.

Meanwhile, Imperva RASP (Runtime Applications Self-Protection), may sound similar to a WAF, as it too is designed to detect and block exploit payloads targeting vulnerabilities like SQL Injection and Cross-Site Scripting.

Especially with recent enhancements to the Imperva RASP, including language-agnostic protection with cloud-native insights, it’s worth taking a closer look at the combined benefits of using WAF and RASP in support of your critical asset and data protection security architecture.

Web Application Firewall

The WAF sits in front of applications, inspecting incoming HTTP request traffic for known attack payloads and abnormal usage patterns. When a suspicious payload or usage pattern is detected the request can be reported or reported and blocked. It allows for blocking of IP addresses and offers customization of rule-sets, in addition to providing real-time alerts and reporting.

The Imperva WAF separates known, bad traffic from good traffic and ensures that your application is not processing information or requests which do not pertain to the application’s intended functionality. An additional benefit of the solution is lowering application infrastructure costs.

The downside to most WAFs is they must be tuned in order to block exploits. There needs to be a reactive approach identifying exploit payloads before applying protections. This can allow false negatives or unwanted false positives to be introduced especially in fast moving application development with agile development practices.

Run-Time Application Self-Protection (RASP)

The RASP approach is to tightly couple with the application code by plugging into the application at the server level itself.

Imperva RASP uses a contextual awareness technique known as Language Theoretic Security (LangSec) to detect threats and provide assurance that a particular payload will not be able to exploit the application code. RASP technology inspects the complete (and oftentimes transformed or obfuscated) payload in the context of how the application will use it only when the application will attempt to use the data.

The result is low false positives and high visibility into vulnerabilities, which include weaknesses previously unknown to the organization. RASP does not require continual maintenance or significant tuning. It provides location appropriate security complementing the WAF and the other elements of an Application Security solution suite.

Whilst the policies of the SDLC may mandate that vulnerabilities found with security testing tools (e.g. DAST) must be remedied before the application gets to production, it is often the case that business pressures mean the application is released with known issues. Application code is rarely bug-free. And since developers typically do not have strong security training, the case for a solution that provides default protection against exploits at the application level becomes very strong.

The benefits of the RASP approach are numerous as it is able to provide application awareness and context sensitive protection. At this level it will integrate into the software development lifecycle (SDLC) and be able to prevent zero-day attacks and to secure legacy applications.

The Case for WAF and RASP

Attack Detection

Security in front of the application, such as with a WAF, is excellent protection against known attacks, with WAF signatures great for addressing previously known exploit payloads. But frequent application code changes and 3rd party libraries mean the environment is under constant change and edge protections must be reactive or risk false negatives or unwanted false positives.

In this case, RASP LangSec comes into play when addressing previously unknown exploit payloads. The Imperva RASP solution is signature-free, evaluating each payload in the same way as the application and its supporting components do in order to identify exploit attempts, providing application security by default. Because it is a solution in the right place, it minimizes false positives.

For a proper security architecture, different controls need to be implemented at different points in a defense in depth strategy. If the attack gets through the control at layer 1, using the same kind of control at layer 2 would be pointless.

Blocking More Attack Traffic

With the traditional network borders essentially erased as organizations transition to cloud infrastructures, it’s increasingly difficult to determine friend from foe based upon the origin of the connection. In most WAF deployments inspection is focused on “north-south” or outside-in traffic. Whereas, RASP is often oriented toward “east-west” or inside-to-inside traffic.

WAFs are primarily focused on keeping untrusted outsiders out. RASP can prevent trusted insiders or autonomous microservices from causing harm.

Making Security Part of DevOps

In many organizations WAFs are maintained by a dedicated, specialized team – either external (for example Imperva or a Managed Security Services Provider) or internal (for example, a WAF Admin Team in Security Operations).

However, the industry is rapidly consolidating Operations with Development as it continues to evolve into “the cloud”. DevOps means the Continuous Integration / Continuous Delivery pipeline is the default mechanism to set up and enforce security controls. RASP is just part of the application and naturally fits into this model.

Defense-in-depth strategies must be dynamic as both the IT and adversary landscape is constantly evolving. Security must be part of the DevOps conversation…besides there are never enough trained Security personnel. Why not leverage Development best practices, technologies and personnel?

When evaluating the merits of RASP vs. WAF and determining which is better, the reality is that RASP and WAF are complementary. The WAF protects known, bad traffic and RASP provides location-appropriate security enforcement in the context of the application.

The two different approaches to security provide a defense-in-depth solution, as part of a solid security strategy to combat the many different forms of attacks today.

A multi-layered approach, such as Imperva Application Security provides protection and multi-sensor analytics across your Web Application Firewall (WAF), DDoS Protection, Advanced Bot Management, and RASP, for a full solution stack to secure and monitor application access.

Find out more about Imperva RASP, its recently-expanded support, and ability to protect cloud native workloads in our press release.