RASP protects applications from within during runtime. Unlike WAFs that sit in front of your app, RASP instruments the application itself to detect and block attacks.
```text
Traditional WAF:
┌─────────┐     ┌─────────┐     ┌─────────────┐
│ Request │ ──▶ │   WAF   │ ──▶ │ Application │
└─────────┘     └─────────┘     └─────────────┘
                     │
            (Pattern matching)

RASP:
┌─────────┐     ┌───────────────────────────────┐
│ Request │ ──▶ │         Application           │
└─────────┘     │  ┌─────────────────────────┐  │
                │  │  RASP Agent (Embedded)  │  │
                │  │  • Monitors execution   │  │
                │  │  • Blocks attacks       │  │
                │  │  • Has runtime context  │  │
                │  └─────────────────────────┘  │
                └───────────────────────────────┘
```

| Aspect | WAF | RASP |
|---|---|---|
| Position | Network perimeter | Inside application |
| Context | HTTP layer only | Full runtime context |
| False positives | Higher | Lower |
| Bypass resistance | Lower | Higher |
| Performance impact | Low | Medium |
| Deployment | Network config | Code/agent integration |
| Visibility | Limited | Complete |

| Attack Type | How RASP Detects It |
|---|---|
| SQL Injection | Monitors database driver calls for injected SQL |
| Command Injection | Intercepts OS exec calls with tainted input |
| Path Traversal | Tracks file operations with user-controlled paths |
| XXE | Monitors XML parser for external entity loading |
| Deserialization | Blocks dangerous class instantiation |
| SSRF | Validates HTTP client calls against whitelist |

| Tool | Language | Type |
|---|---|---|
| OpenRASP (Baidu) | Java, PHP, Node.js | Agent-based |
| Sqreen (acquired) | Python, Node.js, Ruby | SaaS + Agent |
| ModSecurity (with CRS) | Any (reverse proxy) | WAF/RASP hybrid |

| Tool | Languages | Features |
|---|---|---|
| Contrast Security | Java, .NET, Node, Python, Go, Ruby | Full RASP + IAST |
| Imperva RASP | Java, .NET | Enterprise scale |
| Signal Sciences (Fastly) | Any (module) | WAF + RASP |
| Dynatrace AppSec | Java, .NET, Node, PHP, Go | APM + Security |

```bash
wget https://github.com/baidu/openrasp/releases/download/v1.3.7/rasp-java.tar.gz
tar -xzf rasp-java.tar.gz
java -jar RaspInstall.jar -install /path/to/tomcat
```

```yaml
security:
  sql:
    policy: log
  command:
    policy: block
  file:
    policy: log
  xxe:
    policy: block
whitelist:
  sql:
    - "SELECT * FROM users WHERE id = ?"
```

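To make the detection table and this policy config concrete, here is a miniature RASP agent in Python. It is an added example written for this page, not OpenRASP's code or any vendor's agent: the sink hooks (`guarded_execute`, `guarded_run`, `guarded_open`), the `POLICY` and `SQL_WHITELIST` names, the request-scoped taint list and the sample requests are all hypothetical. A real agent patches the driver and runtime from the outside instead of asking the application to call wrappers, but the decision logic is the same: the hook sees the final SQL string, command line or resolved path, knows which request values are untrusted, and applies a per-category "log" or "block" policy.

```python
"""Miniature RASP agent: an added example, not OpenRASP's or any vendor's code.
It hooks three sensitive sinks (database driver, OS exec, file open) with the
runtime context of each call and applies a per-category "log"/"block" policy
plus a whitelist in the spirit of the YAML config above. All names are hypothetical.
"""
import os
import re
import sqlite3
import subprocess
import tempfile
from typing import Dict, List, Set

POLICY: Dict[str, str] = {"sql": "block", "command": "block", "file": "log"}
SQL_WHITELIST: Set[str] = {"SELECT * FROM users WHERE id = ?"}
_TAINTED: List[str] = []  # raw values of the current request (the taint source)
EVENTS: List[dict] = []   # what a real agent would ship to its log or SIEM


class AttackBlocked(Exception):
    """Raised when the policy for the sink category is 'block'."""


def begin_request(params: Dict[str, str]) -> None:
    """Mark the untrusted values of an incoming request as tainted."""
    _TAINTED.clear()
    _TAINTED.extend(v for v in params.values() if v)


def _report(category: str, detail: str) -> None:
    """Apply the policy: always record the event, raise only when blocking."""
    action = POLICY[category]
    EVENTS.append({"category": category, "detail": detail, "action": action})
    if action == "block":
        raise AttackBlocked(f"{category}: {detail}")


# SQL sink: hook around the driver's execute().
_SQL_TOKEN = re.compile(r"\w+|'[^']*'|[^\s\w]")

def tainted_input_altered_sql(sql: str) -> bool:
    """True if a tainted value was concatenated into the statement and brings
    more than one SQL token with it (e.g. `1 OR 1=1`), i.e. it changed the
    statement's structure. Parameterised queries never contain the value."""
    return any(v in sql and len(_SQL_TOKEN.findall(v)) > 1 for v in _TAINTED)

def guarded_execute(cur: sqlite3.Cursor, sql: str, params=()) -> sqlite3.Cursor:
    """Whitelisted statements pass untouched; others get the structure check."""
    if sql not in SQL_WHITELIST and tainted_input_altered_sql(sql):
        _report("sql", f"tainted input altered statement: {sql!r}")
    return cur.execute(sql, params)


# Command sink: hook around subprocess.run(shell=True).
_SHELL_META = re.compile(r"[;&|`$<>]")

def guarded_run(cmd: str) -> subprocess.CompletedProcess:
    """Tainted input carrying shell metacharacters into the command line is
    treated as command injection."""
    for v in _TAINTED:
        if v in cmd and _SHELL_META.search(v):
            _report("command", f"tainted shell metacharacters in {cmd!r}")
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def guarded_open(base_dir: str, user_path: str, mode: str = "r"):
    """File sink: hook around open(). Resolve the final path and check that a
    tainted path stays inside the directory the app meant to serve from."""
    root = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(root, user_path))
    if user_path in _TAINTED and not resolved.startswith(root + os.sep):
        _report("file", f"path escapes {root}: {user_path!r}")
    return open(resolved, mode)


def demo() -> List[str]:
    """Drive the sinks with constructed requests; returns the outcome of each."""
    EVENTS.clear()
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    out: List[str] = []
    # 1. Whitelisted, parameterised query with a hostile-looking value: allowed.
    begin_request({"id": "1 OR 1=1"})
    rows = guarded_execute(con.cursor(), "SELECT * FROM users WHERE id = ?", (1,)).fetchall()
    out.append(f"sql-param:{len(rows)}")
    # 2. The same value concatenated into the SQL: structure changed, blocked.
    try:
        guarded_execute(con.cursor(), "SELECT * FROM users WHERE id = 1 OR 1=1")
    except AttackBlocked:
        out.append("sql-concat:blocked")
    # 3. Shell metacharacters arriving through a filename parameter: blocked.
    begin_request({"file": "a.txt; id"})
    try:
        guarded_run("ls a.txt; id")
    except AttackBlocked:
        out.append("cmd:blocked")
    # 4. Traversal under the "log" policy: recorded, but the open still proceeds.
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "public"))
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("top secret")
        begin_request({"page": "../secret.txt"})
        with guarded_open(os.path.join(tmp, "public"), "../secret.txt") as fh:
            out.append(f"file:{EVENTS[-1]['action']}:{fh.read()}")
    return out
```

Case 4 is the point of the "start in monitoring mode" advice: with `file` set to `log`, the traversal is recorded in `EVENTS` for review but nothing breaks, so you can confirm the hook is not flagging legitimate traffic before switching it to `block`. The SQL check is deliberately about statement structure rather than a pattern on the raw HTTP parameter, which is why the same hostile-looking value is fine when it travels as a bound parameter.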
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: my-app:latest
          env:
            # The JVM reads this variable at startup and attaches the agent
            - name: JAVA_TOOL_OPTIONS
              value: "-javaagent:/rasp/rasp.jar"
          volumeMounts:
            - name: rasp-agent
              mountPath: /rasp
      initContainers:
        # Copies the agent jar into the shared volume before the app starts
        - name: rasp-init
          image: rasp-agent:latest
          command: ['cp', '/agent/rasp.jar', '/rasp/']
          volumeMounts:
            - name: rasp-agent
              mountPath: /rasp
      volumes:
        - name: rasp-agent
          emptyDir: {}
```

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: rasp-alerts
spec:
  groups:
    - name: rasp
      rules:
        - alert: RASPAttackBlocked
          expr: increase(rasp_attacks_blocked_total[5m]) > 10
          for: 1m
          labels:
            severity: warning
          annotations:
            summary: "High number of attacks blocked by RASP"
```

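To see what the rule above actually evaluates, here is an offline model of it in Python, run over constructed RASP log lines. It is an added example, not OpenRASP's code or anything from the Prometheus operator: it assumes a hypothetical agent that emits one JSON object per event with `ts` (epoch seconds), `attack_type` and `action` fields, and the base timestamp `T0` and the whole `SAMPLE_LOG` are constructed. `blocked_in_window` stands in for `increase(rasp_attacks_blocked_total[5m])`, and `alert_state` models the `for: 1m` clause, which is the part people most often misread: the expression must be true at every evaluation for a full minute before the alert fires.

```python
"""Offline evaluation of the RASPAttackBlocked rule over JSON-lines RASP logs.
Added example; the log format, T0 and SAMPLE_LOG are constructed for this page."""
import json
from typing import Dict, List, Tuple

T0 = 1_700_000_000  # constructed epoch base for the sample timeline

# Constructed sample: a burst of blocked attacks inside four minutes, three
# logged-only traversal attempts, one malformed line, and a stray event later.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": T0 + 15 * i, "attack_type": "sql_injection", "action": "block"})
     for i in range(8)]
    + [json.dumps({"ts": T0 + 120 + 15 * i, "attack_type": "command_injection", "action": "block"})
       for i in range(4)]
    + [json.dumps({"ts": T0 + 180 + 15 * i, "attack_type": "path_traversal", "action": "log"})
       for i in range(3)]
    + ["this line is not JSON"]
    + [json.dumps({"ts": T0 + 900, "attack_type": "sql_injection", "action": "block"})]
)


def parse_events(text: str) -> Tuple[List[Dict], int]:
    """Parse JSON-lines agent output. Malformed lines are skipped and counted
    rather than allowed to abort the pipeline that feeds the SIEM."""
    events, skipped = [], 0
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            events.append({"ts": int(ev["ts"]), "attack_type": str(ev["attack_type"]),
                           "action": str(ev["action"])})
        except (ValueError, KeyError, TypeError):
            skipped += 1
    return events, skipped


def blocked_in_window(events: List[Dict], now: int, window: int = 300) -> int:
    """Stand-in for increase(rasp_attacks_blocked_total[5m]) evaluated at `now`:
    blocked events with now - window < ts <= now. Prometheus extrapolates
    increase() between scrapes, so a live value can differ by a fraction."""
    return sum(1 for e in events if e["action"] == "block" and now - window < e["ts"] <= now)


def condition(events: List[Dict], now: int, threshold: int = 10, window: int = 300) -> bool:
    """The rule's expr: increase(...) > 10."""
    return blocked_in_window(events, now, window) > threshold


def alert_state(events: List[Dict], now: int, hold: int = 60, step: int = 15, **kw) -> str:
    """Model `for: 1m`: 'firing' only if the expression has been true at every
    evaluation step over the last `hold` seconds, 'pending' if it is true now
    but has not held that long, otherwise 'inactive'."""
    if not condition(events, now, **kw):
        return "inactive"
    if all(condition(events, now - k, **kw) for k in range(step, hold + 1, step)):
        return "firing"
    return "pending"


def per_type_counts(events: List[Dict]) -> Dict[str, int]:
    """Blocked events per attack type, the breakdown a SIEM dashboard would show."""
    counts: Dict[str, int] = {}
    for e in events:
        if e["action"] == "block":
            counts[e["attack_type"]] = counts.get(e["attack_type"], 0) + 1
    return counts


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {bad}; by type: {per_type_counts(evs)}")
    for offset in (135, 150, 200, 220, 900):
        print(f"t=T0+{offset:<4} blocked(5m)={blocked_in_window(evs, T0 + offset):<3} "
              f"state={alert_state(evs, T0 + offset)}")
```

In the sample the count first exceeds 10 at T0+150 s, but the alert only reaches `firing` at T0+220 s, once the expression has held at every 15 s step for a minute; a threshold that is crossed briefly stays `pending` and never pages anyone. Events with `action: log` are counted nowhere in the rule, which is what makes monitoring mode safe to run without flooding the on-call rotation, while `per_type_counts` is the per-category view you would forward to the SIEM alongside the raw events.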
| Scenario | Recommendation |
|---|---|
| High-value applications | Use RASP + WAF |
| Regulatory compliance | RASP provides deep visibility |
| Legacy applications | WAF may be easier |
| Microservices | Consider service mesh + RASP |
| Development/staging | Use in monitoring mode |
| Production | Start with logging, graduate to blocking |

- Start in monitoring mode: Log attacks before blocking
- Tune for your app: Whitelist legitimate patterns
- Monitor performance: RASP adds overhead (~2-5% CPU)
- Integrate with SIEM: Feed RASP logs to security monitoring
- Layer defenses: Use RASP alongside WAF, not instead of it
In the next module, we'll tackle secrets management and infrastructure security.
:::